New Exploit Variation Against D-Link NAS Devices (CVE-2024-3273)

    Published: 2024-07-23
    Last Updated: 2024-07-23 15:46:51 UTC
    by Johannes Ullrich (Version: 1)

    In April, an OS command injection vulnerability in various D-Link NAS devices was made public [1]. The vulnerability, CVE-2024-3273, was exploited soon after it became public. Many of the affected devices are no longer supported.

    We have seen different exploits following similar patterns:

    /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=[base 64 encoded payload]

    After the initial scans, we had two more "spikes" in scans for this vulnerability. The second one just started two days ago.

    [Figure: graph of D-Link exploit scans between April and today]

    The latest set of scans uses this payload:


    This payload decodes to:

    echo    -e    \\x65\\x63\\x68\\x6f\\x20\\x27\\x78\\x78\\x78\\x78\\x78\\x63\\x63\\x63\\x63\\x63\\x27|sh

    Encoding strings as hexadecimal with "echo -e" has been popular for a while and took off after Mirai started using it. In this case, the command to be executed is:

    echo 'xxxxxccccc'|sh

    The goal of this exploit is to find vulnerable machines. The "double obfuscation" is likely meant to bypass some filters and to better distinguish real devices from honeypots. I have seen "non-functional" exploits used to detect honeypots by attempting to fingerprint the error message returned. Maybe a pattern to add to our honeypots after lunch.
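    To see how the two encoding layers stack, here is a small decoder written for this diary entry (it is an added example, not code from the diary, from D-Link, or from the scanner). It takes a request URI in the nas_sharing.cgi pattern shown above, base64-decodes the system= parameter, then strips the "echo -e" hex-escape layer and notes whether the result is piped into a shell. The sample request is constructed from the decoded payload quoted above; all function names are my own, and the shell names checked are an assumption.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample (not a captured log line): the decoded payload quoted in the
# diary, wrapped the way the scanner delivers it, base64 in the "system" parameter.
OBSERVED_PAYLOAD = (
    r"echo    -e    \\x65\\x63\\x68\\x6f\\x20\\x27\\x78\\x78\\x78\\x78\\x78"
    r"\\x63\\x63\\x63\\x63\\x63\\x27|sh"
)
SAMPLE_REQUEST = (
    "/cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system="
    + base64.b64encode(OBSERVED_PAYLOAD.encode()).decode()
)

# Matches "\x65" as well as the doubly escaped "\\x65" form seen in the diary.
HEX_ESCAPE = re.compile(r"\\\\?x([0-9a-fA-F]{2})")
# The system= value is taken raw rather than via parse_qs so that '+' (a legal
# base64 character) is not turned into a space.
SYSTEM_PARAM = re.compile(r"[?&]system=([^&\s]*)")
ECHO_E = re.compile(r"^\s*echo\s+-e\s+(\S+)\s*$")
SHELLS = {"sh", "bash", "ash", "dash"}  # assumption: interpreters worth flagging


def extract_system_param(request_uri):
    """Return the base64-decoded 'system' value of a nas_sharing.cgi request, else None."""
    path = request_uri.split("?", 1)[0]
    if not path.endswith("/nas_sharing.cgi"):
        return None
    m = SYSTEM_PARAM.search(request_uri)
    if not m or not m.group(1):
        return None
    try:
        raw = base64.b64decode(unquote(m.group(1)))
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "replace")


def unwrap_echo_e(command):
    """Peel one 'echo -e <hex escapes> | sh' layer.

    Returns (inner_command, piped_to_shell); inner_command is None when the
    first pipeline stage is not an echo -e carrying hex escapes.
    """
    stages = [s.strip() for s in command.split("|")]
    m = ECHO_E.match(stages[0])
    if not m:
        return None, False
    inner = HEX_ESCAPE.sub(lambda h: chr(int(h.group(1), 16)), m.group(1))
    piped = any(s.split()[0] in SHELLS for s in stages[1:] if s)
    return inner, piped


def analyze(request_uri):
    """Classify one request URI; None when it is not a nas_sharing.cgi request with system=."""
    outer = extract_system_param(request_uri)
    if outer is None:
        return None
    inner, piped = unwrap_echo_e(outer)
    return {
        "outer_command": outer,
        "inner_command": inner,
        "piped_to_shell": piped,
        # Both layers present is the fingerprint of the variant described above.
        "double_obfuscated": inner is not None and piped,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_REQUEST))
```

    Run against the constructed request, analyze() reports the inner command as echo 'xxxxxccccc' with piped_to_shell set, which is the marker text the diary describes; a plain base64-wrapped command without the echo -e layer comes back with inner_command None, so the double_obfuscated flag separates this variant from the earlier, simpler scans.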

    The single source ( scanning for this particular version of the exploit on July 19th has now switched to related scans for nas_sharing.cgi.


    Johannes B. Ullrich, Ph.D., Dean of Research,
