Support Announcements
DNR-322L :: Rev. Ax :: Firmware 2.40B03 and older :: Command Injection Vulnerability



In August 2018, D-Link became aware of a report from a 3rd party security researcher that the DNR-322L Hardware Rev. Ax is affected by an authenticated command injection vulnerability.


3rd Party Report:

Andrea Possemato :: andrea _dot_ possemato _at_

Since then, D-Link has diligently investigated and patched the issue, as disclosed in the following.




The following was taken directly from the 3rd party's report:


  • Command Injection
  • File: file_center.cgi
  • Function: offset 0xB354
  • Description: the attacker controls the parameters 'f_dir', 'f_type' and 'f_name'. The function at offset 0xA780 sanitizes/escapes the value of 'f_name' by checking a list of characters like #, $, &, ...: if it finds one of these characters inside 'f_name' it will escape them with '\\'. The value of the 'sanitized' f_name is then concatenated as the second parameter using sprintf in the command "rm -f %s%s", and the value of the command is then executed via `system`. Since the backtick is not checked, the attacker can provide a filename like 'test`reboot`', gaining a command injection.
  • Constraint: the attacker must have a valid session (authenticated/logged in)
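To make the report's reasoning concrete, the block below models the described flaw and a hardened replacement. It is an added example, not code from D-Link's firmware or from the researcher's report: the exact blacklist of the original escaper, the share path used as 'f_dir', and all function names are assumptions; only the payload shape ('test`reboot`'), the "rm -f %s%s" format and the missing backtick check come from the report. The hardened version never hands the name to a shell: it allowlists the filename and calls unlink(2) on a path built with snprintf.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Characters the report says the original sanitizer escapes ("#,$,&,...").
 * The full list is NOT given in the advisory; this set is an ASSUMPTION for
 * the demo. The backtick is deliberately absent, matching the report. */
static const char BLACKLIST[] = "#$&;|<>()\"' ";

/* Models the vulnerable escaper (offset 0xA780 in the report): every
 * blacklisted byte is prefixed with a backslash, everything else, including
 * '`', passes through untouched. Returns 0 on success, -1 if out is too small. */
int escape_blacklist(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        if (strchr(BLACKLIST, *in)) {
            if (o + 1 >= outlen) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}

/* Models the vulnerable command construction "rm -f %s%s" that the report
 * says is then passed to system(). Only builds the string so it can be
 * inspected; it does NOT execute anything. */
int build_rm_command(const char *f_dir, const char *f_name,
                     char *cmd, size_t cmdlen)
{
    char escaped[256];
    if (escape_blacklist(f_name, escaped, sizeof escaped) != 0) return -1;
    int n = snprintf(cmd, cmdlen, "rm -f %s%s", f_dir, escaped);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

/* Returns 1 if cmd contains a backtick that is not preceded by a backslash,
 * i.e. /bin/sh would perform command substitution when system() runs it. */
int has_unescaped_backtick(const char *cmd)
{
    int escaped = 0;
    for (; *cmd; cmd++) {
        if (*cmd == '\\' && !escaped) { escaped = 1; continue; }
        if (*cmd == '`' && !escaped) return 1;
        escaped = 0;
    }
    return 0;
}

/* Hardened check: an allowlist instead of a blacklist. Accepts only
 * [A-Za-z0-9._-], rejects empty names, "." and "..", and anything containing
 * a path separator, so no shell metacharacter or traversal can get through. */
int is_safe_filename(const char *name)
{
    if (name == NULL || *name == '\0' || strlen(name) > 255) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened replacement for the rm -f / system() path: validate the name,
 * build f_dir/f_name with a bounded snprintf, and call unlink(2) directly so
 * no shell ever parses attacker-controlled bytes. Returns 0 on success,
 * -1 on rejection or if unlink fails. (f_dir is also attacker-controlled per
 * the report and must be confined separately; that is out of scope here.) */
int delete_file_safely(const char *f_dir, const char *f_name)
{
    if (!is_safe_filename(f_name)) return -1;
    char path[1024];
    int n = snprintf(path, sizeof path, "%s/%s", f_dir, f_name);
    if (n < 0 || (size_t)n >= sizeof path) return -1;
    return unlink(path) == 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed inputs: the share path is an assumption, the file name is
     * the payload shape from the report. */
    char cmd[512];
    if (build_rm_command("/tmp/share/", "test`reboot`", cmd, sizeof cmd) == 0)
        printf("vulnerable: %s (unescaped backtick: %d)\n",
               cmd, has_unescaped_backtick(cmd));
    printf("hardened accepts 'test`reboot`': %d\n", is_safe_filename("test`reboot`"));
    printf("hardened accepts 'report.txt':   %d\n", is_safe_filename("report.txt"));
    return 0;
}
```

Running the vulnerable path with the report's payload yields `rm -f /tmp/share/test`reboot``; the backtick survives the escaper, so /bin/sh would run `reboot` before `rm`. A name such as `a;reboot` is neutralised to `a\;reboot`, which is why a blacklist looks adequate until a character is forgotten. The hardened path rejects the payload outright and, for accepted names, never invokes a shell at all. Note that the same allowlist-and-no-shell treatment must be applied to 'f_dir', which the report also lists as attacker-controlled.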


Affected Products and Fixes:


Model     Revision          Affected FW                  Fixed FW          Last Updated
DNR-322L  All A revisions   v2.40.B03 and lower (older)  v2.60B13Beta01




Regarding security patches for your D-Link devices
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.
As there are different hardware revisions of our products, please check the hardware revision on your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device's web configuration.