D-Link NAS Device Backdoor Abused, (Mon, Apr 29th)

Category :

SANS Full Feed

Posted On :

End of March, NetworkSecurityFish disclosed a vulnerability in various D-Link NAS devices [1]. The vulnerability allows access to the device using the user “messagebus” without credentials. The sample URL used by the PoC was:

GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=<BASE64_ENCODED_COMMAND_TO_BE_EXECUTED>

In addition to not requiring a password, the URL also accepts arbitrary system commands, which must be base64 encoded. Initial exploit attempts were detected as soon as April 8th. The vulnerability is particularly dangerous as some affected devices are no longer supported by DLink, and no patch is expected to be released. DLink instead advised to replace affected devices [2]. I have not been able to find an associated CVE number.

After the initial exploit attempts at the beginning of the month, we now see a new distinct set of exploit attempts, some of which use different URLs to attack vulnerable systems. It appears that nas_sharing.cgi is not the only endpoint that can be used to take advantage of the passwordless “messagebus” account.

So far, we do see these three different URLs


It is not clear if “orospucoc.cgi” is a distinct different vulnerability. But it appears more like another endpoint allowing for command execution, just like the original “nas_sharing.cgi” endpoint. I found no documentation mentioning the “orospucoc.cgi” endpoint. If anybody has an affected D-Link NAS device, let me know if this endpoint exists. In particular, “/.most/orospucoc.cgi” is odd. This URL starts showing up in our logs on April 17th. The term “orospucoc” in Turkish translates to the English “bitch”, which could indicate that this is not an actual vulnerable URL, but maybe a backdoor left behind by earlier attacks. The use of the directory “.most” and the payload “echo most” may point to a backdoor rather than a valid binary shipped with the device’s firmware.

Any feedback from DLink NAS users is appreciated.

The most common command executed is “uname -m” which is likely used to identify vulnerable devices. Other commands include:

echo    @hackerlor0510
echo    most


[1] https://github.com/netsecfish/dlink
[2] https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.