Will Robertson

Security Research: Dinkleberry

Background

CVE-2024-3272 is an unauthenticated remote code execution vulnerability affecting a range of D-Link NAS devices. The vulnerable endpoint, nas_sharing.cgi, passes user-supplied input directly to system() with no sanitisation. At the time of disclosure, over 92,000 devices were publicly exposed and D-Link had no patch available for the affected (end-of-life) models.

The approach

Dinkleberry uses the vulnerability to fix itself - it executes a command via the same exploit to create a patched copy of the vulnerable binary, then redirects the CGI symlink to point to the safe version instead. The patch overwrites the system() call with NOPs, so the endpoint continues to respond normally; it just no longer executes anything.

The underlying filesystem is read-only, so the patched binary is written to /usr/local/config (writable) and the symlink in /var/www/cgi-bin is updated accordingly. A side effect of this approach is that the fix doesn't survive a reboot - the filesystem is reloaded from flash on startup. For a permanent solution, reflashing the firmware is required.
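As an added illustration of the patch-and-repoint step (example code, not Dinkleberry's own), the Python below refuses to patch unless the bytes at the expected offset are the call it expects, overwrites them with the architecture's NOP encoding, checks that nothing else changed, writes the copy to a writable path and repoints the symlink. The sample binary, the offset, the original call bytes and the single-byte NOP are constructed assumptions; for a real build those come from disassembling that exact firmware image.

```python
"""Create a NOP-patched copy of a binary and repoint a symlink at it."""
from pathlib import Path

# Constructed sample, not the real nas_sharing.cgi: a header, a 4-byte
# "call" at offset 8, then filler. The byte values are placeholders.
SAMPLE_BINARY = b"\x7fELF" + b"\x00" * 4 + b"\xe8\x10\x00\x00" + b"\xaa" * 20
CALL_OFFSET = 8
EXPECTED_CALL = b"\xe8\x10\x00\x00"   # bytes assumed to sit at CALL_OFFSET
NOP_ENCODING = b"\x90"                # x86 NOP; ARM and MIPS encodings differ

class PatchError(Exception):
    pass

def nop_out(data: bytes, offset: int, expected: bytes, nop: bytes) -> bytes:
    """Return a copy of data with the call at offset replaced by NOPs."""
    if offset < 0 or offset + len(expected) > len(data):
        raise PatchError("patch span lies outside the binary")
    found = data[offset:offset + len(expected)]
    if found != expected:
        # Wrong build or wrong offset: patching blindly would corrupt code.
        raise PatchError(f"expected {expected.hex()} at {offset:#x}, found {found.hex()}")
    if len(expected) % len(nop):
        raise PatchError("NOP encoding does not tile the call instruction")
    return data[:offset] + nop * (len(expected) // len(nop)) + data[offset + len(expected):]

def verify_patch(original: bytes, patched: bytes, offset: int, length: int) -> bool:
    """True if patched differs from original only inside the patched span."""
    return (len(original) == len(patched)
            and original[:offset] == patched[:offset]
            and original[offset + length:] == patched[offset + length:])

def install_patched_copy(src: Path, dst: Path, link: Path) -> Path:
    """Write the patched copy to writable dst and repoint link at it.

    src (the read-only original) is never modified; replacing the symlink
    is what makes the CGI endpoint serve the safe copy.
    """
    original = src.read_bytes()
    patched = nop_out(original, CALL_OFFSET, EXPECTED_CALL, NOP_ENCODING)
    if not verify_patch(original, patched, CALL_OFFSET, len(EXPECTED_CALL)):
        raise PatchError("patched copy differs outside the NOP span")
    dst.write_bytes(patched)
    if link.is_symlink() or link.exists():
        link.unlink()
    link.symlink_to(dst)
    return link
```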

The tool also exposes an optional telnet mode, which opens a shell on the device for manual inspection - useful for anyone wanting to investigate further before or after patching.

Copyright © Will Robertson 2012 - 2026