var-201810-0936
Vulnerability from variot

An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals. plural D-Link The product contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. DWR-116, DIR-140, DIR-640, etc. are all D-Link router products. There are shell command injection vulnerabilities in multiple series of http-servers of D-Link routers. D-Link DWR-116, etc. The following products and versions are affected: D-Link DWR-116 1.06 and earlier; DWR-512 2.02 and earlier; DWR-712 2.02 and earlier; DWR-912 2.02 and earlier; DWR-921 2.02 and earlier; DWR-111 1.01 and earlier versions. An issue exists on D-Link DWR-116 up to and including 1.06, DWR-512 up to and including 2.02, DWR-712 up to and including 2.02, DWR-912 up to and including 2.02, DWR-921 up to and including 2.02, and DWR-111 up to and including 1.01 devices. aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa MULTIPLE VULNERABILITIES IN D-LINK ROUTERS

                     Blazej Adamczyk (br0x)
                   blazej.adamczyk@gmail.com
                      http://sploit.tech/
          aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa


                           12.10.2018

1 Directory Traversal in httpd server in several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aa

CVE: CVE-2018-10822

CVSS v3: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Directory traversal vulnerability in the web interface on D-Link routers: aC/ DWR-116 through 1.06, aC/ DIR-140L through 1.02, aC/ DIR-640L through 1.02, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware

allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request.

NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.

PoC: aaaaa a $ curl http://routerip/uir//etc/passwd aaaaa

The vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824

This vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash.

2 Password stored in plaintext in several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

CVE: CVE-2018-10824

An issue was discovered on D-Link routers: aC/ DWR-116 through 1.06, aC/ DIR-140L through 1.02, aC/ DIR-640L through 1.02, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware.

NOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple.

The administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.

PoC using the directory traversal vulnerability disclosed at the same time - CVE-2018-10822

aaaaa a $ curl http://routerip/uir//tmp/XXX/0 aaaaa

This command returns a binary config file which contains admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability it is possible to read the file without authentication.

3 Shell command injection in httpd server of a several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaa

CVE: CVE-2018-10823

CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

An issue was discovered on D-Link routers: aC/ DWR-116 through 1.06, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware.

PoC: 1. 2. Request the following URL after login: aaaaa a $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20 %2Fetc%2Fpasswd aaaaa 3. See the passwd file contents in the response.

4 Exploiting all together aaaaaaaaaaaaaaaaaaaaaaaaa

CVSS v3: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Taking all the three together it is easy to gain full router control including arbitrary code execution.

Description with video: [http://sploit.tech/2018/10/12/D-Link.html]

5 Timeline aaaaaaaaaa

aC/ 09.05.2018 - vendor notified aC/ 06.06.2018 - asked vendor about the status because of long vendor response aC/ 22.06.2018 - received a reply that a patch will be released for DWR-116 and DWR-111, for the other devices which are EOL an announcement will be released aC/ 09.09.2018 - still no reply from vendor about the patches or announcement, I have warned the vendor that if I will not get a reply in a month I will publish the disclosure aC/ 12.10.2018 - disclosing the vulnerabilities

