Vulnerabilities > CVE-2014-8361

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

dlink

realtek

aterm

critical

nessus

exploit available

metasploit

NVD

Published: 2015-05-01

Updated: 2024-06-27

Summary

The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request, as exploited in the wild through 2023.

Vulnerable Configurations

Part	Description	Count
Hardware	Dlink Dlink DIR 905L A1 Dlink DIR 905L B1 Dlink DIR 605L A1 Dlink DIR 605L B1 Dlink DIR 605L C1 Dlink DIR 600L A1 Dlink DIR 600L B1 Dlink DIR 619L A1 Dlink DIR 619L B1 Dlink DIR 809 A1 Dlink DIR 809 A2 Dlink DIR 501 A1 Dlink DIR 515 A1 Dlink DIR 615 J1 Dlink DIR 615 Fx	15
Hardware	Aterm Aterm Wg1900Hp2 - Aterm Wg1900Hp - Aterm Wg1800Hp4 - Aterm Wg1800Hp3 - Aterm Wg1200Hs2 - Aterm Wg1200Hp3 - Aterm Wg1200Hp2 - Aterm W1200Ex - Aterm W1200Ex MS - Aterm Wg1200Hs - Aterm Wg1200Hp - Aterm Wf800Hp - Aterm Wf300Hp2 - Aterm Wr8165N - Aterm W500P - Aterm W300P -	16
OS	Dlink Dlink DIR 905L Firmware 1.00 Dlink DIR 905L Firmware 1.02 Dlink DIR 905L Firmware 2.05B01 Dlink DIR 605L Firmware 1.00 Dlink DIR 605L Firmware 1.13 Dlink DIR 605L Firmware 1.14B06 Dlink DIR 605L Firmware 1.17B01 Dlink DIR 605L Firmware 2.00 Dlink DIR 605L Firmware 2.01Mt Dlink DIR 605L Firmware 2.04 Dlink DIR 605L Firmware 2.07B02 Dlink DIR 605L Firmware 2.08B01 Dlink DIR 605L Firmware 2.12B1 Dlink DIR 605L Firmware 2.13B01 Dlink DIR 605L Firmware 3.03B07 Dlink DIR 600L Firmware 1.00 Dlink DIR 600L Firmware 1.15 Dlink DIR 600L Firmware 1.16 Dlink DIR 600L Firmware 2.00 Dlink DIR 600L Firmware 2.05 Dlink DIR 600L Firmware 2.056B06 Dlink DIR 619L Firmware 1.00 Dlink DIR 619L Firmware 1.15 Dlink DIR 619L Firmware 2.00 Dlink DIR 619L Firmware 2.02 Dlink DIR 619L Firmware 2.03 Dlink DIR 619L Firmware 2.04 Dlink DIR 619L Firmware 2.06 Dlink DIR 619L Firmware 2.06B1 Dlink DIR 619L Firmware 2.07B02 Dlink DIR 809 Firmware 1.00 Dlink DIR 809 Firmware 1.02 Dlink DIR 501 Firmware 1.01B04 Dlink DIR 515 Firmware 1.01B04 Dlink DIR 615 Firmware 10.01B02 Dlink DIR 615 Firmware - Dlink DIR 615 Firmware 2.5.17 Dlink DIR 615 Firmware 3.03Ww Dlink DIR 615 Firmware 6.06B03	39
OS	Aterm Aterm Wg1900Hp2 Firmware 1.3.1 Aterm Wg1900Hp Firmware 2.5.1 Aterm Wg1800Hp4 Firmware 1.3.1 Aterm Wg1800Hp3 Firmware 1.5.1 Aterm Wg1200Hs2 Firmware 2.5.0 Aterm Wg1200Hp3 Firmware 1.3.1 Aterm Wg1200Hp2 Firmware 2.5.0 Aterm W1200Ex Firmware 1.3.1 Aterm W1200Ex MS Firmware - Aterm W1200Ex MS Firmware 1.3.1 Aterm Wg1200Hs Firmware * Aterm Wg1200Hp Firmware * Aterm Wf800Hp Firmware * Aterm Wf300Hp2 Firmware * Aterm Wr8165N Firmware * Aterm W500P Firmware * Aterm W300P Firmware *	17
Application	Realtek Realtek Realtek SDK -	1

Exploit-Db

description	Realtek SDK Miniigd UPnP SOAP Command Execution. CVE-2014-8361. Remote exploit for linux platform
file	exploits/linux/remote/37169.rb
id	EDB-ID:37169
last seen	2016-02-04
modified	2015-06-01
platform	linux
port	52869
published	2015-06-01
reporter	metasploit
source	https://www.exploit-db.com/download/37169/
title	Realtek SDK Miniigd UPnP SOAP Command Execution
type	remote

