""ET WEB_SPECIFIC_APPS D-Link NAS devices Backdoor Account Access and Command Injection Attempt (CVE-2024-3273)""

SID: 2051955

Revision: 1

Class Type: attempted-admin

Metadata: affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_04_08, deployment Perimeter, deployment SSLDecrypt, confidence High, updated_at 2024_04_08, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services

Reference:

• cve

• 2024-3273

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: $HOME_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: "GET"

• Value: "/cgi-bin/nas_sharing.cgi?" Depth: 25

• Value: "user|3d|messagebus"

• Value: "passwd|3d|"

• Value: "cmd|3d|15"

• Value: "system|3d|"

Within:

PCRE:

Special Options:

• http_method

• http_uri

• http_uri

• fast_pattern

• http_uri

• http_uri

• http_uri

source