In April, an OS command injection vulnerability in various D-Link NAS devices was made public [1]. The vulnerability, %%CVE:2024-3273%% was exploited soon after it became public. Many of the affected devices are no longer supported.

We have seen different exploits following similar patterns:

/cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=[base 64 encoded payload]

After the initial scans, we had two more “spikes” in scans for this vulnerability. The second one just started two days ago.

The latest set of scans uses this payload:

ZWNobwktZQlcXHg2NVxceDYzXFx4NjhcXHg2ZlxceDIwXFx4MjdcXHg3OFxceDc4XFx4NzhcXHg3OFxceDc4XFx4NjNcXHg2M1xceDYzXFx4NjNcXHg2M1xceDI3fHNo

This payload decodes to

echo    -e    \x65\x63\x68\x6f\x20\x27\x78\x78\x78\x78\x78\x63\x63\x63\x63\x63\x27|sh

Encoding strings as hexadecimal with “echo -e” has been popular for a while and took off after Mirai started using it. In this case, the command to be executed is:

echo ‘xxxxxccccc’|sh

The goal of this exploit is to find vulnerable machines. The “double obfuscation” is likely supposed to bypass some filters and better discriminate against honeypots. I have seen “non functional” exploits used to detect honeypots by attempting to fingerprint the error message returned. Maybe a pattern to add to our honeypots after lunch.

The single source (%%ip:192.227.190.158%%) scanning for this particular version of the exploit on July 19th has now switched to related scans for nas_sharing.cgi

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-3273

—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.