Details of VAR-201812-0906

ID

VAR-201812-0906

CVE

CVE-2018-19239

TITLE

TRENDnet TEW-673GRU In the device OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-013455

DESCRIPTION

TRENDnet TEW-673GRU v1.00b40 devices have an OS command injection vulnerability in the start_arpping function of the timer binary, which allows remote attackers to execute arbitrary commands via three parameters (dhcpd_start, dhcpd_end, and lan_ipaddr) passed to the apply.cgi binary through a POST request. TRENDnet TEW-673GRU The device includes OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The TRENDnetTEW-673GRU is a dual-band green router. There is a command injection vulnerability in TRENDnetTEW-673GRU. ########################################### Vulnerabilities found in TRENDnet devices Authors:Prashast Srivastava, Mathias Payer Howard Shrobe, Hamed Okhravi Author contact: https://github.com/prashast/ ########################################### Multiple vulnerabilties including Command Injection, Buffer Overflow and Reflective XSS vulnerabilties were found in the following TRENDnet devices: Routers: TEW-634GRU, TEW-673GRU, TEW-632BRP IP-Cameras: TV-IP110WN, TV-IP121WN These were found using our dynamic analysis tool for embedded devices. The POC's will be made available upon the public release of our tool. Exploiting the vulnerability requires a user to be authenticated with the router with administrative credentials. The `start_arpping` function reads the following values from the NVRAM namely: dhcpd_start, dhcpd_end, lan_ipaddr, lan_bridge and lan_eth. These values are then passed to the `arpping` utility without any sort of sanity checks. Out of these values, the outward facing configuration webserver(httpd) running at `IP:192.168.10.1 Port: 80` allows a user to modify the first three values `dhcpd_start`, `dhcpd_end`, `lan_ipaddr` via the LAN and DHCP server configuration webpage available at `http://192.168.10.1/lan.asp` by making a POST request to `apply.cgi` binary with the appropriate parameters. Buffer Overflows ------------------ CVE-ID: CVE-2018-19240 Products: - TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64) - TV-IP121WN (V1.2.2 build 28) Module affected: `network.cgi` Buffer overflow can be exploited by using the `iptype` parameter in network.cgi on TRENDnet TV-IP110WN V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64 and TV-IP121WN V1.2.2 build 28 devices allows attackers to hijack the control flow to any attacker-specified location by crafting a POST request payload (without authentication) x-----------x CVE-ID: CVE-2018-19241 Products: - TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64) - TV-IP121WN (V1.2.2 build 28) Module affected: `video.cgi` A BoF vulnerability exists in the CGI binary which can modify the quality of the video recorded on the camera. A sub-routine respondAsp is called that copies a user-controlled parameter into a stack variable using strcpy without any bounds check. This makes the subroutine vulnerable to BoF and can be exploited without authentication x-----------x Products: - TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64) - TV-IP121WN (V1.2.2 build 28) Module affected: `watch.cgi` A BoF vulnerability exists in the `watch.cgi` binary and how it handles the `url` parameter. An attacker can deliver its payload using a POST request in the `url` parameter to trigger the BoF vulnerability without authentication. x-----------x CVE-ID: CVE-2018-19242 Products: - TEW-632BRP (1.010B32) - TEW-673GRU (v1.00b40) Module affected: `apply.cgi` Buffer overflow in apply.cgi on TRENDnet TEW-632BRP 1.010B32 and TEW-673GRU devices allows attackers to hijack the control flow to any attacker-specified location by crafting a POST request payload(with authentication). Reflective XSS --------------- Products: - TEW-632BRP (1.010B32) - TEW-673GRU (v1.00b40) - TEW-634GRU (v1.01B14) Module affected: `login.cgi` `Login.cgi` in TRENDNet TEW-632BRP, TEW-673GRU and TEW-634GRU has a reflected XSS vulnerability that does not require any authentication. Vendor Disclosure ------------------ The vulnerabilities had been notified to the vendor 12/03. The vendor replied on 12/05 that since the products had reached their end-of-life no future development or firmware updates would be provided for these devices

Trust: 2.34

sources: NVD: CVE-2018-19239 // JVNDB: JVNDB-2018-013455 // CNVD: CNVD-2018-25691 // VULMON: CVE-2018-19239 // PACKETSTORM: 150693

