ID

VAR-201704-1225


CVE

CVE-2017-6190


TITLE

D-Link DWR-116 device firmware web interface directory traversal vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-003082

DESCRIPTION

Directory traversal vulnerability in the web interface on the D-Link DWR-116 device with firmware before V1.05b09 allows remote attackers to read arbitrary files via a .. (dot dot) in a "GET /uir/" request. The DWR-116 is a wireless N300 multi-WAN router from D-Link. D-Link DWR-116 is prone to an arbitrary-file-download vulnerability. An attacker can exploit this issue to download arbitrary files from the device filesystem and obtain potentially sensitive information.

NOTE: the traversal reported again in 2018 as CVE-2018-10822 (below) exists because of an incorrect fix for CVE-2017-6190.

PoC:

    $ curl http://routerip/uir//etc/passwd

The vulnerability can be used to retrieve the administrative password using the other disclosed vulnerability, CVE-2018-10824. This vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190; he reported it as fixed in a certain release, but unfortunately it is still present even in newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only with a double dot (as the original author stated) but also with an absolute path after a double slash (//).

2 Password stored in plaintext in several series of D-Link routers

CVE: CVE-2018-10824

An issue was discovered on D-Link routers:
  - DWR-116 through 1.06,
  - DIR-140L through 1.02,
  - DIR-640L through 1.02,
  - DWR-512 through 2.02,
  - DWR-712 through 2.02,
  - DWR-912 through 2.02,
  - DWR-921 through 2.02,
  - DWR-111 through 1.01,
  - and probably others with the same type of firmware.

NOTE: I have changed the filename in the description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple.

The administrative password is stored in plaintext in the /tmp/XXX/0 file.

PoC using the directory traversal vulnerability disclosed at the same time, CVE-2018-10822:

    $ curl http://routerip/uir//tmp/XXX/0

This command returns a binary config file which contains the admin username and password as well as many other router configuration settings.

3 Shell command injection in the httpd server of several series of D-Link routers

CVE: CVE-2018-10823
CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

An issue was discovered on D-Link routers:
  - DWR-116 through 1.06,
  - DWR-512 through 2.02,
  - DWR-712 through 2.02,
  - DWR-912 through 2.02,
  - DWR-921 through 2.02,
  - DWR-111 through 1.01,
  - and probably others with the same type of firmware.

An authenticated attacker may execute arbitrary code by injecting a shell command into the Sip parameter of the chkisg.htm page. This allows full control over the device internals.

PoC:
  1.
  2. Request the following URL after login:

    $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd

  3. See the passwd file contents in the response.

4 Exploiting all together

CVSS v3: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Taking all three together it is easy to gain full router control including arbitrary code execution.

Description with video: http://sploit.tech/2018/10/12/D-Link.html

5 Timeline

  - 09.05.2018 - vendor notified
  - 06.06.2018 - asked the vendor about the status because of the long vendor response time
  - 22.06.2018 - received a reply that a patch will be released for DWR-116 and DWR-111; for the other devices, which are EOL, an announcement will be released
  - 09.09.2018 - still no reply from the vendor about the patches or announcement; I have warned the vendor that if I do not get a reply within a month I will publish the disclosure
  - 12.10.2018 - disclosing the vulnerabilities
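The following Python is an added illustration for this record; it is neither the D-Link firmware's code nor the advisory's PoC. It shows why a path filter that only refuses ".." (an assumed model of an incomplete fix, since the vendor's real code is not on this page) is still bypassed by "//" followed by an absolute path, contrasts it with a resolver that rejects both forms, and runs a small scanner over constructed access-log lines that flags the two request shapes the advisory describes (the "/uir/" traversal and a shell metacharacter in the Sip parameter of chkisg.htm). WEBROOT, URL_PREFIX and the log lines are assumptions made for the example.

```python
"""Added illustration: incomplete vs. correct path confinement for the /uir/
handler, plus a log scanner for the advisory's request shapes.  Not the
vendor's code; WEBROOT and SAMPLE_LOG are assumptions/constructed data."""
import posixpath
import re
from urllib.parse import unquote

WEBROOT = "/www"          # assumed document root; the device's real root is not on the page
URL_PREFIX = "/uir/"      # handler prefix named in the advisory


def fully_decode(s, rounds=3):
    """Percent-decode until stable so %2e%2e, %252e, %3F and %3D are all seen as literals."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def resolve_dotdot_only(webroot, url_path):
    """Assumed model of an incomplete fix: refuse '..' and nothing else.
    posixpath.join discards webroot when the remainder is absolute, so
    '/uir//etc/passwd' -> remainder '/etc/passwd' -> served from the real root."""
    if not url_path.startswith(URL_PREFIX):
        return None
    rel = fully_decode(url_path[len(URL_PREFIX):])
    if ".." in rel:
        return None
    return posixpath.join(webroot, rel)


def resolve_safely(webroot, url_path):
    """Decode, strip leading slashes, collapse '.'/'..' lexically, then require the
    result to stay under webroot.  On a real filesystem also apply os.path.realpath
    before the prefix check so symlinks cannot lead outside the root."""
    if not url_path.startswith(URL_PREFIX):
        return None
    rel = fully_decode(url_path[len(URL_PREFIX):]).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(webroot, rel))
    root = webroot.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed access-log lines in common log format (not real device logs).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2018:10:00:01 +0000] "GET /uir//etc/passwd HTTP/1.1" 200 512',
    '192.0.2.10 - - [12/Oct/2018:10:00:02 +0000] "GET /uir/../../tmp/XXX/0 HTTP/1.1" 200 2048',
    '192.0.2.11 - - [12/Oct/2018:10:00:03 +0000] "GET /chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd HTTP/1.1" 200 300',
    '192.0.2.12 - - [12/Oct/2018:10:00:04 +0000] "GET /uir/index.htm HTTP/1.1" 200 1200',
    '192.0.2.12 - - [12/Oct/2018:10:00:05 +0000] "GET /chkisg.htm?Sip=8.8.8.8 HTTP/1.1" 200 300',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
SHELL_META = re.compile(r"[|;&`$\n]")          # characters that end or chain a shell command


def classify_request(raw_target):
    """Return 'path-traversal', 'command-injection' or None for one request target."""
    target = fully_decode(raw_target)         # the PoC encodes '?' and '=' as %3F and %3D
    path, _, query = target.partition("?")
    if path.startswith(URL_PREFIX) and (".." in path or path.startswith(URL_PREFIX + "/")):
        return "path-traversal"
    if path.endswith("/chkisg.htm"):
        m = re.search(r"(?:^|&)Sip=([^&]*)", query)
        if m and SHELL_META.search(m.group(1)):
            return "command-injection"
    return None


def scan_log(lines):
    """Return (verdict, raw_target) for every suspicious request line, in order."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m:
            verdict = classify_request(m.group(1))
            if verdict:
                hits.append((verdict, m.group(1)))
    return hits


if __name__ == "__main__":
    for verdict, target in scan_log(SAMPLE_LOG):
        print(f"{verdict:18s} {target}")
```

The resolver comparison is the practitioner's takeaway from the re-disclosure: rejecting a substring is not confinement, and the only robust check is to build the final path and verify it still lies under the intended root. The scanner decodes before matching because the advisory's injection PoC percent-encodes the query delimiters themselves, so a pattern applied to the raw request line would miss it.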

Trust: 2.61

sources: NVD: CVE-2017-6190 // JVNDB: JVNDB-2017-003082 // CNVD: CNVD-2017-05589 // BID: 97620 // VULHUB: VHN-114393 // PACKETSTORM: 149844

IOT TAXONOMY

category: IoT, Network device; sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-05589

AFFECTED PRODUCTS

vendor: dlink, model: dwr-116, scope: eq, version: v1.01(eu)

Trust: 1.6

vendor: dlink, model: dwr-116, scope: eq, version: v1.05(au)

Trust: 1.6

vendor: dlink, model: dwr-116, scope: eq, version: v1.00(cp)b10

Trust: 1.6

vendor: d link, model: dwr-116 1.05, scope: -, version: -

Trust: 0.9

vendor: d link, model: dwr-116 1.01, scope: -, version: -

Trust: 0.9

vendor: d link, model: dwr-116 1.00 b10, scope: -, version: -

Trust: 0.9

vendor: d link, model: dwr-116, scope: lt, version: 1.05b09

Trust: 0.8

vendor: d link, model: dwr-116 1.05b09, scope: ne, version: -

Trust: 0.3

sources: CNVD: CNVD-2017-05589 // BID: 97620 // JVNDB: JVNDB-2017-003082 // CNNVD: CNNVD-201704-490 // NVD: CVE-2017-6190

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-6190
value: HIGH

Trust: 1.0

NVD: CVE-2017-6190
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-05589
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201704-490
value: MEDIUM

Trust: 0.6

VULHUB: VHN-114393
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-6190
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-05589
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-114393
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-6190
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-05589 // VULHUB: VHN-114393 // JVNDB: JVNDB-2017-003082 // CNNVD: CNNVD-201704-490 // NVD: CVE-2017-6190

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.9

sources: VULHUB: VHN-114393 // JVNDB: JVNDB-2017-003082 // NVD: CVE-2017-6190

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-490

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201704-490

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003082

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-114393

PATCH

title: Wireless N300 Multi-WAN Router DWR-116, url: http://www.dlink.com/uk/en/products/dwr-116-wireless-n300-multi-wan-router

Trust: 0.8

title: D-Link DWR-116 patch for arbitrary file download vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/92924

Trust: 0.6

title: D-Link DWR-116 web interface path traversal vulnerability repair measures, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70141

Trust: 0.6

sources: CNVD: CNVD-2017-05589 // JVNDB: JVNDB-2017-003082 // CNNVD: CNNVD-201704-490

EXTERNAL IDS

db: NVD, id: CVE-2017-6190

Trust: 3.5

db: CXSECURITY, id: WLB-2017040033

Trust: 3.1

db: BID, id: 97620

Trust: 2.0

db: EXPLOIT-DB, id: 41840

Trust: 1.1

db: JVNDB, id: JVNDB-2017-003082

Trust: 0.8

db: CNNVD, id: CNNVD-201704-490

Trust: 0.7

db: CNVD, id: CNVD-2017-05589

Trust: 0.6

db: PACKETSTORM, id: 149844

Trust: 0.2

db: PACKETSTORM, id: 142052

Trust: 0.1

db: VULHUB, id: VHN-114393

Trust: 0.1

sources: CNVD: CNVD-2017-05589 // VULHUB: VHN-114393 // BID: 97620 // JVNDB: JVNDB-2017-003082 // PACKETSTORM: 149844 // CNNVD: CNNVD-201704-490 // NVD: CVE-2017-6190

REFERENCES

url:https://cxsecurity.com/blad/wlb-2017040033

Trust: 3.1

url:http://www.securityfocus.com/bid/97620

Trust: 1.1

url:https://www.exploit-db.com/exploits/41840/

Trust: 1.1

url:http://seclists.org/bugtraq/2017/apr/28

Trust: 0.9

url:https://nvd.nist.gov/vuln/detail/cve-2017-6190

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6190

Trust: 0.8

url:http://www.d-link.com

Trust: 0.3

url:http://routerip/uir//tmp/xxx/0

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-10822

Trust: 0.1

url:http://sploit.tech/

Trust: 0.1

url:http://routerip/uir//etc/passwd

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-10824

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-10823

Trust: 0.1

url:http://sploit.tech/2018/10/12/d-link.html

Trust: 0.1

url:http://routerip/chkisg.htm%3fsip%3d1.1.1.1%20%7c%20cat%20

Trust: 0.1

sources: CNVD: CNVD-2017-05589 // VULHUB: VHN-114393 // BID: 97620 // JVNDB: JVNDB-2017-003082 // PACKETSTORM: 149844 // CNNVD: CNNVD-201704-490 // NVD: CVE-2017-6190

CREDITS

Patryk Bogdan

Trust: 0.3

sources: BID: 97620

SOURCES

db: CNVD, id: CNVD-2017-05589
db: VULHUB, id: VHN-114393
db: BID, id: 97620
db: JVNDB, id: JVNDB-2017-003082
db: PACKETSTORM, id: 149844
db: CNNVD, id: CNNVD-201704-490
db: NVD, id: CVE-2017-6190

LAST UPDATE DATE

2024-11-23T22:59:19.725000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-05589, date: 2017-04-28T00:00:00
db: VULHUB, id: VHN-114393, date: 2017-08-16T00:00:00
db: BID, id: 97620, date: 2017-04-18T00:06:00
db: JVNDB, id: JVNDB-2017-003082, date: 2017-05-15T00:00:00
db: CNNVD, id: CNNVD-201704-490, date: 2017-05-24T00:00:00
db: NVD, id: CVE-2017-6190, date: 2024-11-21T03:29:13.253

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-05589, date: 2017-04-28T00:00:00
db: VULHUB, id: VHN-114393, date: 2017-04-10T00:00:00
db: BID, id: 97620, date: 2017-04-07T00:00:00
db: JVNDB, id: JVNDB-2017-003082, date: 2017-05-15T00:00:00
db: PACKETSTORM, id: 149844, date: 2018-10-18T03:47:09
db: CNNVD, id: CNNVD-201704-490, date: 2017-04-10T00:00:00
db: NVD, id: CVE-2017-6190, date: 2017-04-10T14:59:00.263