Vulnerabilites related to dlink - dwr-111
Vulnerability from fkie_nvd
Published
2018-10-17 14:29
Modified
2024-11-21 03:42
Severity ?
Summary
An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://sploit.tech/2018/10/12/D-Link.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://seclists.org/fulldisclosure/2018/Oct/36 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://sploit.tech/2018/10/12/D-Link.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2018/Oct/36 | Exploit, Mailing List, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dlink | dwr-116_firmware | * | |
| dlink | dwr-116 | - | |
| dlink | dwr-512_firmware | * | |
| dlink | dwr-512 | - | |
| dlink | dwr-912_firmware | * | |
| dlink | dwr-921 | - | |
| dlink | dwr-111_firmware | * | |
| dlink | dwr-111 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-116_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B75F8993-E3DE-4E8E-A202-F65B73BCBE4B",
"versionEndIncluding": "1.06",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-116:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B307E277-9C31-4D69-B4E2-4FE28B2E2AE3",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-512_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "41CAC2C7-FAC8-48DA-B28E-8112209B8898",
"versionEndIncluding": "2.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-512:-:*:*:*:*:*:*:*",
"matchCriteriaId": "90DE6771-50FB-492D-B931-193BB9286B52",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-912_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37FEC076-CCD2-4153-9E49-50F6BE0E4F8E",
"versionEndIncluding": "2.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-921:-:*:*:*:*:*:*:*",
"matchCriteriaId": "43F0390E-B9E1-463A-A08C-B529778EE72F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-111_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "16948147-16DB-4365-A4EC-3F5B4298B564",
"versionEndIncluding": "1.01",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-111:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B3B810AA-0D3A-439F-8AD9-D42CB368343B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals."
},
{
"lang": "es",
"value": "Se ha descubierto un problema en dispositivos D-Link DWR-116 hasta la versi\u00f3n 1.06, DWR-512 hasta la versi\u00f3n 2.02, DWR-712 hasta la versi\u00f3n 2.02, DWR-912 hasta la versi\u00f3n 2.02, DWR-921 hasta la versi\u00f3n 2.02 y DWR-111 hasta la versi\u00f3n 1.01. Un atacante autenticado podr\u00eda ejecutar c\u00f3digo arbitrario inyectando el comando shell en el par\u00e1metro Sip de la p\u00e1gina chkisg.htm. Esto permite el control total de las partes internas del dispositivo."
}
],
"id": "CVE-2018-10823",
"lastModified": "2024-11-21T03:42:05.663",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-10-17T14:29:00.787",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://sploit.tech/2018/10/12/D-Link.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://sploit.tech/2018/10/12/D-Link.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-10-17 14:29
Modified
2024-11-21 03:42
Severity ?
Summary
Directory traversal vulnerability in the web interface on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://sploit.tech/2018/10/12/D-Link.html | Exploit | |
| cve@mitre.org | https://seclists.org/fulldisclosure/2018/Oct/36 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://sploit.tech/2018/10/12/D-Link.html | Exploit | |
| af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2018/Oct/36 | Exploit, Mailing List, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dlink | dwr-116_firmware | * | |
| dlink | dwr-116 | - | |
| dlink | dir-140l_firmware | * | |
| dlink | dir-140l | - | |
| dlink | dir-640l_firmware | * | |
| dlink | dir-640l | - | |
| dlink | dwr-512_firmware | * | |
| dlink | dwr-512 | - | |
| dlink | dwr-712_firmware | * | |
| dlink | dwr-712 | - | |
| dlink | dwr-912_firmware | * | |
| dlink | dwr-921 | - | |
| dlink | dwr-921_firmware | * | |
| dlink | dwr-921 | - | |
| dlink | dwr-111_firmware | * | |
| dlink | dwr-111 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-116_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B75F8993-E3DE-4E8E-A202-F65B73BCBE4B",
"versionEndIncluding": "1.06",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-116:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B307E277-9C31-4D69-B4E2-4FE28B2E2AE3",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dir-140l_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DB18157B-E01A-436D-BE12-67F98EED68E3",
"versionEndIncluding": "1.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dir-140l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB31E266-B075-42EA-891D-B4EB8E800091",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dir-640l_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C5749C6C-2149-4BE0-971D-B01897BEC22D",
"versionEndIncluding": "1.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dir-640l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "420C6BC9-082D-47D7-9612-553B3B8EEBBA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-512_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "41CAC2C7-FAC8-48DA-B28E-8112209B8898",
"versionEndIncluding": "2.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-512:-:*:*:*:*:*:*:*",
"matchCriteriaId": "90DE6771-50FB-492D-B931-193BB9286B52",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-712_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EB35A612-8DBD-46BD-80C5-4CA982D414C6",
"versionEndIncluding": "2.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-712:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F45AFE88-4369-4CD5-BFC0-69AF3DF0A77A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-912_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37FEC076-CCD2-4153-9E49-50F6BE0E4F8E",
"versionEndIncluding": "2.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-921:-:*:*:*:*:*:*:*",
"matchCriteriaId": "43F0390E-B9E1-463A-A08C-B529778EE72F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-921_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "98B01219-1B35-45CF-AD67-53E59C5A2C99",
"versionEndIncluding": "2.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-921:-:*:*:*:*:*:*:*",
"matchCriteriaId": "43F0390E-B9E1-463A-A08C-B529778EE72F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-111_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "16948147-16DB-4365-A4EC-3F5B4298B564",
"versionEndIncluding": "1.01",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-111:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B3B810AA-0D3A-439F-8AD9-D42CB368343B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in the web interface on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices allows remote attackers to read arbitrary files via a /.. or // after \"GET /uir\" in an HTTP request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en la interfaz web en dispositivos D-Link DWR-116 hasta la versi\u00f3n 1.06, DIR-140L hasta la versi\u00f3n 1.02, DIR-640L hasta la versi\u00f3n 1.02, DWR-512 hasta la versi\u00f3n 2.02, DWR-712 hasta la versi\u00f3n 2.02, DWR-912 hasta la versi\u00f3n 2.02, DWR-921 hasta la versi\u00f3n 2.02 y DWR-111 hasta la versi\u00f3n 1.01 permite que atacantes remotos lean archivos arbitrarios mediante /.. o // tras \"GET /uir\" en una petici\u00f3n HTTP. NOTA: Esta vulnerabilidad existe debido a una soluci\u00f3n incorrecta para CVE-2017-6190."
}
],
"id": "CVE-2018-10822",
"lastModified": "2024-11-21T03:42:05.497",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-10-17T14:29:00.663",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://sploit.tech/2018/10/12/D-Link.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://sploit.tech/2018/10/12/D-Link.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-10-17 14:29
Modified
2024-11-21 03:42
Severity ?
Summary
An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. The administrative password is stored in plaintext in the /tmp/csman/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://sploit.tech/2018/10/12/D-Link.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://seclists.org/fulldisclosure/2018/Oct/36 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://sploit.tech/2018/10/12/D-Link.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2018/Oct/36 | Exploit, Mailing List, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dlink | dwr-116_firmware | * | |
| dlink | dwr-116 | - | |
| dlink | dir-140l_firmware | * | |
| dlink | dir-140l | - | |
| dlink | dir-640l_firmware | * | |
| dlink | dir-640l | - | |
| dlink | dwr-512_firmware | * | |
| dlink | dwr-512 | - | |
| dlink | dwr-712_firmware | * | |
| dlink | dwr-712 | - | |
| dlink | dwr-912_firmware | * | |
| dlink | dwr-921 | - | |
| dlink | dwr-921_firmware | * | |
| dlink | dwr-921 | - | |
| dlink | dwr-111_firmware | * | |
| dlink | dwr-111 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-116_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B75F8993-E3DE-4E8E-A202-F65B73BCBE4B",
"versionEndIncluding": "1.06",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-116:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B307E277-9C31-4D69-B4E2-4FE28B2E2AE3",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dir-140l_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DB18157B-E01A-436D-BE12-67F98EED68E3",
"versionEndIncluding": "1.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dir-140l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB31E266-B075-42EA-891D-B4EB8E800091",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dir-640l_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C5749C6C-2149-4BE0-971D-B01897BEC22D",
"versionEndIncluding": "1.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dir-640l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "420C6BC9-082D-47D7-9612-553B3B8EEBBA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-512_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "41CAC2C7-FAC8-48DA-B28E-8112209B8898",
"versionEndIncluding": "2.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-512:-:*:*:*:*:*:*:*",
"matchCriteriaId": "90DE6771-50FB-492D-B931-193BB9286B52",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-712_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EB35A612-8DBD-46BD-80C5-4CA982D414C6",
"versionEndIncluding": "2.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-712:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F45AFE88-4369-4CD5-BFC0-69AF3DF0A77A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-912_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37FEC076-CCD2-4153-9E49-50F6BE0E4F8E",
"versionEndIncluding": "2.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-921:-:*:*:*:*:*:*:*",
"matchCriteriaId": "43F0390E-B9E1-463A-A08C-B529778EE72F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-921_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "98B01219-1B35-45CF-AD67-53E59C5A2C99",
"versionEndIncluding": "2.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-921:-:*:*:*:*:*:*:*",
"matchCriteriaId": "43F0390E-B9E1-463A-A08C-B529778EE72F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-111_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "16948147-16DB-4365-A4EC-3F5B4298B564",
"versionEndIncluding": "1.01",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-111:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B3B810AA-0D3A-439F-8AD9-D42CB368343B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. The administrative password is stored in plaintext in the /tmp/csman/0 file. An attacker having a directory traversal (or LFI) can easily get full router access."
