D-Link DNS-320 through 2.05.B10 is affected by command injection in the login_mgr.cgi component, which can lead to remote arbitrary code execution. The port parameter in the script could be poisoned to execute arbitrary commands, opening the door to an RCE attack. If the vulnerability is exploited, a remote, unauthenticated attacker can access all application commands with root permission.
Note that Nessus has not tested for this issue but has instead relied only on the router’s self-reported model.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
# Registration block: sets the plugin's metadata (IDs, references, text,
# scoring, scheduling requirements) and then exits, so none of the detection
# logic after this block runs in the description pass.
if (description)
{
script_id(172032);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/08/09");
script_cve_id("CVE-2019-16057");
# Cross-reference to CISA's Known Exploited Vulnerabilities catalog.
# NOTE(review): the value is a date, presumably the catalog's remediation due
# date rather than the date the entry was added - confirm.
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/06");
# NOTE(review): name and synopsis say "router", while the description text
# names a single model (DNS-320); the wording presumably follows the detection
# plugin this script depends on - confirm.
script_name(english:"D-Link Routers RCE (CVE-2019-16057)");
script_set_attribute(attribute:"synopsis", value:
"The remote router is affected by a remote command execution vulnerability.");
# The description scopes the flaw to firmware "through 2.05.B10" and states that
# the issue is not actively tested: the result rests on the self-reported model.
script_set_attribute(attribute:"description", value:
"D-Link DNS-320 through 2.05.B10 is affected by command injection in the login_mgr.cgi component,
which can lead to remote arbitrary code execution. The port parameter in the script could be poisoned
to execute arbitrary commands, opening the door to an RCE attack. If the vulnerability is exploited
a remote, unauthenticated attacker can access all application commands with root permission.
Note that Nessus has not tested for this issue but has instead relied only on the router's self-reported model.");
# Vendor advisory that the shortened see_also link below presumably resolves to:
# https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10123
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8234be61");
# NOTE(review): the solution recommends replacing the device, while the temporal
# vectors below record an official fix (RL:OF / RL:O) - confirm which one
# reflects this model's current support status.
script_set_attribute(attribute:"solution", value:
"Upgrade to a supported device.");
# Base vectors (CVSS v2 and v3.0): network attack vector, low complexity, no
# authentication or privileges, no user interaction (v3), and complete/high
# impact on confidentiality, integrity and availability.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
# Temporal vectors: high exploit maturity (E:H), official fix, confirmed report.
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-16057");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
# NOTE(review): patch_publication_date (2019/04/11) is earlier than
# vuln_publication_date (2019/09/15); plausible if the fix shipped before
# public disclosure - confirm against the vendor advisory.
script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15");
script_set_attribute(attribute:"patch_publication_date", value:"2019/04/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/03/01");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
# Registered as an information-gathering check.
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2023 Tenable, Inc.");
# Scheduling prerequisites: the D-Link detection plugin must be listed as a
# dependency, and both knowledge-base keys must be present for this script to
# run; the model string read later comes from 'd-link/model'.
script_dependencies("d-link_router_detect.nasl");
script_require_keys("www/d-link", "d-link/model");
script_require_ports("Services/www", 80);
# End the description pass here.
exit(0);
}
include('http.inc');
# Model string from the knowledge base (the script exits if the key is absent),
# upper-cased so the comparison below does not depend on letter case.
var dlink_model = toupper(get_kb_item_or_exit('d-link/model'));

# Only an exact "DNS-320" match is in scope; the anchors keep model strings
# that merely start with or contain "DNS-320" from matching.
if (dlink_model !~ "^DNS-320$")
{
  audit(AUDIT_HOST_NOT, 'an affected D-Link model');
}

# No firmware version is read or compared anywhere in this script, although the
# plugin description scopes the flaw to "through 2.05.B10". The finding is
# therefore model-based only: below paranoia level 2 the host is audited as
# potentially vulnerable and nothing is reported.
if (report_paranoia < 2)
{
  audit(AUDIT_POTENTIAL_VULN, 'D-Link model ' + dlink_model);
}

# Web port to attach the finding to (default 80).
# NOTE(review): embedded:1 presumably lets embedded web servers qualify - confirm.
var http_port = get_http_port(default:80, embedded:1);

# Report body: the detected model and the remediation, in that order.
var report_fields = make_array('Model', dlink_model, 'Solution', 'Upgrade to a supported device');
var field_order = make_list('Model', 'Solution');

security_report_v4(
  port:http_port,
  severity:SECURITY_HOLE,
  extra:report_items_str(report_items:report_fields, ordered_fields:field_order)
);