Show details on source website


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201810-0936",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "dwr-111",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "1.01"
      },
      {
        "model": "dwr-512",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "2.02"
      },
      {
        "model": "dwr-912",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "2.02"
      },
      {
        "model": "dwr-116",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "1.06"
      },
      {
        "model": "dwr-111",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "d link",
        "version": "1.01"
      },
      {
        "model": "dwr-116",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "d link",
        "version": "1.06"
      },
      {
        "model": "dwr-512",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "d link",
        "version": "2.02"
      },
      {
        "model": "dwr-912",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "d link",
        "version": "2.02"
      },
      {
        "model": "dwr-116",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "d link",
        "version": "1.06"
      },
      {
        "model": "dir-140l",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "d link",
        "version": "1.02"
      },
      {
        "model": "dir-640l",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "d link",
        "version": "1.02"
      },
      {
        "model": "dwr-512",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "d link",
        "version": "2.02"
      },
      {
        "model": "dwr-712",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "d link",
        "version": "2.02"
      },
      {
        "model": "dwr-912",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "d link",
        "version": "2.02"
      },
      {
        "model": "dwr-921",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "d link",
        "version": "2.02"
      },
      {
        "model": "dwr-111",
        "scope": "lt",
        "trust": 0.6,
        "vendor": "d link",
        "version": "1.01"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-21067"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013710"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10823"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:dlink:dwr-116_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.06",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:dlink:dwr-116:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:dlink:dwr-512_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "2.02",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:dlink:dwr-512:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:dlink:dwr-912_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "2.02",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:dlink:dwr-921:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:dlink:dwr-111_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.01",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:dlink:dwr-111:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-10823"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Blazej Adamczyk",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "149844"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2018-10823",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "Single",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 9.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2018-10823",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2018-21067",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "VHN-120621",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 8.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2018-10823",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2018-10823",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2018-21067",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201810-1015",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-120621",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2018-10823",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-21067"
      },
      {
        "db": "VULHUB",
        "id": "VHN-120621"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-10823"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-1015"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10823"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals. plural D-Link The product contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. DWR-116, DIR-140, DIR-640, etc. are all D-Link router products. There are shell command injection vulnerabilities in multiple series of http-servers of D-Link routers. D-Link DWR-116, etc. The following products and versions are affected: D-Link DWR-116 1.06 and earlier; DWR-512 2.02 and earlier; DWR-712 2.02 and earlier; DWR-912 2.02 and earlier; DWR-921 2.02 and earlier; DWR-111 1.01 and earlier versions. An issue exists on D-Link DWR-116 up to and including 1.06, DWR-512 up to and including 2.02, DWR-712 up to and including 2.02, DWR-912 up to and including 2.02, DWR-921 up to and including 2.02, and DWR-111 up to and including 1.01 devices.               aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n               MULTIPLE VULNERABILITIES IN D-LINK ROUTERS\n\n\n                         Blazej Adamczyk (br0x)\n                       blazej.adamczyk@gmail.com\n                          http://sploit.tech/\n              aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n\n\n                               12.10.2018\n\n\n1 Directory Traversal in httpd server in several series of D-Link\nrouters\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naa\n\n  CVE: CVE-2018-10822\n\n  CVSS v3: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n  Directory traversal vulnerability in the web interface on D-Link\n  routers:\n  aC/ DWR-116 through 1.06,\n  aC/ DIR-140L through 1.02,\n  aC/ DIR-640L through 1.02,\n  aC/ DWR-512 through 2.02,\n  aC/ DWR-712 through 2.02,\n  aC/ DWR-912 through 2.02,\n  aC/ DWR-921 through 2.02,\n  aC/ DWR-111 through 1.01,\n  aC/ and probably others with the same type of firmware\n\n  allows remote attackers to read arbitrary files via a /.. or // after\n  \"GET /uir\" in an HTTP request. \n\n  NOTE: this vulnerability exists because of an incorrect fix for\n  CVE-2017-6190. \n\n  PoC:\n  aaaaa\n  a $ curl http://routerip/uir//etc/passwd\n  aaaaa\n\n  The vulnerability can be used retrieve administrative password using\n  the other disclosed vulnerability - CVE-2018-10824\n\n  This vulnerability was reported previously by Patryk Bogdan in\n  CVE-2017-6190 but he reported it is fixed in certain release but\n  unfortunately it is still present in even newer releases. The\n  vulnerability is also present in other D-Link routers and can be\n  exploited not only (as the original author stated) by double dot but\n  also absolutely using double slash. \n\n\n2 Password stored in plaintext in several series of D-Link routers\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n\n  CVE: CVE-2018-10824\n\n  An issue was discovered on D-Link routers:\n  aC/ DWR-116 through 1.06,\n  aC/ DIR-140L through 1.02,\n  aC/ DIR-640L through 1.02,\n  aC/ DWR-512 through 2.02,\n  aC/ DWR-712 through 2.02,\n  aC/ DWR-912 through 2.02,\n  aC/ DWR-921 through 2.02,\n  aC/ DWR-111 through 1.01,\n  aC/ and probably others with the same type of firmware. \n\n  NOTE: I have changed the filename in description to XXX because the\n  vendor leaves some EOL routers unpatched and the attack is too\nsimple. \n\n  The administrative password is stored in plaintext in the /tmp/XXX/0\n  file. An attacker having a directory traversal (or LFI) can easily\nget\n  full router access. \n\n  PoC using the directory traversal vulnerability disclosed at the same\n  time - CVE-2018-10822\n\n  aaaaa\n  a $ curl http://routerip/uir//tmp/XXX/0\n  aaaaa\n\n  This command returns a binary config file which contains admin\n  username and password as well as many other router configuration\n  settings. By using the directory traversal vulnerability it is\n  possible to read the file without authentication. \n\n\n3 Shell command