},
{
"lang": "es",
"value": "Se ha descubierto un problema en dispositivos D-Link DWR-116 hasta la versi\u00f3n 1.06, DIR-140L hasta la versi\u00f3n 1.02, DWR-512 hasta la versi\u00f3n 2.02, DWR-712 hasta la versi\u00f3n 2.02, DWR-912 hasta la versi\u00f3n 2.02, DWR-921 hasta la versi\u00f3n 2.02 y DWR-111 hasta la versi\u00f3n 1.01. La contrase\u00f1a administrativa se almacena en texto plano en el archivo /tmp/csman/0. Un atacante que tenga un salto de directorio (o LFI) puede obtener f\u00e1cilmente el acceso total al router."
}
],
"id": "CVE-2018-10824",
"lastModified": "2024-11-21T03:42:05.830",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-10-17T14:29:00.930",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://sploit.tech/2018/10/12/D-Link.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://sploit.tech/2018/10/12/D-Link.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-04-11 16:29
Modified
2024-11-21 03:57
Severity ?
Summary
On D-Link DAP-1530 (A1) before firmware version 1.06b01, DAP-1610 (A1) before firmware version 1.06b01, DWR-111 (A1) before firmware version 1.02v02, DWR-116 (A1) before firmware version 1.06b03, DWR-512 (B1) before firmware version 2.02b01, DWR-711 (A1) through firmware version 1.11, DWR-712 (B1) before firmware version 2.04b01, DWR-921 (A1) before firmware version 1.02b01, and DWR-921 (B1) before firmware version 2.03b01, there exists an EXCU_SHELL file in the web directory. By sending a GET request with specially crafted headers to the /EXCU_SHELL URI, an attacker could execute arbitrary shell commands in the root context on the affected device. Other devices might be affected as well.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| d-link | dap-1530_firmware | * | |
| dlink | dap-1530 | - | |
| d-link | dap-1610_firmware | * | |
| dlink | dap-1610 | - | |
| dlink | dwr-111_firmware | * | |
| dlink | dwr-111 | - | |
| d-link | dwr-116_firmware | 1.06 | |
| d-link | dwr-116_firmware | 1.06 | |
| dlink | dwr-116_firmware | * | |
| dlink | dwr-116 | - | |
| dlink | dwr-512_firmware | * | |
| dlink | dwr-512 | - | |
| d-link | dwr-711_firmware | * | |
| dlink | dwr-711 | - | |
| dlink | dwr-712_firmware | * | |
| dlink | dwr-712 | - | |
| dlink | dwr-921_firmware | * | |
| dlink | dwr-921 | - | |
| dlink | dwr-921_firmware | * | |
| dlink | dwr-921 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:d-link:dap-1530_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "845DE000-42DB-4310-9E22-061586F3C3EE",
"versionEndIncluding": "1.05",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dap-1530:-:*:*:*:*:*:*:*",
"matchCriteriaId": "63BAF83E-E5D6-4585-B23D-A8B99CF1F47D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:d-link:dap-1610_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "130044B1-A22A-40F4-8BCF-20FE0E8F768C",
"versionEndIncluding": "1.05",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dap-1610:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F0EBA8A8-05EB-450D-864E-D213E104C120",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-111_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "16948147-16DB-4365-A4EC-3F5B4298B564",
"versionEndIncluding": "1.01",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-111:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B3B810AA-0D3A-439F-8AD9-D42CB368343B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:d-link:dwr-116_firmware:1.06:b1:*:*:*:*:*:*",
"matchCriteriaId": "4145C196-EC38-41E5-9006-AA44E9E91DF3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:d-link:dwr-116_firmware:1.06:b2:*:*:*:*:*:*",
"matchCriteriaId": "BC35D145-1B2E-40E4-9121-DD2DAF4E08EF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:dlink:dwr-116_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E0B0B1E9-B378-4B4D-A0F7-301F083FE646",
"versionEndIncluding": "1.05",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-116:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B307E277-9C31-4D69-B4E2-4FE28B2E2AE3",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-512_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "41CAC2C7-FAC8-48DA-B28E-8112209B8898",
"versionEndIncluding": "2.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-512:-:*:*:*:*:*:*:*",
"matchCriteriaId": "90DE6771-50FB-492D-B931-193BB9286B52",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:d-link:dwr-711_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FE51A73E-AAA1-4FAB-8E98-FCB660C94DE3",
"versionEndIncluding": "1.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-711:-:*:*:*:*:*:*:*",
"matchCriteriaId": "26BAFD36-2C9A-4086-BF3E-79D7495E5D59",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-712_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EB35A612-8DBD-46BD-80C5-4CA982D414C6",
"versionEndIncluding": "2.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-712:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F45AFE88-4369-4CD5-BFC0-69AF3DF0A77A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-921_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "240D9593-9420-4513-9CDB-E4289491907B",
"versionEndIncluding": "1.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-921:-:*:*:*:*:*:*:*",
"matchCriteriaId": "43F0390E-B9E1-463A-A08C-B529778EE72F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dwr-921_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "98B01219-1B35-45CF-AD67-53E59C5A2C99",
"versionEndIncluding": "2.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dwr-921:-:*:*:*:*:*:*:*",
"matchCriteriaId": "43F0390E-B9E1-463A-A08C-B529778EE72F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "On D-Link DAP-1530 (A1) before firmware version 1.06b01, DAP-1610 (A1) before firmware version 1.06b01, DWR-111 (A1) before firmware version 1.02v02, DWR-116 (A1) before firmware version 1.06b03, DWR-512 (B1) before firmware version 2.02b01, DWR-711 (A1) through firmware version 1.11, DWR-712 (B1) before firmware version 2.04b01, DWR-921 (A1) before firmware version 1.02b01, and DWR-921 (B1) before firmware version 2.03b01, there exists an EXCU_SHELL file in the web directory. By sending a GET request with specially crafted headers to the /EXCU_SHELL URI, an attacker could execute arbitrary shell commands in the root context on the affected device. Other devices might be affected as well."
},
{
"lang": "es",
"value": "En D-Link DAP-1530 (A1) anterior a la versi\u00f3n de firmware 1.06b01, DAP-1610 (A1) anterior a la versi\u00f3n de firmware 1.06b01, DWR-111 (A1) anterior a la versi\u00f3n de firmware 1.02v02, DWR-116 (A1) anterior a la versi\u00f3n de firmware 1.06b03, DWR-512 (B1) anterior a la versi\u00f3n de firmware 2.02b01, DWR-711 (A1) hasta la versi\u00f3n de firmware 1.11, DWR-712 (B1) anterior a la versi\u00f3n de firmware 2.04b01, DWR-921 (A1) anterior a la versi\u00f3n de firmware 1.02b01, y DWR-921 (B1) anterior a la versi\u00f3n de firmware 2.03b01, existe un archivo EXCU_SHELL en el directorio web. Al enviar una petici\u00f3n GET con cabeceras especialmente dise\u00f1adas a la URI /EXCU_SHELL, un atacante podr\u00eda ejecutar comandos shell arbitrarios en el contexto ra\u00edz del dispositivo afectado. Otros dispositivos tambi\u00e9n pueden verse afectados."
}
],
"id": "CVE-2018-19300",
"lastModified": "2024-11-21T03:57:42.013",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-11T16:29:00.620",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://community.greenbone.net/t/cve-2018-19300-remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers/1772"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://eu.dlink.com/de/de/support/support-news/2019/march/19/remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.greenbone.net/en/serious-vulnerability-discovered-in-d-link-routers/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.greenbone.net/schwerwiegende-sicherheitsluecke-in-d-link-routern-entdeckt/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://community.greenbone.net/t/cve-2018-19300-remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers/1772"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://eu.dlink.com/de/de/support/support-news/2019/march/19/remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.greenbone.net/en/serious-vulnerability-discovered-in-d-link-routers/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.greenbone.net/schwerwiegende-sicherheitsluecke-in-d-link-routern-entdeckt/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
var-201810-0937
Vulnerability from variot
An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. The administrative password is stored in plaintext in the /tmp/csman/0 file. An attacker having a directory traversal (or LFI) can easily get full router access. plural D-Link The product contains an information disclosure vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. DWR-116, DIR-140, DIR-640, etc. are all D-Link router products. There are password plaintext storage vulnerabilities in multiple series of D-Link routers. D-Link DWR-116, etc. The following products and versions are affected: D-Link DWR-116 1.06 and earlier; DIR-140L 1.02 and earlier; DIR-640L 1.02 and earlier; DWR-512 2.02 and earlier; DWR-712 2.02 and earlier; DWR-912 2.02 and earlier; DWR-921 2.02 and earlier; DWR-111 1.01 and earlier. aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa MULTIPLE VULNERABILITIES IN D-LINK ROUTERS
Blazej Adamczyk (br0x)
blazej.adamczyk@gmail.com
http://sploit.tech/
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
12.10.2018
1 Directory Traversal in httpd server in several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aa
CVE: CVE-2018-10822
CVSS v3: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Directory traversal vulnerability in the web interface on D-Link routers: aC/ DWR-116 through 1.06, aC/ DIR-140L through 1.02, aC/ DIR-640L through 1.02, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware
allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request.
NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.
PoC: aaaaa a $ curl http://routerip/uir//etc/passwd aaaaa
The vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824
This vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash.
2 Password stored in plaintext in several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
CVE: CVE-2018-10824
An issue was discovered on D-Link routers: aC/ DWR-116 through 1.06, aC/ DIR-140L through 1.02, aC/ DIR-640L through 1.02, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware.
NOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple.
PoC using the directory traversal vulnerability disclosed at the same time - CVE-2018-10822
aaaaa a $ curl http://routerip/uir//tmp/XXX/0 aaaaa
This command returns a binary config file which contains admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability it is possible to read the file without authentication.
3 Shell command injection in httpd server of a several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaa
CVE: CVE-2018-10823
CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
An issue was discovered on D-Link routers: aC/ DWR-116 through 1.06, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware.
An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.
PoC: 1. 2. Request the following URL after login: aaaaa a $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20 %2Fetc%2Fpasswd aaaaa 3. See the passwd file contents in the response.
4 Exploiting all together aaaaaaaaaaaaaaaaaaaaaaaaa
CVSS v3: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Taking all the three together it is easy to gain full router control including arbitrary code execution.
Description with video: [http://sploit.tech/2018/10/12/D-Link.html]
5 Timeline aaaaaaaaaa
aC/ 09.05.2018 - vendor notified aC/ 06.06.2018 - asked vendor about the status because of long vendor response aC/ 22.06.2018 - received a reply that a patch will be released for DWR-116 and DWR-111, for the other devices which are EOL an announcement will be released aC/ 09.09.2018 - still no reply from vendor about the patches or announcement, I have warned the vendor that if I will not get a reply in a month I will publish the disclosure aC/ 12.10.2018 - disclosing the vulnerabilities
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201810-0937",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dir-640l",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.02"
},
{
"model": "dir-140l",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.02"
},
{
"model": "dwr-921",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "2.02"
},
{
"model": "dwr-111",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.01"
},
{
"model": "dwr-912",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "2.02"
},
{
"model": "dwr-116",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.06"
},
{
"model": "dwr-512",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "2.02"
},
{
"model": "dwr-712",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "2.02"
},
{
"model": "dir-140l",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "1.02"
},
{
"model": "dir-640l",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "1.02"
},
{
"model": "dwr-111",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "1.01"
},
{
"model": "dwr-116",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "1.06"
},
{
"model": "dwr-512",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-712",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-912",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-921",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-116",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "1.06"
},
{
"model": "dir-140l",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "1.02"
},
{
"model": "dir-640l",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "1.02"
},
{
"model": "dwr-512",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-712",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-912",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-921",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-111",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "1.01"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21068"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013711"
},
{
"db": "NVD",
"id": "CVE-2018-10824"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:d-link:dir-140l_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dir-640l_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-111_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-116_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-512_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-712_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-912_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-921_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-013711"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Blazej Adamczyk",
"sources": [
{
"db": "PACKETSTORM",
"id": "149844"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10824",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2018-10824",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-21068",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-120622",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2018-10824",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10824",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-10824",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2018-10824",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNVD",
"id": "CNVD-2018-21068",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201810-1014",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-120622",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21068"
},
{
"db": "VULHUB",
"id": "VHN-120622"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013711"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1014"
},
{
"db": "NVD",
"id": "CVE-2018-10824"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. The administrative password is stored in plaintext in the /tmp/csman/0 file. An attacker having a directory traversal (or LFI) can easily get full router access. plural D-Link The product contains an information disclosure vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. DWR-116, DIR-140, DIR-640, etc. are all D-Link router products. There are password plaintext storage vulnerabilities in multiple series of D-Link routers. D-Link DWR-116, etc. The following products and versions are affected: D-Link DWR-116 1.06 and earlier; DIR-140L 1.02 and earlier; DIR-640L 1.02 and earlier; DWR-512 2.02 and earlier; DWR-712 2.02 and earlier; DWR-912 2.02 and earlier; DWR-921 2.02 and earlier; DWR-111 1.01 and earlier. aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n MULTIPLE VULNERABILITIES IN D-LINK ROUTERS\n\n\n Blazej Adamczyk (br0x)\n blazej.adamczyk@gmail.com\n http://sploit.tech/\n aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n\n\n 12.10.2018\n\n\n1 Directory Traversal in httpd server in several series of D-Link\nrouters\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naa\n\n CVE: CVE-2018-10822\n\n CVSS v3: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n Directory traversal vulnerability in the web interface on D-Link\n routers:\n aC/ DWR-116 through 1.06,\n aC/ DIR-140L through 1.02,\n aC/ DIR-640L through 1.02,\n aC/ DWR-512 through 2.02,\n aC/ DWR-712 through 2.02,\n aC/ DWR-912 through 2.02,\n aC/ DWR-921 through 2.02,\n aC/ DWR-111 through 1.01,\n aC/ and probably others with the same type of firmware\n\n allows remote attackers to read arbitrary files via a /.. or // after\n \"GET /uir\" in an HTTP request. \n\n NOTE: this vulnerability exists because of an incorrect fix for\n CVE-2017-6190. \n\n PoC:\n aaaaa\n a $ curl http://routerip/uir//etc/passwd\n aaaaa\n\n The vulnerability can be used retrieve administrative password using\n the other disclosed vulnerability - CVE-2018-10824\n\n This vulnerability was reported previously by Patryk Bogdan in\n CVE-2017-6190 but he reported it is fixed in certain release but\n unfortunately it is still present in even newer releases. The\n vulnerability is also present in other D-Link routers and can be\n exploited not only (as the original author stated) by double dot but\n also absolutely using double slash. \n\n\n2 Password stored in plaintext in several series of D-Link routers\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n\n CVE: CVE-2018-10824\n\n An issue was discovered on D-Link routers:\n aC/ DWR-116 through 1.06,\n aC/ DIR-140L through 1.02,\n aC/ DIR-640L through 1.02,\n aC/ DWR-512 through 2.02,\n aC/ DWR-712 through 2.02,\n aC/ DWR-912 through 2.02,\n aC/ DWR-921 through 2.02,\n aC/ DWR-111 through 1.01,\n aC/ and probably others with the same type of firmware. \n\n NOTE: I have changed the filename in description to XXX because the\n vendor leaves some EOL routers unpatched and the attack is too\nsimple. \n\n PoC using the directory traversal vulnerability disclosed at the same\n time - CVE-2018-10822\n\n aaaaa\n a $ curl http://routerip/uir//tmp/XXX/0\n aaaaa\n\n This command returns a binary config file which contains admin\n username and password as well as many other router configuration\n settings. By using the directory traversal vulnerability it is\n possible to read the file without authentication. \n\n\n3 Shell command injection in httpd server of a several series of D-Link \nrouters\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naaaaaaaa\n\n CVE: CVE-2018-10823\n\n CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)\n\n An issue was discovered on D-Link routers:\n aC/ DWR-116 through 1.06,\n aC/ DWR-512 through 2.02,\n aC/ DWR-712 through 2.02,\n aC/ DWR-912 through 2.02,\n aC/ DWR-921 through 2.02,\n aC/ DWR-111 through 1.01,\n aC/ and probably others with the same type of firmware. \n\n An authenticated attacker may execute arbitrary code by injecting the\n shell command into the chkisg.htm page Sip parameter. This allows for\n full control over the device internals. \n\n PoC:\n 1. \n 2. Request the following URL after login:\n aaaaa\n a $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20\n%2Fetc%2Fpasswd\n aaaaa\n 3. See the passwd file contents in the response. \n\n\n4 Exploiting all together\naaaaaaaaaaaaaaaaaaaaaaaaa\n\n CVSS v3: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n Taking all the three together it is easy to gain full router control\n including arbitrary code execution. \n\n Description with video: [http://sploit.tech/2018/10/12/D-Link.html]\n\n\n5 Timeline\naaaaaaaaaa\n\n aC/ 09.05.2018 - vendor notified\n aC/ 06.06.2018 - asked vendor about the status because of long vendor\n response\n aC/ 22.06.2018 - received a reply that a patch will be released for\n DWR-116 and DWR-111, for the other devices which are EOL an\n announcement will be released\n aC/ 09.09.2018 - still no reply from vendor about the patches or\n announcement, I have warned the vendor that if I will not get a\n reply in a month I will publish the disclosure\n aC/ 12.10.2018 - disclosing the vulnerabilities\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10824"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013711"
