Regarding CVE-2018-19986, a similar vulnerability appears to exist in the D_Link DIR-868L B1_FW205b02_WW firmware. The general logic is as follows: SetRouterSettings writes the value of the RemotePort parameter to the internal configuration item $path_inf_wan1."/web", and then executes service HTTP.WAN-1 start; HTTP.WAN-1.php executes service IPT.WAN-1 restart; IPT.WAN-1.php calls the IPTWAN_build_command function, and $web is appended to the iptables command. The logic seems correct, but I cannot obtain a shell using poc.py, and I am completely baffled. If possible, could you please help me analyze the cause? Thank you very much!
Regarding CVE-2018-19986, a similar vulnerability appears to exist in the D_Link DIR-868L B1_FW205b02_WW firmware. The general logic is as follows:
SetRouterSettingswrites the value of theRemotePortparameter to the internal configuration item$path_inf_wan1."/web", and then executesservice HTTP.WAN-1 start;HTTP.WAN-1.phpexecutesservice IPT.WAN-1 restart;IPT.WAN-1.phpcalls theIPTWAN_build_commandfunction, and$webis appended to the iptables command. The logic seems correct, but I cannot obtain a shell usingpoc.py, and I am completely baffled. If possible, could you please help me analyze the cause? Thank you very much!