Details of VAR-201810-0934

ID

VAR-201810-0934

CVE

CVE-2018-10822

TITLE

plural D-Link Product vulnerable to path traversal

Trust: 0.8

sources: JVNDB: JVNDB-2018-013709

DESCRIPTION

Directory traversal vulnerability in the web interface on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190. plural D-Link The product contains a path traversal vulnerability. DWR-116, DIR-140, DIR-640, etc. are all D-Link router products. D-Link DWR-116, etc. The following products and versions are affected: D-Link DWR-116 1.06 and earlier; DIR-140L 1.02 and earlier; DIR-640L 1.02 and earlier; DWR-512 2.02 and earlier; DWR-712 2.02 and earlier; DWR-912 2.02 and earlier; DWR-921 2.02 and earlier; DWR-111 1.01 and earlier. PoC: aaaaa a $ curl http://routerip/uir//etc/passwd aaaaa The vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824 This vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash. 2 Password stored in plaintext in several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa CVE: CVE-2018-10824 An issue was discovered on D-Link routers: aC/ DWR-116 through 1.06, aC/ DIR-140L through 1.02, aC/ DIR-640L through 1.02, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware. NOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple. The administrative password is stored in plaintext in the /tmp/XXX/0 file. PoC using the directory traversal vulnerability disclosed at the same time - CVE-2018-10822 aaaaa a $ curl http://routerip/uir//tmp/XXX/0 aaaaa This command returns a binary config file which contains admin username and password as well as many other router configuration settings. 3 Shell command injection in httpd server of a several series of D-Link routers aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaa CVE: CVE-2018-10823 CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) An issue was discovered on D-Link routers: aC/ DWR-116 through 1.06, aC/ DWR-512 through 2.02, aC/ DWR-712 through 2.02, aC/ DWR-912 through 2.02, aC/ DWR-921 through 2.02, aC/ DWR-111 through 1.01, aC/ and probably others with the same type of firmware. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals. PoC: 1. 2. Request the following URL after login: aaaaa a $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20 %2Fetc%2Fpasswd aaaaa 3. See the passwd file contents in the response. 4 Exploiting all together aaaaaaaaaaaaaaaaaaaaaaaaa CVSS v3: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) Taking all the three together it is easy to gain full router control including arbitrary code execution. Description with video: [http://sploit.tech/2018/10/12/D-Link.html] 5 Timeline aaaaaaaaaa aC/ 09.05.2018 - vendor notified aC/ 06.06.2018 - asked vendor about the status because of long vendor response aC/ 22.06.2018 - received a reply that a patch will be released for DWR-116 and DWR-111, for the other devices which are EOL an announcement will be released aC/ 09.09.2018 - still no reply from vendor about the patches or announcement, I have warned the vendor that if I will not get a reply in a month I will publish the disclosure aC/ 12.10.2018 - disclosing the vulnerabilities

Trust: 2.43

sources: NVD: CVE-2018-10822 // JVNDB: JVNDB-2018-013709 // CNVD: CNVD-2018-21069 // VULHUB: VHN-120620 // VULMON: CVE-2018-10822 // PACKETSTORM: 149844

IOT TAXONOMY

category:

['ICS', 'Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-21069

AFFECTED PRODUCTS

vendor:	dlink	model:	dir-640l	scope:	lte	version:	1.02	Trust: 1.0
vendor:	dlink	model:	dir-140l	scope:	lte	version:	1.02	Trust: 1.0
vendor:	dlink	model:	dwr-921	scope:	lte	version:	2.02	Trust: 1.0
vendor:	dlink	model:	dwr-111	scope:	lte	version:	1.01	Trust: 1.0
vendor:	dlink	model:	dwr-912	scope:	lte	version:	2.02	Trust: 1.0
vendor:	dlink	model:	dwr-116	scope:	lte	version:	1.06	Trust: 1.0
vendor:	dlink	model:	dwr-512	scope:	lte	version:	2.02	Trust: 1.0
vendor:	dlink	model:	dwr-712	scope:	lte	version:	2.02	Trust: 1.0
vendor:	d link	model:	dir-140l	scope:	lte	version:	1.02	Trust: 0.8
vendor:	d link	model:	dir-640l	scope:	lte	version:	1.02	Trust: 0.8
vendor:	d link	model:	dwr-111	scope:	lte	version:	1.01	Trust: 0.8
vendor:	d link	model:	dwr-116	scope:	lte	version:	1.06	Trust: 0.8
vendor:	d link	model:	dwr-512	scope:	lte	version:	2.02	Trust: 0.8
vendor:	d link	model:	dwr-712	scope:	lte	version:	2.02	Trust: 0.8
vendor:	d link	model:	dwr-912	scope:	lte	version:	2.02	Trust: 0.8
vendor:	d link	model:	dwr-921	scope:	lte	version:	2.02	Trust: 0.8
vendor:	d link	model:	dwr-116	scope:	lt	version:	1.06	Trust: 0.6
vendor:	d link	model:	dir-140l	scope:	lt	version:	1.02	Trust: 0.6
vendor:	d link	model:	dir-640l	scope:	lt	version:	1.02	Trust: 0.6
vendor:	d link	model:	dwr-512	scope:	lt	version:	2.02	Trust: 0.6
vendor:	d link	model:	dwr-712	scope:	lt	version:	2.02	Trust: 0.6
vendor:	d link	model:	dwr-912	scope:	lt	version:	2.02	Trust: 0.6
vendor:	d link	model:	dwr-921	scope:	lt	version:	2.02	Trust: 0.6
vendor:	d link	model:	dwr-111	scope:	lt	version:	1.01	Trust: 0.6

sources: CNVD: CNVD-2018-21069 // JVNDB: JVNDB-2018-013709 // NVD: CVE-2018-10822

