Determining the device models affected by CVE-2019-16920 with ZoomEye

heige

by Heige (a.k.a. Superhei) of KnownSec 404 Team, 10/09/2019

CVE-2019-16920 (https://nvd.nist.gov/vuln/detail/CVE-2019-16920) is an RCE vulnerability in D-Link products that was discovered and reported by Fortinet’s FortiGuard Labs (https://www.fortinet.com/blog/threat-research/d-link-routers-found-vulnerable-rce.html).

In their report, the device models affected by the vulnerability are DIR-655C, DIR-866L, DIR-652, and DHP-1565. In fact, through our KnownSec 404 Team’s research, we found that far more device models are affected by this vulnerability than these. Other affected device models are:

• DIR-855L
• DAP-1533
• DIR-862L
• DIR-615
• DIR-835
• DIR-825

These device models were determined from ZoomEye’s search results. First, we determined the device banner fingerprint (ZoomEye dork) of devices affected by CVE-2019-16920.

dork: "lighttpd" +"login_pic.asp"

Then we just call the ZoomEye API to extract the model string from each vulnerable device's banner. This is very easy to do with Pocsuite (https://github.com/knownsec/pocsuite3).

PocSuite
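
An added example (not code from the original post or from Pocsuite): the same fingerprint-then-extract step applied offline to HTTP banners saved from your own device inventory, classifying each hit against the model lists on this page. The banner layout, the model regex and the sample banners are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Model lists exactly as given on this page.
FORTINET = {"DIR-655C", "DIR-866L", "DIR-652", "DHP-1565"}
KNOWNSEC = {"DIR-855L", "DAP-1533", "DIR-862L", "DIR-615", "DIR-835", "DIR-825"}

# Assumption: the model shows up in the banner as a D-Link style product code
# (DIR-/DAP-/DHP-, three or four digits, optional revision letter).
MODEL_RE = re.compile(r"\b(D(?:IR|AP|HP)-\d{3,4}[A-Z]?)\b", re.IGNORECASE)


def matches_dork(banner):
    """The page's dork: both strings must appear in the banner."""
    return "lighttpd" in banner and "login_pic.asp" in banner


def classify(banner):
    """Return (model, status) for a banner matching the dork, else None."""
    if not matches_dork(banner):
        return None
    m = MODEL_RE.search(banner)
    if m is None:
        # Fingerprint matched but no model string: needs manual review.
        return ("unknown", "fingerprint-only")
    model = m.group(1).upper()
    if model in FORTINET:
        return (model, "in-fortinet-report")
    if model in KNOWNSEC:
        return (model, "listed-by-404-team")
    return (model, "fingerprint-match-unlisted")


def tally(banners):
    """Count (model, status) pairs over all banners that match the dork."""
    return Counter(filter(None, map(classify, banners)))


# Constructed sample banners (not real device output).
SAMPLES = [
    "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.28\r\n\r\n<title>D-LINK DIR-825</title><img src=login_pic.asp>",
    "HTTP/1.1 200 OK\r\nServer: lighttpd\r\n\r\n<b>DIR-655C</b><img src='login_pic.asp'>",
    "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\nDIR-615 setup guide",
    "HTTP/1.1 200 OK\r\nServer: lighttpd\r\n\r\n<img src=login_pic.asp>",
    "HTTP/1.1 200 OK\r\nServer: lighttpd\r\n\r\nmodel: dir-825 <img src=login_pic.asp>",
]

if __name__ == "__main__":
    for (model, status), n in sorted(tally(SAMPLES).items()):
        print(f"{model:10} {status:28} {n}")
```

A "fingerprint-only" or "fingerprint-match-unlisted" result means the banner matched the dork but the model is not on either list, so that device should be checked by hand.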

Thanks Hcamael of Knownsec 404 Team

If you have any questions about ZoomEye, please contact me: https://twitter.com/80vul
