Published: 01/05/2015 Updated: 14/08/2019
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The miniigd SOAP service in Realtek SDK allows remote malicious users to execute arbitrary code via a crafted NewInternalClient request.

Vulnerability Trend


##
# This module requires Metasploit: metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include REXML

  def initialize(info = {})
    ...

Metasploit Modules

Realtek SDK Miniigd UPnP SOAP Command Execution

Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested successfully on a Trendnet TEW-731BR router with emulation.

msf > use exploit/linux/http/realtek_miniigd_upnp_exec_noauth
msf exploit(realtek_miniigd_upnp_exec_noauth) > show targets
msf exploit(realtek_miniigd_upnp_exec_noauth) > set TARGET <target-id>
msf exploit(realtek_miniigd_upnp_exec_noauth) > show options
      ...show and set options...
msf exploit(realtek_miniigd_upnp_exec_noauth) > exploit

D-Link Devices UPnP SOAP Command Execution

Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on DIR-865 and DIR-645 devices.

msf > use exploit/linux/http/dlink_upnp_exec_noauth
msf exploit(dlink_upnp_exec_noauth) > show targets
msf exploit(dlink_upnp_exec_noauth) > set TARGET <target-id>
msf exploit(dlink_upnp_exec_noauth) > show options
      ...show and set options...
msf exploit(dlink_upnp_exec_noauth) > exploit

Github Repositories

GreyNoise Intelligence Alpha API
Summary: GreyNoise is a system that collects and analyzes data on Internet-wide scanners. GreyNoise collects data on benign scanners such as Shodan.io, as well as malicious actors like SSH and telnet worms. The data is collected by a network of sensors deployed around the Internet in various datacenters, cloud providers, and regions.
URL: https:

Recent Articles

Valve Source Engine, Fortnite Servers Crippled By Gafgyt Variant
Threatpost • Lindsey O'Donnell • 31 Oct 2019

A new Gafgyt variant is adding vulnerable internet of things (IoT) devices to its botnet arsenal and using them to cripple gaming servers worldwide.
The newly-discovered variant is capable of launching a variety of denial-of-service (DoS) attacks against the Valve Source Engine, a video game engine developed by Valve Corp. that runs popular games such as ​Half-Life and ​Team Fortress 2. Other gaming servers have also been targeted by the botnet, such as those hosting widely-played game...

New Mirai Samples Grow the Number of Processors Targets
Threatpost • Lindsey O'Donnell • 08 Apr 2019

New samples of the Mirai malware have been identified, targeting an array of embedded processors and architectures within connected devices.
Researchers said that they discovered new Mirai samples in February 2019, capable of infecting IoT devices running Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. Variants of Mirai have previously targeted CPU architectures like ARM and x86.
While it’s not the first time Mirai’s targeting of new processor archit...

Huawei Router Flaw Leaks Default Credential Status
Threatpost • Tara Seals • 20 Dec 2018

A vulnerability in some Huawei routers used for carrier ISP services allows cybercriminals to identify whether the devices have default credentials or not – without ever connecting to them.
CVE-2018-7900 exists in the router panel and allows credentials information to leak – so attackers can simply perform a ZoomEye or Shodan IoT search to find a list of the devices having default passwords – no need for bruteforcing or running the risk of running into a generic honeypot.

Router Crapfest: Malware Author Builds 18,000-Strong Botnet in a Day
BleepingComputer • Catalin Cimpanu • 19 Jul 2018

A malware author has built a huge botnet comprised of over 18,000 routers in the span of only one day.
This new botnet has been spotted yesterday by security researchers from NewSky Security, and their findings have been confirmed today by Qihoo 360 Netlab, Rapid7, and Greynoise.
The botnet has been built by exploiting a vulnerability in Huawei HG532 routers, tracked as CVE-2017-17215.
Scans for this vulnerability, which can be exploited via port 37215, started yesterday mornin...

Threat Landscape for Industrial Automation Systems in H2 2017
Securelist • Kaspersky Lab ICS CERT • 26 Mar 2018

For many years, Kaspersky Lab experts have been uncovering and researching cyberthreats that target a variety of information systems – those of commercial and government organizations, banks, telecoms operators, industrial enterprises, and individual users. In this report, Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the findings of its research on the threat landscape for industrial automation systems conducted during the second hal...