injection in httpd server of a several series of D-Link \nrouters\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naaaaaaaa\n\n  CVE: CVE-2018-10823\n\n  CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)\n\n  An issue was discovered on D-Link routers:\n  aC/ DWR-116 through 1.06,\n  aC/ DWR-512 through 2.02,\n  aC/ DWR-712 through 2.02,\n  aC/ DWR-912 through 2.02,\n  aC/ DWR-921 through 2.02,\n  aC/ DWR-111 through 1.01,\n  aC/ and probably others with the same type of firmware. \n\n  PoC:\n  1. \n  2. Request the following URL after login:\n     aaaaa\n     a $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20\n%2Fetc%2Fpasswd\n     aaaaa\n  3. See the passwd file contents in the response. \n\n\n4 Exploiting all together\naaaaaaaaaaaaaaaaaaaaaaaaa\n\n  CVSS v3: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n  Taking all the three together it is easy to gain full router control\n  including arbitrary code execution. \n\n  Description with video: [http://sploit.tech/2018/10/12/D-Link.html]\n\n\n5 Timeline\naaaaaaaaaa\n\n  aC/ 09.05.2018 - vendor notified\n  aC/ 06.06.2018 - asked vendor about the status because of long vendor\n    response\n  aC/ 22.06.2018 - received a reply that a patch will be released for\n    DWR-116 and DWR-111, for the other devices which are EOL an\n    announcement will be released\n  aC/ 09.09.2018 - still no reply from vendor about the patches or\n    announcement, I have warned the vendor that if I will not get a\n    reply in a month I will publish the disclosure\n  aC/ 12.10.2018 - disclosing the vulnerabilities\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-10823"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013710"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-21067"
      },
      {
        "db": "VULHUB",
        "id": "VHN-120621"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-10823"
      },
      {
        "db": "PACKETSTORM",
        "id": "149844"
      }
    ],
    "trust": 2.43
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-10823",
        "trust": 3.3
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013710",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-1015",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-21067",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-120621",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-10823",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "149844",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-21067"
      },
      {
        "db": "VULHUB",
        "id": "VHN-120621"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-10823"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013710"
      },
      {
        "db": "PACKETSTORM",
        "id": "149844"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-1015"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10823"
      }
    ]
  },
  "id": "VAR-201810-0936",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-21067"
      },
      {
        "db": "VULHUB",
        "id": "VHN-120621"
      }
    ],
    "trust": 1.36934525375
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS",
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-21067"
      }
    ]
  },
  "last_update_date": "2024-02-13T01:35:59.228000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://www.dlink.lt/en/"
      },
      {
        "title": "D-Link router httpdservershell command to inject vulnerability patch",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/142553"
      },
      {
        "title": "Kenzer Templates [5170] [DEPRECATED]",
        "trust": 0.1,
        "url": "https://github.com/arpsyndicate/kenzer-templates "
      },
      {
        "title": "The Register",
        "trust": 0.1,
        "url": "https://www.theregister.co.uk/2018/10/17/dlink_security_flaws/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-21067"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-10823"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013710"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-78",
        "trust": 1.1
      },
      {
        "problemtype": "CWE-77",
        "trust": 0.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-120621"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013710"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10823"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.6,
        "url": "http://sploit.tech/2018/10/12/d-link.html"
      },
      {
        "trust": 2.5,
        "url": "https://seclists.org/fulldisclosure/2018/oct/36"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10823"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10823"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/78.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/arpsyndicate/kenzer-templates"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-6190"
      },
      {
        "trust": 0.1,
        "url": "http://routerip/uir//tmp/xxx/0"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10822"
      },
      {
        "trust": 0.1,
        "url": "http://sploit.tech/"
      },
      {
        "trust": 0.1,
        "url": "http://routerip/uir//etc/passwd"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10824"
      },
      {
        "trust": 0.1,
        "url": "http://sploit.tech/2018/10/12/d-link.html]"
      },
      {
        "trust": 0.1,
        "url": "http://routerip/chkisg.htm%3fsip%3d1.1.1.1%20%7c%20cat%20"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-21067"
      },
      {
        "db": "VULHUB",
        "id": "VHN-120621"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-10823"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013710"
      },
      {
        "db": "PACKETSTORM",
        "id": "149844"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-1015"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10823"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-21067"
      },
      {
        "db": "VULHUB",
        "id": "VHN-120621"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-10823"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013710"
      },
      {
        "db": "PACKETSTORM",
        "id": "149844"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-1015"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10823"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-10-17T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-21067"
      },
      {
        "date": "2018-10-17T00:00:00",
        "db": "VULHUB",
        "id": "VHN-120621"
      },
      {
        "date": "2018-10-17T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-10823"
      },
      {
        "date": "2019-02-28T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-013710"
      },
      {
        "date": "2018-10-18T03:47:09",
        "db": "PACKETSTORM",
        "id": "149844"
      },
      {
        "date": "2018-10-18T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201810-1015"
      },
      {
        "date": "2018-10-17T14:29:00.787000",
        "db": "NVD",
        "id": "CVE-2018-10823"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-10-17T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-21067"
      },
      {
        "date": "2019-10-03T00:00:00",
        "db": "VULHUB",
        "id": "VHN-120621"
      },
      {
        "date": "2023-11-08T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-10823"
      },
      {
        "date": "2019-02-28T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-013710"
      },
      {
        "date": "2019-10-23T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201810-1015"
      },
      {
        "date": "2023-11-08T22:46:49.570000",
        "db": "NVD",
        "id": "CVE-2018-10823"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-1015"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "plural  D-Link Command injection vulnerability in the product",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-013710"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "operating system commend injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201810-1015"
      }
    ],
    "trust": 0.6
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.