},
{
"db": "CNVD",
"id": "CNVD-2018-21068"
},
{
"db": "VULHUB",
"id": "VHN-120622"
},
{
"db": "PACKETSTORM",
"id": "149844"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10824",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013711",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1014",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2018-21068",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120622",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149844",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21068"
},
{
"db": "VULHUB",
"id": "VHN-120622"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013711"
},
{
"db": "PACKETSTORM",
"id": "149844"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1014"
},
{
"db": "NVD",
"id": "CVE-2018-10824"
}
]
},
"id": "VAR-201810-0937",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21068"
},
{
"db": "VULHUB",
"id": "VHN-120622"
}
],
"trust": 1.3574404912499998
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS",
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21068"
}
]
},
"last_update_date": "2024-11-23T22:59:19.802000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.dlink.lt/en/"
},
{
"title": "D-Link Router Password Plaintext Storage Vulnerability Patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/142549"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21068"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013711"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-22",
"trust": 1.1
},
{
"problemtype": "CWE-522",
"trust": 1.1
},
{
"problemtype": "CWE-200",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120622"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013711"
},
{
"db": "NVD",
"id": "CVE-2018-10824"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://sploit.tech/2018/10/12/d-link.html"
},
{
"trust": 2.3,
"url": "https://seclists.org/fulldisclosure/2018/oct/36"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10824"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10824"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-6190"
},
{
"trust": 0.1,
"url": "http://routerip/uir//tmp/xxx/0"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10822"
},
{
"trust": 0.1,
"url": "http://sploit.tech/"
},
{
"trust": 0.1,
"url": "http://routerip/uir//etc/passwd"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10823"
},
{
"trust": 0.1,
"url": "http://sploit.tech/2018/10/12/d-link.html]"
},
{
"trust": 0.1,
"url": "http://routerip/chkisg.htm%3fsip%3d1.1.1.1%20%7c%20cat%20"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21068"
},
{
"db": "VULHUB",
"id": "VHN-120622"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013711"
},
{
"db": "PACKETSTORM",
"id": "149844"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1014"
},
{
"db": "NVD",
"id": "CVE-2018-10824"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-21068"
},
{
"db": "VULHUB",
"id": "VHN-120622"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013711"
},
{
"db": "PACKETSTORM",
"id": "149844"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1014"
},
{
"db": "NVD",
"id": "CVE-2018-10824"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-21068"
},
{
"date": "2018-10-17T00:00:00",
"db": "VULHUB",
"id": "VHN-120622"
},
{
"date": "2019-02-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-013711"
},
{
"date": "2018-10-18T03:47:09",
"db": "PACKETSTORM",
"id": "149844"
},
{
"date": "2018-10-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-1014"
},
{
"date": "2018-10-17T14:29:00.930000",
"db": "NVD",
"id": "CVE-2018-10824"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-21068"
},
{
"date": "2019-10-03T00:00:00",
"db": "VULHUB",
"id": "VHN-120622"
},
{
"date": "2019-02-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-013711"
},
{
"date": "2019-10-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-1014"
},
{
"date": "2024-11-21T03:42:05.830000",
"db": "NVD",
"id": "CVE-2018-10824"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-1014"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural D-Link Information disclosure vulnerability in products",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-013711"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "information disclosure",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-1014"
}
],
"trust": 0.6
}
}
var-201810-0934
Vulnerability from variot
Directory traversal vulnerability in the web interface on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190. plural D-Link The product contains a path traversal vulnerability. DWR-116, DIR-140, DIR-640, etc. are all D-Link router products. D-Link DWR-116, etc. The following products and versions are affected: D-Link DWR-116 1.06 and earlier; DIR-140L 1.02 and earlier; DIR-640L 1.02 and earlier; DWR-512 2.02 and earlier; DWR-712 2.02 and earlier; DWR-912 2.02 and earlier; DWR-921 2.02 and earlier; DWR-111 1.01 and earlier.
PoC: aaaaa a $ curl http://routerip/uir//etc/passwd aaaaa
The vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824
This vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash.
2 Password stored in plaintext in several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
CVE: CVE-2018-10824
An issue was discovered on D-Link routers: aC/ DWR-116 through 1.06, aC/ DIR-140L through 1.02, aC/ DIR-640L through 1.02, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware.
NOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple.
The administrative password is stored in plaintext in the /tmp/XXX/0 file.
PoC using the directory traversal vulnerability disclosed at the same time - CVE-2018-10822
aaaaa a $ curl http://routerip/uir//tmp/XXX/0 aaaaa
This command returns a binary config file which contains admin username and password as well as many other router configuration settings.
3 Shell command injection in httpd server of a several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaa
CVE: CVE-2018-10823
CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
An issue was discovered on D-Link routers: aC/ DWR-116 through 1.06, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware.
An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.
PoC: 1. 2. Request the following URL after login: aaaaa a $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20 %2Fetc%2Fpasswd aaaaa 3. See the passwd file contents in the response.
4 Exploiting all together aaaaaaaaaaaaaaaaaaaaaaaaa
CVSS v3: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Taking all the three together it is easy to gain full router control including arbitrary code execution.
Description with video: [http://sploit.tech/2018/10/12/D-Link.html]
5 Timeline aaaaaaaaaa
aC/ 09.05.2018 - vendor notified aC/ 06.06.2018 - asked vendor about the status because of long vendor response aC/ 22.06.2018 - received a reply that a patch will be released for DWR-116 and DWR-111, for the other devices which are EOL an announcement will be released aC/ 09.09.2018 - still no reply from vendor about the patches or announcement, I have warned the vendor that if I will not get a reply in a month I will publish the disclosure aC/ 12.10.2018 - disclosing the vulnerabilities
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201810-0934",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dir-640l",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.02"
},
{
"model": "dir-140l",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.02"
},
{
"model": "dwr-921",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "2.02"
},
{
"model": "dwr-111",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.01"
},
{
"model": "dwr-912",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "2.02"
},
{
"model": "dwr-116",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.06"
},
{
"model": "dwr-512",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "2.02"
},
{
"model": "dwr-712",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "2.02"
},
{
"model": "dir-140l",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "1.02"
},
{
"model": "dir-640l",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "1.02"
},
{
"model": "dwr-111",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "1.01"
},
{
"model": "dwr-116",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "1.06"
},
{
"model": "dwr-512",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-712",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-912",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-921",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-116",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "1.06"
},
{
"model": "dir-140l",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "1.02"
},
{
"model": "dir-640l",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "1.02"
},
{
"model": "dwr-512",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-712",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-912",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-921",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-111",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "1.01"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21069"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013709"
},
{
"db": "NVD",
"id": "CVE-2018-10822"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:d-link:dir-140l_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dir-640l_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-111_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-116_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-512_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-712_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-912_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-921_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-013709"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Blazej Adamczyk",
"sources": [
{
"db": "PACKETSTORM",
"id": "149844"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10822",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2018-10822",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-21069",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-120620",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2018-10822",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10822",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-10822",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2018-10822",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2018-21069",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201810-1016",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-120620",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-10822",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21069"