New JenX IoT DDoS Botnet Offered Part of Gaming Server Rental Scheme
BleepingComputer • Catalin Cimpanu • 03 Feb 2018

The operators of a gaming server rental business are believed to have built an IoT DDoS botnet, which they are now offering as part of the server rental scheme.
The prime and pretty obvious clue that ties this new IoT botnet — named JenX — with the gaming server rental service is the IoT's command-and-control server, located at skids.sancalvicie.com.
The botnet's C&C server is found on the same server and domain used by the gaming server rental business — San Calvicie (sancal...

JenX Botnet Has Grand Theft Auto Hook
Threatpost • Christopher Kanaracus • 02 Feb 2018

Researchers at Radware have discovered a new botnet that uses vulnerabilities linked with the Satori botnet and is leveraging the Grand Theft Auto videogame community to infect IoT devices.
Satori is a derivative of Mirai, the notorious botnet that in 2016 infamously managed to take down Dyn, a DNS hosting provider that supports some of the world’s largest websites.
The vulnerabilities in question are CVE-2014-8361 and CVE-2017-17215, which affect certain Huawei and Realtek routers...

Satori Author Linked to New Mirai Variant Masuta
Threatpost • Tom Spring • 23 Jan 2018

Researchers at NewSky Security say the hacker behind a Mirai malware variant called Satori, also known as Mirai Okiru, is the same hacker behind two new Mirai variants called Masuta and PureMasuta.
Based on source code for Masuta malware recently found on the dark web, researchers at NewSky Security said they were able to connect the dots between Satori and Masuta. The hacker is identified as Nexus Zeta.
Last month researchers first identified Nexus Zeta as the principal behind a ser...

Satori Botnet Is Now Attacking Ethereum Mining Rigs
BleepingComputer • Catalin Cimpanu • 17 Jan 2018

A new variant of the Satori botnet has sprung back to life, and this one is hacking into Claymore mining rigs and replacing the device owner's mining credentials with the attacker's own.
The attacks started on January 8, a Qihoo 360 Netlab security researcher has told Bleeping Computer. Analysis of the malware's code suggests the same person behind the original Satori bot is behind this new wave as well.
The Satori botnet appeared in early December 2017 and was a heavily modified ver...

Code Used in Zero Day Huawei Router Attack Made Public
Threatpost • Tom Spring • 28 Dec 2017

Exploit code used in the Mirai malware variant called Satori, which was used to attack hundreds of thousands of Huawei routers over the past several weeks, is now public. Researchers warn the code will quickly become a commodity and be leveraged in DDoS attacks via botnets such as Reaper or IOTrooper.
Ankit Anubhav, researcher at NewSky Security, first identified the code on Monday that was posted publicly on Pastebin.com. The code is the zero-day vulnerability CVE-2017-17215 used by a hac...

Amateur Hacker Behind Satori Botnet
BleepingComputer • Catalin Cimpanu • 22 Dec 2017

A so-called "script kiddie" is behind the recently discovered Satori botnet that has scared security researchers because of its rapid rise to a size of hundreds of thousands of compromised devices.
Researchers say that a hacker named Nexus Zeta created Satori, which is a variant of the Mirai IoT malware that was released online in October 2016.
Satori, which is also tracked under the name of Mirai Okiru, came to life around November 23, when the malware started spreading on the Inter...

Satori Botnet Has Sudden Awakening With Over 280,000 Active Bots
BleepingComputer • Catalin Cimpanu • 05 Dec 2017

Security researchers are raising the alarm in regards to a new botnet named Satori that has been seen active on over 280,000 different IPs in the past 12 hours.
Satori — Japanese word for "awakening" — is not new, but a variant of the more infamous Mirai IoT DDoS malware.
Li Fengpei, a security researcher with Qihoo 360 Netlab, says the Satori variant came to life out of the blue today and started scans on ports 37215 and 52869.
According to a report Li shared with Bleeping C...

Unpatched Router Vulnerability Could Lead to Code Execution
Threatpost • Chris Brook • 30 Apr 2015

A zero day vulnerability in popular household routers from D-Link and Trendnet could be exploited by attackers to run arbitrary code on devices.
The flaw, which can be exploited without authentication, is present in version 1.3 of Realtek’s SDK, which figures into some brands of routers, according to HP’s Zero Day Initiative, who disclosed the vulnerability last Friday.
“The specific flaw exists within the miniigd SOAP service,” reads the advisory, “The issue lies in the...