Determine the device models affected by CVE-2019-16920 with ZoomEye

by Heige (a.k.a. Superhei) of KnownSec 404 Team 10/09/2019

CVE-2019-16920 (https://nvd.nist.gov/vuln/detail/CVE-2019-16920) is an RCE vulnerability in D-Link products that was discovered and reported by Fortinet’s FortiGuard Labs (https://www.fortinet.com/blog/threat-research/d-link-routers-found-vulnerable-rce.html).

Their report lists the affected device models as DIR-655C, DIR-866L, DIR-652, and DHP-1565. Research by our KnownSec 404 Team found that far more device models are affected than these. The other affected device models are:

• DIR-855L
• DAP-1533
• DIR-862L
• DIR-615
• DIR-835
• DIR-825

These device models were determined from ZoomEye’s search results. First, we determined the device banner fingerprint (ZoomEye dork) for devices affected by CVE-2019-16920.

dork: "lighttpd" +"login_pic.asp"

Then we simply call the ZoomEye API to extract the model string from the vulnerable devices. This is very easy to do with Pocsuite (https://github.com/knownsec/pocsuite3).

PocSuite
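
The model-extraction step described above, as an added example that is not the team's Pocsuite script: it applies the page's fingerprint to banners already collected from devices you administer and sorts the extracted model strings against the two lists on this page. The banner layout, the `MODEL_RE` pattern and the `triage` helper are assumptions, and the sample banners are constructed.

```python
import re
from collections import Counter

# Model lists exactly as given on this page.
FORTINET_REPORTED = {"DIR-655C", "DIR-866L", "DIR-652", "DHP-1565"}
ZOOMEYE_ADDITIONAL = {"DIR-855L", "DAP-1533", "DIR-862L", "DIR-615", "DIR-835", "DIR-825"}

# Assumption: the model string appears in the banner as a D-Link product code.
MODEL_RE = re.compile(r"\b(?:DIR|DAP|DHP)-\d{3,4}[A-Z]?\b")


def matches_dork(banner):
    """The page's fingerprint: both strings must occur in the banner."""
    text = banner.lower()
    return "lighttpd" in text and "login_pic.asp" in text


def triage(records):
    """Return (per-host status, model tally) for fingerprint-matching hosts."""
    statuses, tally = {}, Counter()
    for rec in records:
        if not matches_dork(rec["banner"]):
            continue  # different web stack, outside this fingerprint
        found = MODEL_RE.search(rec["banner"])
        model = found.group(0) if found else "unknown"
        tally[model] += 1
        if model in FORTINET_REPORTED:
            statuses[rec["host"]] = (model, "listed by Fortinet")
        elif model in ZOOMEYE_ADDITIONAL:
            statuses[rec["host"]] = (model, "listed on this page")
        else:
            statuses[rec["host"]] = (model, "fingerprint match, model not listed")
    return statuses, tally


# Constructed sample banners (documentation addresses, not real scan data).
SAMPLE = [
    {"host": "192.0.2.10", "banner": "HTTP/1.1 200 OK\r\nServer: lighttpd\r\n\r\n"
        "<title>D-LINK</title><img src=login_pic.asp> Product Page: DIR-866L"},
    {"host": "192.0.2.11", "banner": "HTTP/1.1 200 OK\r\nServer: lighttpd\r\n\r\n"
        "<form><img src=\"login_pic.asp\">Model: DIR-825</form>"},
    {"host": "192.0.2.12", "banner": "HTTP/1.1 200 OK\r\nServer: lighttpd\r\n\r\n"
        "<img src=login_pic.asp> Hardware Version: A1"},
    {"host": "192.0.2.13", "banner": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\nDIR-615"},
]

if __name__ == "__main__":
    statuses, tally = triage(SAMPLE)
    for host, (model, status) in statuses.items():
        print(host, model, status)
    print(dict(tally))
```

Hosts that match the fingerprint but report an unlisted or unreadable model are kept in the output, since the page's point is that the affected set is wider than the vendor-reported list.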

Thanks Hcamael of Knownsec 404 Team

If you have any questions about ZoomEye, please contact me: https://twitter.com/80vul

The Leader of the KnownSec 404 Team ( ZoomEye http://www.zoomeye.org SeeBug http://www.seebug.org KCon http://kcon.knownsec.com)