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-25691

AFFECTED PRODUCTS

vendor:	trendnet	model:	tew-673gru	scope:	eq	version:	1.00b40	Trust: 2.4
vendor:	trendnet	model:	tew-673gru v1.00b40	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2018-25691 // JVNDB: JVNDB-2018-013455 // CNNVD: CNNVD-201812-972 // NVD: CVE-2018-19239

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-19239
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-19239
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-25691
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201812-972
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2018-19239
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-19239
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2018-25691
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2018-19239
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2018-25691 // VULMON: CVE-2018-19239 // JVNDB: JVNDB-2018-013455 // CNNVD: CNNVD-201812-972 // NVD: CVE-2018-19239

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2018-013455 // NVD: CVE-2018-19239

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201812-972

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201812-972

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013455

PATCH

title:	Top Page	url:	http://www.trendnet.com/home	Trust: 0.8
title:	EQUAFL_setup USAGE EQUAFL++ AFLPlusplus Server COMMAND INJECTION INFO root cause analysis	url:	https://github.com/zyw-200/EQUAFL_setup	Trust: 0.1

sources: VULMON: CVE-2018-19239 // JVNDB: JVNDB-2018-013455

EXTERNAL IDS

db:	NVD	id:	CVE-2018-19239	Trust: 3.2
db:	PACKETSTORM	id:	150693	Trust: 2.6
db:	JVNDB	id:	JVNDB-2018-013455	Trust: 0.8
db:	CNVD	id:	CNVD-2018-25691	Trust: 0.6
db:	CNNVD	id:	CNNVD-201812-972	Trust: 0.6
db:	VULMON	id:	CVE-2018-19239	Trust: 0.1

sources: CNVD: CNVD-2018-25691 // VULMON: CVE-2018-19239 // JVNDB: JVNDB-2018-013455 // PACKETSTORM: 150693 // CNNVD: CNNVD-201812-972 // NVD: CVE-2018-19239

REFERENCES

url:	http://packetstormsecurity.com/files/150693/trendnet-command-injection-buffer-overflow-cross-site-scripting.html	Trust: 2.5
url:	http://seclists.org/fulldisclosure/2018/dec/21	Trust: 2.3
url:	https://nvd.nist.gov/vuln/detail/cve-2018-19239	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-19239	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/zyw-200/equafl_setup	Trust: 0.1
url:	https://github.com/prashast/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-19242	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-19240	Trust: 0.1
url:	http://192.168.10.1/lan.asp`	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-19241	Trust: 0.1

sources: CNVD: CNVD-2018-25691 // VULMON: CVE-2018-19239 // JVNDB: JVNDB-2018-013455 // PACKETSTORM: 150693 // CNNVD: CNNVD-201812-972 // NVD: CVE-2018-19239

CREDITS

Mathias Payer, Hamed Okhravi, Prashast Srivastava, Howard Shrobe

Trust: 0.1

sources: PACKETSTORM: 150693

SOURCES

db:	CNVD	id:	CNVD-2018-25691
db:	VULMON	id:	CVE-2018-19239
db:	JVNDB	id:	JVNDB-2018-013455
db:	PACKETSTORM	id:	150693
db:	CNNVD	id:	CNNVD-201812-972
db:	NVD	id:	CVE-2018-19239

LAST UPDATE DATE

2024-11-23T21:37:54.156000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-25691	date:	2018-12-18T00:00:00
db:	VULMON	id:	CVE-2018-19239	date:	2019-01-14T00:00:00
db:	JVNDB	id:	JVNDB-2018-013455	date:	2019-02-21T00:00:00
db:	CNNVD	id:	CNNVD-201812-972	date:	2018-12-21T00:00:00
db:	NVD	id:	CVE-2018-19239	date:	2024-11-21T03:57:37.523

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2018-25691	date:	2018-12-18T00:00:00
db:	VULMON	id:	CVE-2018-19239	date:	2018-12-20T00:00:00
db:	JVNDB	id:	JVNDB-2018-013455	date:	2019-02-21T00:00:00
db:	PACKETSTORM	id:	150693	date:	2018-12-09T23:22:22
db:	CNNVD	id:	CNNVD-201812-972	date:	2018-12-21T00:00:00
db:	NVD	id:	CVE-2018-19239	date:	2018-12-20T23:29:01.067