Metasploit

description	Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested successfully on a Trendnet TEW-731BR router with emulation.
id	MSF:EXPLOIT/LINUX/HTTP/REALTEK_MINIIGD_UPNP_EXEC_NOAUTH
last seen	2020-06-03
modified	2017-07-24
published	2015-05-03
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361 http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb
title	Realtek SDK Miniigd UPnP SOAP Command Execution

description	Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on DIR-865 and DIR-645 devices.
id	MSF:EXPLOIT/LINUX/HTTP/DLINK_UPNP_EXEC_NOAUTH
last seen	2020-06-08
modified	2018-07-12
published	2013-07-14
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361 http://www.s3cur1ty.de/m1adv2013-020
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/dlink_upnp_exec_noauth.rb
title	D-Link Devices UPnP SOAP Command Execution

Nessus

NASL family	Misc.
NASL id	REALTEK_CVE_2014_8361.NASL
description	According to its banner, the Realtek Software Development Kit is running on the remote device. It is, therefore, affected by a flaw in the miniigd SOAP service due to a failure to properly sanitize user input when handling NewInternalClient requests. An unauthenticated, remote attacker, using a crafted request, can exploit this to execute arbitrary code with root level privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	83185
published	2015-05-01
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/83185
title	Realtek SDK miniigd SOAP Service RCE
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(83185); script_version("1.13"); script_cvs_date("Date: 2019/11/22"); script_cve_id("CVE-2014-8361"); script_bugtraq_id(74330); script_xref(name:"ZDI", value:"ZDI-15-155"); script_xref(name:"EDB-ID", value:"37169"); script_name(english:"Realtek SDK miniigd SOAP Service RCE"); script_summary(english:"Checks the banners."); script_set_attribute(attribute:"synopsis", value: "A software development kit running on the remote device is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "According to its banner, the Realtek Software Development Kit is running on the remote device. It is, therefore, affected by a flaw in the miniigd SOAP service due to a failure to properly sanitize user input when handling NewInternalClient requests. An unauthenticated, remote attacker, using a crafted request, can exploit this to execute arbitrary code with root level privileges."); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-15-155/"); script_set_attribute(attribute:"solution", value: "There is currently no fix available. As a workaround, restrict access to vulnerable devices."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Realtek SDK Miniigd UPnP SOAP Command Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/01"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:realtek:realtek_sdk"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("upnp_search.nasl", "http_version.nasl"); script_require_keys("Settings/ParanoidReport"); script_require_ports("upnp/server", "Services/www"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("audit.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); global_var fix, vuln; vuln = FALSE; ## # Checks if the given server banner is from a vulnerable # version of realtek upnpd. If so, a reporting function is # called # # @param port port number of the service being tested # @param server server banner advertised on "port" # @param proto the protocol the port is accessible by (tcp or udp) ## function _check_realtek_version(port, server, proto) { local_var ver, report, banner; server = chomp(server); ver = eregmatch(string:server, pattern:"realtek/v((0(\.[0-9.]+)?\|1\.[0-3](\.[0-9.]+)?\|1)$)", icase:TRUE); if (!isnull(ver)) { vuln = TRUE; banner = ereg_replace(string:server, pattern:'SERVER: *(.+)', replace:"\1", icase:TRUE); report = '\n Server banner : ' + banner + '\n Installed version : ' + ver[1] + '\n'; security_report_v4(port:port, proto:proto, severity:SECURITY_HOLE, extra:report); } } # check the server string retrieved via UDP 1900 by upnp_search.nasl servers = get_kb_list('upnp/server'); foreach(server in servers) _check_realtek_version(port:1900, server:server, proto:'udp'); # check any server strings retrieved via HTTP www_ports = get_kb_list('Services/www'); if(!vuln && isnull(www_ports)) audit(AUDIT_HOST_NOT, 'affected'); foreach port (www_ports) { server = http_server_header(port:port); if (empty_or_null(server)) continue; _check_realtek_version(port:port, server:server, proto:'tcp'); } if (!vuln) audit(AUDIT_HOST_NOT, 'affected');

Packetstorm

data source	https://packetstormsecurity.com/files/download/132090/realtek_miniigd_upnp_exec_noauth.rb.txt
id	PACKETSTORM:132090
last seen	2016-12-05
published	2015-05-29
reporter	Michael Messner
source	https://packetstormsecurity.com/files/132090/Realtek-SDK-Miniigd-UPnP-SOAP-Command-Execution.html
title	Realtek SDK Miniigd UPnP SOAP Command Execution

Vulnerabilities > CVE-2014-8361 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2014-8361"}]}

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Nessus

Packetstorm

References

Vulnerabilities > CVE-2014-8361