Determine the device model affected by CVE-2019–16920 by ZoomEye

by Heige(a.k.a Superhei) of KnownSec 404 Team 10/09/2019

CVE-2019–16920 is a RCE vulnerability in D-Link products that was discovered and reported by Fortinet’s FortiGuard Labs

In their report, the device models affected by the vulnerability are DIR-655C, DIR-866L, DIR-652, and DHP-1565. In fact, through our KnownSec 404 team’s research, we found that the device model affected by this vulnerability is far more than these. Other device models affected by the vulnerability are:

• DIR-855L
• DAP-1533
• DIR-862L
• DIR-615
• DIR-835
• DIR-825

Obviously, these device models are determined to be based on ZoomEye’s search results.First we determined the device banner fingerprints (ZoomEye dork)affected by CVE-2019–16920.

dork: “lighttpd” +”login_pic.asp”

Then we just call the ZoomEye api to determine the model string in the vulnerable device. It’s very easy to do this with Pocsuite


Thanks Hcamael of Knownsec 404 Team

If you have any questions about ZoomEye, please contact me:

The Leader of the KnownSec 404 Team ( ZoomEye SeeBug KCon