by Heige(a.k.a Superhei) of KnownSec 404 Team 10/09/2019
CVE-2019–16920 https://nvd.nist.gov/vuln/detail/CVE-2019-16920 is a RCE vulnerability in D-Link products that was discovered and reported by Fortinet’s FortiGuard Labs https://www.fortinet.com/blog/threat-research/d-link-routers-found-vulnerable-rce.html
In their report, the device models affected by the vulnerability are DIR-655C, DIR-866L, DIR-652, and DHP-1565. In fact, through our KnownSec 404 team’s research, we found that the device model affected by this vulnerability is far more than these. Other device models affected by the vulnerability are:
• DIR-855L
• DAP-1533
• DIR-862L
• DIR-615
• DIR-835
• DIR-825
Obviously, these device models are determined to be based on ZoomEye’s search results.First we determined the device banner fingerprints (ZoomEye dork)affected by CVE-2019–16920.
dork: “lighttpd” +”login_pic.asp”
Then we just call the ZoomEye api to determine the model string in the vulnerable device. It’s very easy to do this with Pocsuite https://github.com/knownsec/pocsuite3
Thanks Hcamael of Knownsec 404 Team
If you have any questions about ZoomEye, please contact me:https://twitter.com/80vul