},
{
"db": "VULHUB",
"id": "VHN-120620"
},
{
"db": "VULMON",
"id": "CVE-2018-10822"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013709"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1016"
},
{
"db": "NVD",
"id": "CVE-2018-10822"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Directory traversal vulnerability in the web interface on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices allows remote attackers to read arbitrary files via a /.. or // after \"GET /uir\" in an HTTP request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190. plural D-Link The product contains a path traversal vulnerability. DWR-116, DIR-140, DIR-640, etc. are all D-Link router products. D-Link DWR-116, etc. The following products and versions are affected: D-Link DWR-116 1.06 and earlier; DIR-140L 1.02 and earlier; DIR-640L 1.02 and earlier; DWR-512 2.02 and earlier; DWR-712 2.02 and earlier; DWR-912 2.02 and earlier; DWR-921 2.02 and earlier; DWR-111 1.01 and earlier. \n\n PoC:\n aaaaa\n a $ curl http://routerip/uir//etc/passwd\n aaaaa\n\n The vulnerability can be used retrieve administrative password using\n the other disclosed vulnerability - CVE-2018-10824\n\n This vulnerability was reported previously by Patryk Bogdan in\n CVE-2017-6190 but he reported it is fixed in certain release but\n unfortunately it is still present in even newer releases. The\n vulnerability is also present in other D-Link routers and can be\n exploited not only (as the original author stated) by double dot but\n also absolutely using double slash. \n\n\n2 Password stored in plaintext in several series of D-Link routers\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n\n CVE: CVE-2018-10824\n\n An issue was discovered on D-Link routers:\n aC/ DWR-116 through 1.06,\n aC/ DIR-140L through 1.02,\n aC/ DIR-640L through 1.02,\n aC/ DWR-512 through 2.02,\n aC/ DWR-712 through 2.02,\n aC/ DWR-912 through 2.02,\n aC/ DWR-921 through 2.02,\n aC/ DWR-111 through 1.01,\n aC/ and probably others with the same type of firmware. \n\n NOTE: I have changed the filename in description to XXX because the\n vendor leaves some EOL routers unpatched and the attack is too\nsimple. \n\n The administrative password is stored in plaintext in the /tmp/XXX/0\n file. \n\n PoC using the directory traversal vulnerability disclosed at the same\n time - CVE-2018-10822\n\n aaaaa\n a $ curl http://routerip/uir//tmp/XXX/0\n aaaaa\n\n This command returns a binary config file which contains admin\n username and password as well as many other router configuration\n settings. \n\n\n3 Shell command injection in httpd server of a several series of D-Link \nrouters\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naaaaaaaa\n\n CVE: CVE-2018-10823\n\n CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)\n\n An issue was discovered on D-Link routers:\n aC/ DWR-116 through 1.06,\n aC/ DWR-512 through 2.02,\n aC/ DWR-712 through 2.02,\n aC/ DWR-912 through 2.02,\n aC/ DWR-921 through 2.02,\n aC/ DWR-111 through 1.01,\n aC/ and probably others with the same type of firmware. \n\n An authenticated attacker may execute arbitrary code by injecting the\n shell command into the chkisg.htm page Sip parameter. This allows for\n full control over the device internals. \n\n PoC:\n 1. \n 2. Request the following URL after login:\n aaaaa\n a $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20\n%2Fetc%2Fpasswd\n aaaaa\n 3. See the passwd file contents in the response. \n\n\n4 Exploiting all together\naaaaaaaaaaaaaaaaaaaaaaaaa\n\n CVSS v3: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n Taking all the three together it is easy to gain full router control\n including arbitrary code execution. \n\n Description with video: [http://sploit.tech/2018/10/12/D-Link.html]\n\n\n5 Timeline\naaaaaaaaaa\n\n aC/ 09.05.2018 - vendor notified\n aC/ 06.06.2018 - asked vendor about the status because of long vendor\n response\n aC/ 22.06.2018 - received a reply that a patch will be released for\n DWR-116 and DWR-111, for the other devices which are EOL an\n announcement will be released\n aC/ 09.09.2018 - still no reply from vendor about the patches or\n announcement, I have warned the vendor that if I will not get a\n reply in a month I will publish the disclosure\n aC/ 12.10.2018 - disclosing the vulnerabilities\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10822"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013709"
},
{
"db": "CNVD",
"id": "CNVD-2018-21069"
},
{
"db": "VULHUB",
"id": "VHN-120620"
},
{
"db": "VULMON",
"id": "CVE-2018-10822"
},
{
"db": "PACKETSTORM",
"id": "149844"
}
],
"trust": 2.43
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10822",
"trust": 3.3
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013709",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1016",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2018-21069",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120620",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10822",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149844",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21069"
},
{
"db": "VULHUB",
"id": "VHN-120620"
},
{
"db": "VULMON",
"id": "CVE-2018-10822"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013709"
},
{
"db": "PACKETSTORM",
"id": "149844"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1016"
},
{
"db": "NVD",
"id": "CVE-2018-10822"
}
]
},
"id": "VAR-201810-0934",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21069"
},
{
"db": "VULHUB",
"id": "VHN-120620"
}
],
"trust": 1.3574404912499998
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS",
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21069"
}
]
},
"last_update_date": "2024-11-23T22:59:19.845000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.dlink.lt/en/"
},
{
"title": "D-Link router httpdserver directory traversal vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/142543"
},
{
"title": "Kenzer Templates [5170] [DEPRECATED]",
"trust": 0.1,
"url": "https://github.com/ARPSyndicate/kenzer-templates "
},
{
"title": "The Register",
"trust": 0.1,
"url": "https://www.theregister.co.uk/2018/10/17/dlink_security_flaws/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21069"
},
{
"db": "VULMON",
"id": "CVE-2018-10822"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013709"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-22",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120620"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013709"
},
{
"db": "NVD",
"id": "CVE-2018-10822"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "http://sploit.tech/2018/10/12/d-link.html"
},
{
"trust": 2.5,
"url": "https://seclists.org/fulldisclosure/2018/oct/36"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10822"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10822"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/22.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/arpsyndicate/kenzer-templates"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-6190"
},
{
"trust": 0.1,
"url": "http://routerip/uir//tmp/xxx/0"
},
{
"trust": 0.1,
"url": "http://sploit.tech/"
},
{
"trust": 0.1,
"url": "http://routerip/uir//etc/passwd"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10824"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10823"
},
{
"trust": 0.1,
"url": "http://sploit.tech/2018/10/12/d-link.html]"
},
{
"trust": 0.1,
"url": "http://routerip/chkisg.htm%3fsip%3d1.1.1.1%20%7c%20cat%20"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21069"
},
{
"db": "VULHUB",
"id": "VHN-120620"
},
{
"db": "VULMON",
"id": "CVE-2018-10822"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013709"
},
{
"db": "PACKETSTORM",
"id": "149844"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1016"
},
{
"db": "NVD",
"id": "CVE-2018-10822"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-21069"
},
{
"db": "VULHUB",
"id": "VHN-120620"
},
{
"db": "VULMON",
"id": "CVE-2018-10822"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013709"
},
{
"db": "PACKETSTORM",
"id": "149844"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1016"
},
{
"db": "NVD",
"id": "CVE-2018-10822"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-21069"
},
{
"date": "2018-10-17T00:00:00",
"db": "VULHUB",
"id": "VHN-120620"
},
{
"date": "2018-10-17T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10822"
},
{
"date": "2019-02-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-013709"
},
{
"date": "2018-10-18T03:47:09",
"db": "PACKETSTORM",
"id": "149844"
},
{
"date": "2018-10-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-1016"
},
{
"date": "2018-10-17T14:29:00.663000",
"db": "NVD",
"id": "CVE-2018-10822"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-21069"
},
{
"date": "2019-01-23T00:00:00",
"db": "VULHUB",
"id": "VHN-120620"
},
{
"date": "2023-11-08T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10822"
},
{
"date": "2019-02-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-013709"
},
{
"date": "2019-02-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-1016"
},
{
"date": "2024-11-21T03:42:05.497000",
"db": "NVD",
"id": "CVE-2018-10822"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-1016"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural D-Link Product vulnerable to path traversal",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-013709"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "path traversal",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-1016"
}
],
"trust": 0.6
}
}
var-201904-1055
Vulnerability from variot
On D-Link DAP-1530 (A1) before firmware version 1.06b01, DAP-1610 (A1) before firmware version 1.06b01, DWR-111 (A1) before firmware version 1.02v02, DWR-116 (A1) before firmware version 1.06b03, DWR-512 (B1) before firmware version 2.02b01, DWR-711 (A1) through firmware version 1.11, DWR-712 (B1) before firmware version 2.04b01, DWR-921 (A1) before firmware version 1.02b01, and DWR-921 (B1) before firmware version 2.03b01, there exists an EXCU_SHELL file in the web directory. By sending a GET request with specially crafted headers to the /EXCU_SHELL URI, an attacker could execute arbitrary shell commands in the root context on the affected device. Other devices might be affected as well. plural D-Link The product contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. D-Link DAP-1530 and other products are products of Taiwan D-Link. D-Link DAP-1530 is a wireless signal expander. D-Link DAP-1610 is a wireless signal expander. D-Link DWR-111 is a wireless router.
