D-Link Routers - Directory Traversal Vulnerability

ID 1337DAY-ID-31401
Type zdt
Reporter Blazej Adamczyk
Modified 2018-10-25T00:00:00


Exploit for hardware platform in category web applications

                                            Directory Traversal
CVE: CVE-2018-10822
CVSS v3: 8.6
Description: Directory traversal vulnerability in the web interface on D-Link routers:
DWR-116 through 1.06,
DIR-140L through 1.02,
DIR-640L through 1.02,
DWR-512 through 2.02,
DWR-712 through 2.02,
DWR-912 through 2.02,
DWR-921 through 2.02,
DWR-111 through 1.01,
and probably others with the same type of firmware
allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request.
NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.
`$ curl http://routerip/uir//etc/passwd`
The vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824.
This vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash.

#  0day.today [2018-10-25]  #