Sign-up

ID

VAR-201812-0909


CVE

CVE-2018-19242


TITLE

TRENDnet TEW-632BRP and TEW-673GRU Buffer error vulnerability in device

Trust: 0.8

sources: JVNDB: JVNDB-2018-013458

DESCRIPTION

Buffer overflow in apply.cgi on TRENDnet TEW-632BRP 1.010B32 and TEW-673GRU devices allows attackers to hijack the control flow to any attacker-specified location by crafting a POST request payload (with authentication). TRENDnet TEW-632BRP and TEW-673GRU The device contains a buffer error vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. TRENDnetTEW-632BRP is a router. The TRENDnetTEW-673GRU is a dual-band green router. A buffer overflow vulnerability exists in TRENDnetTEW-632BRP and TEW-673GRU. ########################################### Vulnerabilities found in TRENDnet devices Authors:Prashast Srivastava, Mathias Payer Howard Shrobe, Hamed Okhravi Author contact: https://github.com/prashast/ ########################################### Multiple vulnerabilties including Command Injection, Buffer Overflow and Reflective XSS vulnerabilties were found in the following TRENDnet devices: Routers: TEW-634GRU, TEW-673GRU, TEW-632BRP IP-Cameras: TV-IP110WN, TV-IP121WN These were found using our dynamic analysis tool for embedded devices. The POC's will be made available upon the public release of our tool. A more detailed breakdown is presented below on a per vulnerability basis:- Command Injection ------------------ CVE-ID: CVE-2018-19239 Product: TEW-673GRU Module affected: `start_arpping` function in `timer` binary Firmware version: v1.00b40 TRENDnet TEW-673GRU v1.00b40 devices have an OS command injection vulnerability in the `start_arpping` function of the `timer binary`, which allows remote attackers to execute arbitrary commands via three parameters (dhcpd_start, dhcpd_end, and lan_ipaddr) passed to the apply.cgi binary through a POST request. Exploiting the vulnerability requires a user to be authenticated with the router with administrative credentials. The `start_arpping` function reads the following values from the NVRAM namely: dhcpd_start, dhcpd_end, lan_ipaddr, lan_bridge and lan_eth. These values are then passed to the `arpping` utility without any sort of sanity checks. Out of these values, the outward facing configuration webserver(httpd) running at `IP:192.168.10.1 Port: 80` allows a user to modify the first three values `dhcpd_start`, `dhcpd_end`, `lan_ipaddr` via the LAN and DHCP server configuration webpage available at `http://192.168.10.1/lan.asp` by making a POST request to `apply.cgi` binary with the appropriate parameters. We have observed that the by directly making a POST request to the `apply.cgi` binary with the values of the above mentioned three parameters containing Command Injection based payloads, it is possible to execute arbitrary commands on the router with root privileges. A sub-routine respondAsp is called that copies a user-controlled parameter into a stack variable using strcpy without any bounds check. This makes the subroutine vulnerable to BoF and can be exploited without authentication x-----------x Products: - TV-IP110WN (V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64) - TV-IP121WN (V1.2.2 build 28) Module affected: `watch.cgi` A BoF vulnerability exists in the `watch.cgi` binary and how it handles the `url` parameter. Reflective XSS --------------- Products: - TEW-632BRP (1.010B32) - TEW-673GRU (v1.00b40) - TEW-634GRU (v1.01B14) Module affected: `login.cgi` `Login.cgi` in TRENDNet TEW-632BRP, TEW-673GRU and TEW-634GRU has a reflected XSS vulnerability that does not require any authentication. Vendor Disclosure ------------------ The vulnerabilities had been notified to the vendor 12/03. The vendor replied on 12/05 that since the products had reached their end-of-life no future development or firmware updates would be provided for these devices

Trust: 2.25

sources: NVD: CVE-2018-19242 // JVNDB: JVNDB-2018-013458 // CNVD: CNVD-2018-25695 // PACKETSTORM: 150693

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-25695

AFFECTED PRODUCTS

vendor:trendnetmodel:tew-632brpscope:eqversion:1.010b32

Trust: 2.4

vendor:trendnetmodel:tew-673gruscope:eqversion:1.00b40

Trust: 1.6

vendor:trendnetmodel:tew-673gruscope: - version: -

Trust: 0.8

vendor:trendnetmodel:tew-673gru v1.00b40scope: - version: -

Trust: 0.6

vendor:trendnetmodel:tew-632brp 1.010b32scope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2018-25695 // JVNDB: JVNDB-2018-013458 // CNNVD: CNNVD-201812-975 // NVD: CVE-2018-19242

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-19242
value: HIGH

Trust: 1.0

NVD: CVE-2018-19242
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-25695
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201812-975
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2018-19242
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-25695
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2018-19242
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-25695 // JVNDB: JVNDB-2018-013458 // CNNVD: CNNVD-201812-975 // NVD: CVE-2018-19242

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2018-013458 // NVD: CVE-2018-19242

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201812-975

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201812-975

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-013458

PATCH
title:Top Pageurl:http://www.trendnet.com/home
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2018-013458

EXTERNAL IDS
db:NVDid:CVE-2018-19242
Trust: 3.1
db:PACKETSTORMid:150693
Trust: 2.5
db:JVNDBid:JVNDB-2018-013458
Trust: 0.8
db:CNVDid:CNVD-2018-25695
Trust: 0.6
db:CNNVDid:CNNVD-201812-975
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2018-25695 // 
            
            
            
            JVNDB: JVNDB-2018-013458 // 
            
            
            
            PACKETSTORM: 150693 // 
            
            
            
            CNNVD: CNNVD-201812-975 // 
            
            
            
            NVD: CVE-2018-19242

REFERENCES
url:http://packetstormsecurity.com/files/150693/trendnet-command-injection-buffer-overflow-cross-site-scripting.html
Trust: 2.4
url:http://seclists.org/fulldisclosure/2018/dec/21
Trust: 2.2
url:https://nvd.nist.gov/vuln/detail/cve-2018-19242
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-19242
Trust: 0.8
url:https://github.com/prashast/
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-19239
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-19240
Trust: 0.1
url:http://192.168.10.1/lan.asp`
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-19241
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-25695 // 
            
            
            
            JVNDB: JVNDB-2018-013458 // 
            
            
            
            PACKETSTORM: 150693 // 
            
            
            
            CNNVD: CNNVD-201812-975 // 
            
            
            
            NVD: CVE-2018-19242

CREDITS
Mathias Payer, Hamed Okhravi, Prashast Srivastava, Howard Shrobe
Trust: 0.1
sources:
            
            
            PACKETSTORM: 150693

SOURCES
db:CNVDid:CNVD-2018-25695
db:JVNDBid:JVNDB-2018-013458
db:PACKETSTORMid:150693
db:CNNVDid:CNNVD-201812-975
db:NVDid:CVE-2018-19242

LAST UPDATE DATE
2024-11-23T21:37:54.126000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-25695date:2018-12-18T00:00:00
db:JVNDBid:JVNDB-2018-013458date:2019-02-21T00:00:00
db:CNNVDid:CNNVD-201812-975date:2018-12-21T00:00:00
db:NVDid:CVE-2018-19242date:2024-11-21T03:57:38.003

SOURCES RELEASE DATE
db:CNVDid:CNVD-2018-25695date:2018-12-18T00:00:00
db:JVNDBid:JVNDB-2018-013458date:2019-02-21T00:00:00
db:PACKETSTORMid:150693date:2018-12-09T23:22:22
db:CNNVDid:CNNVD-201812-975date:2018-12-21T00:00:00
db:NVDid:CVE-2018-19242date:2018-12-20T23:29:01.253