There are security holes in several D-Link products. D-Link DAP-1530, etc
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201904-1055",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dwr-111",
"scope": "lt",
"trust": 1.4,
"vendor": "d link",
"version": "1.02v02"
},
{
"model": "dwr-711",
"scope": "lte",
"trust": 1.0,
"vendor": "d link",
"version": "1.11"
},
{
"model": "dwr-116",
"scope": "eq",
"trust": 1.0,
"vendor": "d link",
"version": "1.06"
},
{
"model": "dwr-921",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "2.02"
},
{
"model": "dwr-111",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.01"
},
{
"model": "dap-1610",
"scope": "lte",
"trust": 1.0,
"vendor": "d link",
"version": "1.05"
},
{
"model": "dwr-712",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "2.02"
},
{
"model": "dwr-921",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.02"
},
{
"model": "dap-1530",
"scope": "lte",
"trust": 1.0,
"vendor": "d link",
"version": "1.05"
},
{
"model": "dwr-116",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.05"
},
{
"model": "dwr-512",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "2.02"
},
{
"model": "dap-1530",
"scope": "lt",
"trust": 0.8,
"vendor": "d link",
"version": "1.06b01"
},
{
"model": "dap-1610",
"scope": "lt",
"trust": 0.8,
"vendor": "d link",
"version": "1.06b01"
},
{
"model": "dwr-116",
"scope": "lt",
"trust": 0.8,
"vendor": "d link",
"version": "1.06b03"
},
{
"model": "dwr-512",
"scope": "lt",
"trust": 0.8,
"vendor": "d link",
"version": "2.02b01"
},
{
"model": "dwr-711",
"scope": "lt",
"trust": 0.8,
"vendor": "d link",
"version": "1.11"
},
{
"model": "dwr-712",
"scope": "lt",
"trust": 0.8,
"vendor": "d link",
"version": "2.04b01"
},
{
"model": "dwr-921",
"scope": "lt",
"trust": 0.8,
"vendor": "d link",
"version": "1.02b01"
},
{
"model": "dwr-921",
"scope": "lt",
"trust": 0.8,
"vendor": "d link",
"version": "2.03b01"
},
{
"model": "dap-1530 \u003c1.06b01",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
},
{
"model": "dap-1610 \u003c1.06b01",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
},
{
"model": "dwr-116 \u003c1.06b03",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
},
{
"model": "dwr-512 \u003c2.02b01",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
},
{
"model": "dwr-711",
"scope": "lte",
"trust": 0.6,
"vendor": "d link",
"version": "\u003c=1.11"
},
{
"model": "dwr-712 \u003c2.04b01",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
},
{
"model": "dwr-921 \u003c1.02b01",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
},
{
"model": "dwr-921 \u003c2.03b01",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39422"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015245"
},
{
"db": "NVD",
"id": "CVE-2018-19300"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:d-link:dap-1530_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dap-1610_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-111_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-116_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-512_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-711_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-712_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-921_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015245"
}
]
},
"cve": "CVE-2018-19300",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CVE-2018-19300",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2019-39422",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-129946",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2018-19300",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-19300",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2018-19300",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNVD",
"id": "CNVD-2019-39422",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201904-576",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-129946",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-19300",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39422"
},
{
"db": "VULHUB",
"id": "VHN-129946"
},
{
"db": "VULMON",
"id": "CVE-2018-19300"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015245"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-576"
},
{
"db": "NVD",
"id": "CVE-2018-19300"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "On D-Link DAP-1530 (A1) before firmware version 1.06b01, DAP-1610 (A1) before firmware version 1.06b01, DWR-111 (A1) before firmware version 1.02v02, DWR-116 (A1) before firmware version 1.06b03, DWR-512 (B1) before firmware version 2.02b01, DWR-711 (A1) through firmware version 1.11, DWR-712 (B1) before firmware version 2.04b01, DWR-921 (A1) before firmware version 1.02b01, and DWR-921 (B1) before firmware version 2.03b01, there exists an EXCU_SHELL file in the web directory. By sending a GET request with specially crafted headers to the /EXCU_SHELL URI, an attacker could execute arbitrary shell commands in the root context on the affected device. Other devices might be affected as well. plural D-Link The product contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. D-Link DAP-1530 and other products are products of Taiwan D-Link. D-Link DAP-1530 is a wireless signal expander. D-Link DAP-1610 is a wireless signal expander. D-Link DWR-111 is a wireless router. \n\nThere are security holes in several D-Link products. D-Link DAP-1530, etc",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-19300"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015245"
},
{
"db": "CNVD",
"id": "CNVD-2019-39422"
},
{
"db": "VULHUB",
"id": "VHN-129946"
},
{
"db": "VULMON",
"id": "CVE-2018-19300"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-19300",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015245",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201904-576",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-39422",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-129946",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-19300",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39422"
},
{
"db": "VULHUB",
"id": "VHN-129946"
},
{
"db": "VULMON",
"id": "CVE-2018-19300"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015245"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-576"
},
{
"db": "NVD",
"id": "CVE-2018-19300"
}
]
},
"id": "VAR-201904-1055",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39422"
},
{
"db": "VULHUB",
"id": "VHN-129946"
}
],
"trust": 1.3561224614285714
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39422"
}
]
},
"last_update_date": "2024-11-23T22:30:02.744000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Schwachstelle durch Command Execution in D-ink DWR und DAP Routern (/EXCU_SHELL)",
"trust": 0.8,
"url": "https://eu.dlink.com/de/de/support/support-news/2019/march/19/remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers"
},
{
"title": "Patch for Multiple D-Link Products Input Validation Error Vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/188963"
},
{
"title": "Multiple D-Link Product security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91388"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39422"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015245"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-576"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-20",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-129946"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015245"
},
{
"db": "NVD",
"id": "CVE-2018-19300"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://eu.dlink.com/de/de/support/support-news/2019/march/19/remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers"
},
{
"trust": 1.8,
"url": "https://community.greenbone.net/t/cve-2018-19300-remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers/1772"
},
{
"trust": 1.8,
"url": "https://www.greenbone.net/en/serious-vulnerability-discovered-in-d-link-routers/"
},
{
"trust": 1.8,
"url": "https://www.greenbone.net/schwerwiegende-sicherheitsluecke-in-d-link-routern-entdeckt/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-19300"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-19300"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39422"
},
{
"db": "VULHUB",
"id": "VHN-129946"
},
{
"db": "VULMON",
"id": "CVE-2018-19300"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015245"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-576"
},
{
"db": "NVD",
"id": "CVE-2018-19300"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-39422"
},
{
"db": "VULHUB",
"id": "VHN-129946"
},
{
"db": "VULMON",
"id": "CVE-2018-19300"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015245"
},
{
"db": "CNNVD",
"id": "CNNVD-201904-576"
},
{
"db": "NVD",
"id": "CVE-2018-19300"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-11-06T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-39422"
},
{
"date": "2019-04-11T00:00:00",
"db": "VULHUB",
"id": "VHN-129946"
},
{
"date": "2019-04-11T00:00:00",
"db": "VULMON",
"id": "CVE-2018-19300"
},
{
"date": "2019-05-16T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015245"
},
{
"date": "2019-04-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201904-576"
},
{
"date": "2019-04-11T16:29:00.620000",
"db": "NVD",
"id": "CVE-2018-19300"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-11-06T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-39422"
},
{
"date": "2019-04-12T00:00:00",
"db": "VULHUB",
"id": "VHN-129946"
},
{
"date": "2023-04-26T00:00:00",
"db": "VULMON",
"id": "CVE-2018-19300"
},
{
"date": "2019-05-16T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015245"
},
{
"date": "2019-04-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201904-576"
},
{
"date": "2024-11-21T03:57:42.013000",
"db": "NVD",
"id": "CVE-2018-19300"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201904-576"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural D-Link Vulnerability related to input validation in products",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015245"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201904-576"
}
],
"trust": 0.6
}
}
var-201810-0936
Vulnerability from variot
An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals. plural D-Link The product contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. DWR-116, DIR-140, DIR-640, etc. are all D-Link router products. There are shell command injection vulnerabilities in multiple series of http-servers of D-Link routers. D-Link DWR-116, etc. The following products and versions are affected: D-Link DWR-116 1.06 and earlier; DWR-512 2.02 and earlier; DWR-712 2.02 and earlier; DWR-912 2.02 and earlier; DWR-921 2.02 and earlier; DWR-111 1.01 and earlier versions. An issue exists on D-Link DWR-116 up to and including 1.06, DWR-512 up to and including 2.02, DWR-712 up to and including 2.02, DWR-912 up to and including 2.02, DWR-921 up to and including 2.02, and DWR-111 up to and including 1.01 devices. aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa MULTIPLE VULNERABILITIES IN D-LINK ROUTERS
Blazej Adamczyk (br0x)
blazej.adamczyk@gmail.com
http://sploit.tech/
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
12.10.2018
1 Directory Traversal in httpd server in several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aa
CVE: CVE-2018-10822
CVSS v3: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Directory traversal vulnerability in the web interface on D-Link routers: aC/ DWR-116 through 1.06, aC/ DIR-140L through 1.02, aC/ DIR-640L through 1.02, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware
allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request.
NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.
PoC: aaaaa a $ curl http://routerip/uir//etc/passwd aaaaa
The vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824
This vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash.
2 Password stored in plaintext in several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
CVE: CVE-2018-10824
An issue was discovered on D-Link routers: aC/ DWR-116 through 1.06, aC/ DIR-140L through 1.02, aC/ DIR-640L through 1.02, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware.
NOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple.
The administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.
PoC using the directory traversal vulnerability disclosed at the same time - CVE-2018-10822
aaaaa a $ curl http://routerip/uir//tmp/XXX/0 aaaaa
This command returns a binary config file which contains admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability it is possible to read the file without authentication.
3 Shell command injection in httpd server of a several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaa
CVE: CVE-2018-10823
CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
An issue was discovered on D-Link routers: aC/ DWR-116 through 1.06, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware.
PoC: 1. 2. Request the following URL after login: aaaaa a $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20 %2Fetc%2Fpasswd aaaaa 3. See the passwd file contents in the response.
4 Exploiting all together aaaaaaaaaaaaaaaaaaaaaaaaa
CVSS v3: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Taking all the three together it is easy to gain full router control including arbitrary code execution.