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-10822
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-10822
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-21069
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201810-1016
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-120620
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2018-10822
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-10822
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2018-21069
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-120620
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-10822
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2018-10822
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2018-21069 // VULHUB: VHN-120620 // VULMON: CVE-2018-10822 // JVNDB: JVNDB-2018-013709 // CNNVD: CNNVD-201810-1016 // NVD: CVE-2018-10822

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.9

sources: VULHUB: VHN-120620 // JVNDB: JVNDB-2018-013709 // NVD: CVE-2018-10822

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-1016

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201810-1016

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013709

PATCH

title:	Top Page	url:	http://www.dlink.lt/en/	Trust: 0.8
title:	D-Link router httpdserver directory traversal vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/142543	Trust: 0.6
title:	Kenzer Templates [5170] [DEPRECATED]	url:	https://github.com/ARPSyndicate/kenzer-templates	Trust: 0.1
title:	The Register	url:	https://www.theregister.co.uk/2018/10/17/dlink_security_flaws/	Trust: 0.1

sources: CNVD: CNVD-2018-21069 // VULMON: CVE-2018-10822 // JVNDB: JVNDB-2018-013709

EXTERNAL IDS

db:	NVD	id:	CVE-2018-10822	Trust: 3.3
db:	JVNDB	id:	JVNDB-2018-013709	Trust: 0.8
db:	CNNVD	id:	CNNVD-201810-1016	Trust: 0.7
db:	CNVD	id:	CNVD-2018-21069	Trust: 0.6
db:	VULHUB	id:	VHN-120620	Trust: 0.1
db:	VULMON	id:	CVE-2018-10822	Trust: 0.1
db:	PACKETSTORM	id:	149844	Trust: 0.1

sources: CNVD: CNVD-2018-21069 // VULHUB: VHN-120620 // VULMON: CVE-2018-10822 // JVNDB: JVNDB-2018-013709 // PACKETSTORM: 149844 // CNNVD: CNNVD-201810-1016 // NVD: CVE-2018-10822

REFERENCES

url:	http://sploit.tech/2018/10/12/d-link.html	Trust: 2.6
url:	https://seclists.org/fulldisclosure/2018/oct/36	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2018-10822	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10822	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/22.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/arpsyndicate/kenzer-templates	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6190	Trust: 0.1
url:	http://routerip/uir//tmp/xxx/0	Trust: 0.1
url:	http://sploit.tech/	Trust: 0.1
url:	http://routerip/uir//etc/passwd	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-10824	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-10823	Trust: 0.1
url:	http://sploit.tech/2018/10/12/d-link.html]	Trust: 0.1
url:	http://routerip/chkisg.htm%3fsip%3d1.1.1.1%20%7c%20cat%20	Trust: 0.1

CREDITS

Blazej Adamczyk

Trust: 0.1

sources: PACKETSTORM: 149844

SOURCES

db:	CNVD	id:	CNVD-2018-21069
db:	VULHUB	id:	VHN-120620
db:	VULMON	id:	CVE-2018-10822
db:	JVNDB	id:	JVNDB-2018-013709
db:	PACKETSTORM	id:	149844
db:	CNNVD	id:	CNNVD-201810-1016
db:	NVD	id:	CVE-2018-10822

LAST UPDATE DATE

2024-11-23T22:59:19.845000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-21069	date:	2018-10-17T00:00:00
db:	VULHUB	id:	VHN-120620	date:	2019-01-23T00:00:00
db:	VULMON	id:	CVE-2018-10822	date:	2023-11-08T00:00:00
db:	JVNDB	id:	JVNDB-2018-013709	date:	2019-02-28T00:00:00
db:	CNNVD	id:	CNNVD-201810-1016	date:	2019-02-11T00:00:00
db:	NVD	id:	CVE-2018-10822	date:	2024-11-21T03:42:05.497

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2018-21069	date:	2018-10-17T00:00:00
db:	VULHUB	id:	VHN-120620	date:	2018-10-17T00:00:00
db:	VULMON	id:	CVE-2018-10822	date:	2018-10-17T00:00:00
db:	JVNDB	id:	JVNDB-2018-013709	date:	2019-02-28T00:00:00
db:	PACKETSTORM	id:	149844	date:	2018-10-18T03:47:09
db:	CNNVD	id:	CNNVD-201810-1016	date:	2018-10-18T00:00:00
db:	NVD	id:	CVE-2018-10822	date:	2018-10-17T14:29:00.663