D-Link DNS-320 ShareCenter <= 2.05.B10 – Unauthenticated Remote code execution

CyStack image

Trung Nguyen

CEO @CyStack|April 5, 2023

CyStack Advisory ID CSA-2019-03
CVE IDs CVE-2019-16057
Severity Critical
CVSS v2 Base 10.0
Vendor’s announcement Link


CyStack Security discovered a remote code execution vulnerability in the D-Link DNS-320 ShareCenter device which its version is lower or equal 2.05.B10 . By exploiting the vulnerability, a remote, unauthenticated attacker can access to all application commands with root permission. This device is a popular network storage device and interestingly, in the past, it was also reported that it contains a backdoor itself.


While doing some research on network devices we found a command injection vulnerability at the login module of a D-Link DNS-320 device. The flaw exists at a hidden feature called SSL Login which its required parameter, port, can be poisoned.

Login interface

In this article, I will show how we found out the flaw and analyze what happened in the old version of the firmware.

Extract firmware

Firstly, we download the firmware

$ mkdir /tmp/dns_320 && cd mkdir /tmp/dns_320
$ wget
$ unzip DNS-320_REVA_FIRMWARE_PATCH_2.05.B10.ZIP

Next, we use Binwalk and Firmware Modification Kit to extract it

# If you do not have these tools, install them first
$ sudo apt-get install git build-essential zlib1g-dev liblzma-dev bsdmainutils python
$ wget
$ tar -xvf fmk_099.tar.gz fmk/
$ cd fmk/src/others/ && make && cd -
$ curl "" -o ""
$ python3
$ git clone && cd binwalk && python3 install && cd -
$ binwalk -eM DLINK_DNS320.2.05b10\(2.13.0226.2016\)
$ ./fmk/ _DLINK_DNS320.2.05b10\(2.13.0226.2016\).extracted/3F5020.squashfs
# All binaries are now in the following folder
$ cd squashfs-root/


Our target binary is /cgi/login_mgr.cgi which handles login requests. We focus on function cgiMain()

Firstly, if the parameter cmd equals "login" then sub_9958 will be called

Function cgiMain() calls sub_9958()

sub_9924() will be called with parameter port

Let’s take a look at sub_9924(). We can see that if an attacker controls parameter v1 which stands for port, he will be able to arbitrarily execute commands, which is the key point in this vulnerability


By poisoning the parameter port, we can perform an RCE attack like below


D-Link team released a patch for this issue on 11/04/2019. According to their release notes, the patch is for login_mgr.cgi allows attackers pipe commands to the user.log.  I don’t know exactly what issue they found related to the flaw I’m addressing in this article, but the patch worked. They fixed it by type casting parameter port to Integer.


  • 14/08/2019 – CyStack reports to D-Link team
  • 15/08/2019 – CyStack gets the first response from D-Link team and asks them for some information
  • 06/09/2019 – D-Link team confirms this issue and works on a patch
  • 07/09/2019 – CVE-2019-16057 is assigned for the vulnerability (reserved status)
  • 11/09/2019 – D-Link team includes this CVE to their release notes and allows CyStack to disclose the issue.
  • 15/09/2019 – D-Link team announces the issue

Related posts

Stored XSS leads to account takeover in Flarum
Stored XSS leads to account takeover in Flarum
November 19 2022|Advisories

CyStack Advisory ID CSA-2022-01 CVE IDs CVE-2022-41938 Severity Critical CVSS v3 Base 9.0 Synopsis CyStack’s researchers recently discovered a Stored XSS vulnerability in the Flarum platform version 1.5.0 to 1.6.1 which can lead to an account takeover attack. Flarum is a widely used simple and open-source forum platform. At the time of this post, we […]

Cyclos &lt; 4.14.15 &#8211; Remote code execution
Cyclos < 4.14.15 – Remote code execution
June 24 2022|Advisories

CyStack Advisory ID CSA-2021-01 CVE IDs CVE-2021-44832 Severity Critical CVSS v3 Base 10.0 Synopsis Cyclos is a payment software created for banks, barters, remittances, and innovative currency systems. Cyclos is used by more than 1500 payment systems worldwide. CyStack recently found that Cyclos versions prior to 4.14.15 are vulnerable to the remote code execution vulnerability. […]

macOS Rootkit Emulation
macOS Rootkit Emulation
June 24 2022|Advisories

Kernel rootkit is considered the most dangerous malware that may infect computers. Operating at ring 0, the highest privilege level in the system, this super malware has unrestricted power to control the whole machine, thus can defeat all the defensive and monitoring mechanisms. Unfortunately, dynamic analysis solutions for kernel rootkits are severely lacking; indeed, most […]