Description with video: [http://sploit.tech/2018/10/12/D-Link.html]
5 Timeline aaaaaaaaaa
aC/ 09.05.2018 - vendor notified aC/ 06.06.2018 - asked vendor about the status because of long vendor response aC/ 22.06.2018 - received a reply that a patch will be released for DWR-116 and DWR-111, for the other devices which are EOL an announcement will be released aC/ 09.09.2018 - still no reply from vendor about the patches or announcement, I have warned the vendor that if I will not get a reply in a month I will publish the disclosure aC/ 12.10.2018 - disclosing the vulnerabilities
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201810-0936",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dwr-912",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "2.02"
},
{
"model": "dwr-116",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.06"
},
{
"model": "dwr-512",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "2.02"
},
{
"model": "dwr-111",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.01"
},
{
"model": "dwr-111",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "1.01"
},
{
"model": "dwr-116",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "1.06"
},
{
"model": "dwr-512",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-912",
"scope": "lte",
"trust": 0.8,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-116",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "1.06"
},
{
"model": "dir-140l",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "1.02"
},
{
"model": "dir-640l",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "1.02"
},
{
"model": "dwr-512",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-712",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-912",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-921",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "2.02"
},
{
"model": "dwr-111",
"scope": "lt",
"trust": 0.6,
"vendor": "d link",
"version": "1.01"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21067"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013710"
},
{
"db": "NVD",
"id": "CVE-2018-10823"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:d-link:dwr-111_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-116_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-512_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwr-912_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-013710"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Blazej Adamczyk",
"sources": [
{
"db": "PACKETSTORM",
"id": "149844"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10823",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"id": "CVE-2018-10823",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-21067",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"id": "VHN-120621",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2018-10823",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10823",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-10823",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2018-10823",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2018-21067",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201810-1015",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-120621",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-10823",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21067"
},
{
"db": "VULHUB",
"id": "VHN-120621"
},
{
"db": "VULMON",
"id": "CVE-2018-10823"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013710"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1015"
},
{
"db": "NVD",
"id": "CVE-2018-10823"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals. plural D-Link The product contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. DWR-116, DIR-140, DIR-640, etc. are all D-Link router products. There are shell command injection vulnerabilities in multiple series of http-servers of D-Link routers. D-Link DWR-116, etc. The following products and versions are affected: D-Link DWR-116 1.06 and earlier; DWR-512 2.02 and earlier; DWR-712 2.02 and earlier; DWR-912 2.02 and earlier; DWR-921 2.02 and earlier; DWR-111 1.01 and earlier versions. An issue exists on D-Link DWR-116 up to and including 1.06, DWR-512 up to and including 2.02, DWR-712 up to and including 2.02, DWR-912 up to and including 2.02, DWR-921 up to and including 2.02, and DWR-111 up to and including 1.01 devices. aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n MULTIPLE VULNERABILITIES IN D-LINK ROUTERS\n\n\n Blazej Adamczyk (br0x)\n blazej.adamczyk@gmail.com\n http://sploit.tech/\n aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n\n\n 12.10.2018\n\n\n1 Directory Traversal in httpd server in several series of D-Link\nrouters\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naa\n\n CVE: CVE-2018-10822\n\n CVSS v3: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)\n\n Directory traversal vulnerability in the web interface on D-Link\n routers:\n aC/ DWR-116 through 1.06,\n aC/ DIR-140L through 1.02,\n aC/ DIR-640L through 1.02,\n aC/ DWR-512 through 2.02,\n aC/ DWR-712 through 2.02,\n aC/ DWR-912 through 2.02,\n aC/ DWR-921 through 2.02,\n aC/ DWR-111 through 1.01,\n aC/ and probably others with the same type of firmware\n\n allows remote attackers to read arbitrary files via a /.. or // after\n \"GET /uir\" in an HTTP request. \n\n NOTE: this vulnerability exists because of an incorrect fix for\n CVE-2017-6190. \n\n PoC:\n aaaaa\n a $ curl http://routerip/uir//etc/passwd\n aaaaa\n\n The vulnerability can be used retrieve administrative password using\n the other disclosed vulnerability - CVE-2018-10824\n\n This vulnerability was reported previously by Patryk Bogdan in\n CVE-2017-6190 but he reported it is fixed in certain release but\n unfortunately it is still present in even newer releases. The\n vulnerability is also present in other D-Link routers and can be\n exploited not only (as the original author stated) by double dot but\n also absolutely using double slash. \n\n\n2 Password stored in plaintext in several series of D-Link routers\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n\n CVE: CVE-2018-10824\n\n An issue was discovered on D-Link routers:\n aC/ DWR-116 through 1.06,\n aC/ DIR-140L through 1.02,\n aC/ DIR-640L through 1.02,\n aC/ DWR-512 through 2.02,\n aC/ DWR-712 through 2.02,\n aC/ DWR-912 through 2.02,\n aC/ DWR-921 through 2.02,\n aC/ DWR-111 through 1.01,\n aC/ and probably others with the same type of firmware. \n\n NOTE: I have changed the filename in description to XXX because the\n vendor leaves some EOL routers unpatched and the attack is too\nsimple. \n\n The administrative password is stored in plaintext in the /tmp/XXX/0\n file. An attacker having a directory traversal (or LFI) can easily\nget\n full router access. \n\n PoC using the directory traversal vulnerability disclosed at the same\n time - CVE-2018-10822\n\n aaaaa\n a $ curl http://routerip/uir//tmp/XXX/0\n aaaaa\n\n This command returns a binary config file which contains admin\n username and password as well as many other router configuration\n settings. By using the directory traversal vulnerability it is\n possible to read the file without authentication. \n\n\n3 Shell command injection in httpd server of a several series of D-Link \nrouters\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\naaaaaaaa\n\n CVE: CVE-2018-10823\n\n CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)\n\n An issue was discovered on D-Link routers:\n aC/ DWR-116 through 1.06,\n aC/ DWR-512 through 2.02,\n aC/ DWR-712 through 2.02,\n aC/ DWR-912 through 2.02,\n aC/ DWR-921 through 2.02,\n aC/ DWR-111 through 1.01,\n aC/ and probably others with the same type of firmware. \n\n PoC:\n 1. \n 2. Request the following URL after login:\n aaaaa\n a $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20\n%2Fetc%2Fpasswd\n aaaaa\n 3. See the passwd file contents in the response. \n\n\n4 Exploiting all together\naaaaaaaaaaaaaaaaaaaaaaaaa\n\n CVSS v3: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n Taking all the three together it is easy to gain full router control\n including arbitrary code execution. \n\n Description with video: [http://sploit.tech/2018/10/12/D-Link.html]\n\n\n5 Timeline\naaaaaaaaaa\n\n aC/ 09.05.2018 - vendor notified\n aC/ 06.06.2018 - asked vendor about the status because of long vendor\n response\n aC/ 22.06.2018 - received a reply that a patch will be released for\n DWR-116 and DWR-111, for the other devices which are EOL an\n announcement will be released\n aC/ 09.09.2018 - still no reply from vendor about the patches or\n announcement, I have warned the vendor that if I will not get a\n reply in a month I will publish the disclosure\n aC/ 12.10.2018 - disclosing the vulnerabilities\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10823"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013710"
},
{
"db": "CNVD",
"id": "CNVD-2018-21067"
},
{
"db": "VULHUB",
"id": "VHN-120621"
},
{
"db": "VULMON",
"id": "CVE-2018-10823"
},
{
"db": "PACKETSTORM",
"id": "149844"
}
],
"trust": 2.43
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10823",
"trust": 3.3
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013710",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1015",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2018-21067",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120621",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10823",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149844",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21067"
},
{
"db": "VULHUB",
"id": "VHN-120621"
},
{
"db": "VULMON",
"id": "CVE-2018-10823"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013710"
},
{
"db": "PACKETSTORM",
"id": "149844"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1015"
},
{
"db": "NVD",
"id": "CVE-2018-10823"
}
]
},
"id": "VAR-201810-0936",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21067"
},
{
"db": "VULHUB",
"id": "VHN-120621"
}
],
"trust": 1.3574404912499998
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS",
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21067"
}
]
},
"last_update_date": "2024-11-23T22:59:19.765000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.dlink.lt/en/"
},
{
"title": "D-Link router httpdservershell command to inject vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/142553"
},
{
"title": "Kenzer Templates [5170] [DEPRECATED]",
"trust": 0.1,
"url": "https://github.com/ARPSyndicate/kenzer-templates "
},
{
"title": "The Register",
"trust": 0.1,
"url": "https://www.theregister.co.uk/2018/10/17/dlink_security_flaws/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21067"
},
{
"db": "VULMON",
"id": "CVE-2018-10823"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013710"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.1
},
{
"problemtype": "CWE-77",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120621"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013710"
},
{
"db": "NVD",
"id": "CVE-2018-10823"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "http://sploit.tech/2018/10/12/d-link.html"
},
{
"trust": 2.5,
"url": "https://seclists.org/fulldisclosure/2018/oct/36"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10823"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10823"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/arpsyndicate/kenzer-templates"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-6190"
},
{
"trust": 0.1,
"url": "http://routerip/uir//tmp/xxx/0"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10822"
},
{
"trust": 0.1,
"url": "http://sploit.tech/"
},
{
"trust": 0.1,
"url": "http://routerip/uir//etc/passwd"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10824"
},
{
"trust": 0.1,
"url": "http://sploit.tech/2018/10/12/d-link.html]"
},
{
"trust": 0.1,
"url": "http://routerip/chkisg.htm%3fsip%3d1.1.1.1%20%7c%20cat%20"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-21067"
},
{
"db": "VULHUB",
"id": "VHN-120621"
},
{
"db": "VULMON",
"id": "CVE-2018-10823"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013710"
},
{
"db": "PACKETSTORM",
"id": "149844"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1015"
},
{
"db": "NVD",
"id": "CVE-2018-10823"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-21067"
},
{
"db": "VULHUB",
"id": "VHN-120621"
},
{
"db": "VULMON",
"id": "CVE-2018-10823"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-013710"
},
{
"db": "PACKETSTORM",
"id": "149844"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-1015"
},
{
"db": "NVD",
"id": "CVE-2018-10823"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-21067"
},
{
"date": "2018-10-17T00:00:00",
"db": "VULHUB",
"id": "VHN-120621"
},
{
"date": "2018-10-17T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10823"
},
{
"date": "2019-02-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-013710"
},
{
"date": "2018-10-18T03:47:09",
"db": "PACKETSTORM",
"id": "149844"
},
{
"date": "2018-10-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-1015"
},
{
"date": "2018-10-17T14:29:00.787000",
"db": "NVD",
"id": "CVE-2018-10823"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-21067"
},
{
"date": "2019-10-03T00:00:00",
"db": "VULHUB",
"id": "VHN-120621"
},
{
"date": "2023-11-08T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10823"
},
{
"date": "2019-02-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-013710"
},
{
"date": "2019-10-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-1015"
},
{
"date": "2024-11-21T03:42:05.663000",
"db": "NVD",
"id": "CVE-2018-10823"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-1015"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural D-Link Command injection vulnerability in the product",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-013710"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system commend injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-1015"
}
],
"trust": 0.6
}
}
cve-2018-10824
Vulnerability from cvelistv5
Published
2018-10-17 14:00
Modified
2024-08-05 07:46
Severity ?
