CVE-2020-8515 Exploitation Attempt

Detects pre-auth RCE attacks against the DrayTek Vigor series, as observed on our honeypots.

Sigma rule

```yaml
title: CVE-2020-8515 Exploitation Attempt
id: 6b33d338-c93b-4cd6-b8eb-169398125b02
status: experimental
description: Detection of pre-auth RCE attack in DrayTek Vigor series observed from our Honeypots
references:
  - https://www.exploit-db.com/exploits/48268
author: Loginsoft Research Unit
date: 2020/06/19
logsource:
  product: draytek
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    c-uri: '/cgi-bin/mainfunction.cgi'
    c-uri-query: 'action=login&keyPath'
  keywords:
    - 'wget*'
    - '${IFS}'
    - '{IFS}/bin/bash'
  condition: selection and keywords
falsepositives:
  - Unknown
level: high
```
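The rule's `selection and keywords` condition can be checked offline against parsed web log events before deployment. The following is an added example, not part of the original rule or the author's tooling. It assumes events are dicts keyed by the rule's field names, treats selection values as case-insensitive substrings (a Sigma backend may match differently), and percent-decodes values first so encoded log entries are still compared; `normalise`, `matches_rule` and the sample events are hypothetical and constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Field values and keywords copied from the Sigma rule above.
SELECTION = {
    "cs-method": "POST",
    "c-uri": "/cgi-bin/mainfunction.cgi",
    "c-uri-query": "action=login&keyPath",
}
KEYWORDS = ["wget*", "${IFS}", "{IFS}/bin/bash"]

def normalise(value):
    """Percent-decode once and lowercase, so encoded log entries compare equal."""
    return unquote(str(value)).lower()

def matches_rule(event):
    """Evaluate 'selection and keywords' against one parsed log event (a dict)."""
    fields = {name: normalise(value) for name, value in event.items()}
    # Assumption: selection values are tested as case-insensitive substrings.
    selection = all(want.lower() in fields.get(name, "")
                    for name, want in SELECTION.items())
    # Keywords are searched across the whole event; '*' acts as a wildcard.
    haystack = " ".join(fields.values())
    keywords = any(fnmatchcase(haystack, f"*{kw.lower()}*") for kw in KEYWORDS)
    return selection and keywords

# Constructed sample events (not real honeypot data, no working payload).
URI = "/cgi-bin/mainfunction.cgi"
SAMPLE_EVENTS = [
    {"cs-method": "POST", "c-uri": URI,
     "c-uri-query": "action=login&keyPath=wget${IFS}CONSTRUCTED-SAMPLE"},
    {"cs-method": "POST", "c-uri": URI,
     "c-uri-query": "action=login&keyPath=wget%24%7BIFS%7DCONSTRUCTED-SAMPLE"},
    {"cs-method": "POST", "c-uri": URI,
     "c-uri-query": "action=login&keyPath=&loginUser=CONSTRUCTED"},
    {"cs-method": "GET", "c-uri": "/index.html", "c-uri-query": "q=wget"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(matches_rule(event), event["c-uri-query"])
```

The third event satisfies `selection` but none of the keywords, and the fourth contains a keyword but fails `selection`, so neither is flagged.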