EPSS score ?
Summary
An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. The administrative password is stored in plaintext in the /tmp/csman/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.
References
| ▼ | URL | Tags |
|---|---|---|
| https://seclists.org/fulldisclosure/2018/Oct/36 | mailing-list, x_refsource_FULLDISC | |
| http://sploit.tech/2018/10/12/D-Link.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:46:46.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20181012 Multiple vulnerabilities in D-Link routers",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://sploit.tech/2018/10/12/D-Link.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-10-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. The administrative password is stored in plaintext in the /tmp/csman/0 file. An attacker having a directory traversal (or LFI) can easily get full router access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-17T13:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20181012 Multiple vulnerabilities in D-Link routers",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://sploit.tech/2018/10/12/D-Link.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-10824",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. The administrative password is stored in plaintext in the /tmp/csman/0 file. An attacker having a directory traversal (or LFI) can easily get full router access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20181012 Multiple vulnerabilities in D-Link routers",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
},
{
"name": "http://sploit.tech/2018/10/12/D-Link.html",
"refsource": "MISC",
"url": "http://sploit.tech/2018/10/12/D-Link.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-10824",
"datePublished": "2018-10-17T14:00:00",
"dateReserved": "2018-05-08T00:00:00",
"dateUpdated": "2024-08-05T07:46:46.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-19300
Vulnerability from cvelistv5
Published
2019-04-11 15:22
Modified
2024-08-05 11:30
Severity ?
EPSS score ?
Summary
On D-Link DAP-1530 (A1) before firmware version 1.06b01, DAP-1610 (A1) before firmware version 1.06b01, DWR-111 (A1) before firmware version 1.02v02, DWR-116 (A1) before firmware version 1.06b03, DWR-512 (B1) before firmware version 2.02b01, DWR-711 (A1) through firmware version 1.11, DWR-712 (B1) before firmware version 2.04b01, DWR-921 (A1) before firmware version 1.02b01, and DWR-921 (B1) before firmware version 2.03b01, there exists an EXCU_SHELL file in the web directory. By sending a GET request with specially crafted headers to the /EXCU_SHELL URI, an attacker could execute arbitrary shell commands in the root context on the affected device. Other devices might be affected as well.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:30:04.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.greenbone.net/schwerwiegende-sicherheitsluecke-in-d-link-routern-entdeckt/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.greenbone.net/t/cve-2018-19300-remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers/1772"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://eu.dlink.com/de/de/support/support-news/2019/march/19/remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.greenbone.net/en/serious-vulnerability-discovered-in-d-link-routers/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-03-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "On D-Link DAP-1530 (A1) before firmware version 1.06b01, DAP-1610 (A1) before firmware version 1.06b01, DWR-111 (A1) before firmware version 1.02v02, DWR-116 (A1) before firmware version 1.06b03, DWR-512 (B1) before firmware version 2.02b01, DWR-711 (A1) through firmware version 1.11, DWR-712 (B1) before firmware version 2.04b01, DWR-921 (A1) before firmware version 1.02b01, and DWR-921 (B1) before firmware version 2.03b01, there exists an EXCU_SHELL file in the web directory. By sending a GET request with specially crafted headers to the /EXCU_SHELL URI, an attacker could execute arbitrary shell commands in the root context on the affected device. Other devices might be affected as well."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-11T19:41:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.greenbone.net/schwerwiegende-sicherheitsluecke-in-d-link-routern-entdeckt/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.greenbone.net/t/cve-2018-19300-remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers/1772"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://eu.dlink.com/de/de/support/support-news/2019/march/19/remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.greenbone.net/en/serious-vulnerability-discovered-in-d-link-routers/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-19300",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "On D-Link DAP-1530 (A1) before firmware version 1.06b01, DAP-1610 (A1) before firmware version 1.06b01, DWR-111 (A1) before firmware version 1.02v02, DWR-116 (A1) before firmware version 1.06b03, DWR-512 (B1) before firmware version 2.02b01, DWR-711 (A1) through firmware version 1.11, DWR-712 (B1) before firmware version 2.04b01, DWR-921 (A1) before firmware version 1.02b01, and DWR-921 (B1) before firmware version 2.03b01, there exists an EXCU_SHELL file in the web directory. By sending a GET request with specially crafted headers to the /EXCU_SHELL URI, an attacker could execute arbitrary shell commands in the root context on the affected device. Other devices might be affected as well."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.greenbone.net/schwerwiegende-sicherheitsluecke-in-d-link-routern-entdeckt/",
"refsource": "MISC",
"url": "https://www.greenbone.net/schwerwiegende-sicherheitsluecke-in-d-link-routern-entdeckt/"
},
{
"name": "https://community.greenbone.net/t/cve-2018-19300-remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers/1772",
"refsource": "MISC",
"url": "https://community.greenbone.net/t/cve-2018-19300-remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers/1772"
},
{
"name": "https://eu.dlink.com/de/de/support/support-news/2019/march/19/remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers",
"refsource": "CONFIRM",
"url": "https://eu.dlink.com/de/de/support/support-news/2019/march/19/remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers"
},
{
"name": "https://www.greenbone.net/en/serious-vulnerability-discovered-in-d-link-routers/",
"refsource": "MISC",
"url": "https://www.greenbone.net/en/serious-vulnerability-discovered-in-d-link-routers/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-19300",
"datePublished": "2019-04-11T15:22:44",
"dateReserved": "2018-11-15T00:00:00",
"dateUpdated": "2024-08-05T11:30:04.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-10823
Vulnerability from cvelistv5
Published
2018-10-17 14:00
Modified
2024-08-05 07:46
Severity ?
EPSS score ?
Summary
An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.
References
| ▼ | URL | Tags |
|---|---|---|
| https://seclists.org/fulldisclosure/2018/Oct/36 | mailing-list, x_refsource_FULLDISC | |
| http://sploit.tech/2018/10/12/D-Link.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:46:47.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20181012 Multiple vulnerabilities in D-Link routers",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://sploit.tech/2018/10/12/D-Link.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-10-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-17T13:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20181012 Multiple vulnerabilities in D-Link routers",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://sploit.tech/2018/10/12/D-Link.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-10823",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20181012 Multiple vulnerabilities in D-Link routers",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
},
{
"name": "http://sploit.tech/2018/10/12/D-Link.html",
"refsource": "MISC",
"url": "http://sploit.tech/2018/10/12/D-Link.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-10823",
"datePublished": "2018-10-17T14:00:00",
"dateReserved": "2018-05-08T00:00:00",
"dateUpdated": "2024-08-05T07:46:47.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-10822
Vulnerability from cvelistv5
Published
2018-10-17 14:00
Modified
2024-08-05 07:46
Severity ?
EPSS score ?
Summary
Directory traversal vulnerability in the web interface on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.
References
| ▼ | URL | Tags |
|---|---|---|
| https://seclists.org/fulldisclosure/2018/Oct/36 | mailing-list, x_refsource_FULLDISC | |
| http://sploit.tech/2018/10/12/D-Link.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:46:47.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20181012 Multiple vulnerabilities in D-Link routers",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://sploit.tech/2018/10/12/D-Link.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-10-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in the web interface on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices allows remote attackers to read arbitrary files via a /.. or // after \"GET /uir\" in an HTTP request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-17T13:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20181012 Multiple vulnerabilities in D-Link routers",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://sploit.tech/2018/10/12/D-Link.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-10822",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in the web interface on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices allows remote attackers to read arbitrary files via a /.. or // after \"GET /uir\" in an HTTP request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20181012 Multiple vulnerabilities in D-Link routers",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2018/Oct/36"
},
{
"name": "http://sploit.tech/2018/10/12/D-Link.html",
"refsource": "MISC",
"url": "http://sploit.tech/2018/10/12/D-Link.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-10822",
"datePublished": "2018-10-17T14:00:00",
"dateReserved": "2018-05-08T00:00:00",
"dateUpdated": "2024-08-05T07:46:47.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}