ID
VAR-E-201704-0086
CVE
| cve_id: | CVE-2018-10824 | Trust: 2.1 |
| cve_id: | CVE-2017-6190 | Trust: 1.3 |
| cve_id: | CVE-2018-10822 | Trust: 0.5 |
| cve_id: | CVE-2018-10823 | Trust: 0.5 |
EDB ID
45677
TITLE
D-Link Routers - Plaintext Password - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
D-Link Routers - Plaintext Password. CVE-2018-10824 . webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | d link | model: | routers | scope: | - | version: | - | Trust: 1.6 |
| vendor: | d link | model: | dwr-116 | scope: | - | version: | - | Trust: 0.5 |
| vendor: | d link | model: | plain-text password storage | scope: | - | version: | - | Trust: 0.5 |
| vendor: | d link | model: | dwr-116 1.05 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | d link | model: | dwr-116 1.01 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | d link | model: | dwr-116 1.00 b10 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | d link | model: | dwr-116 1.05b09 | scope: | ne | version: | - | Trust: 0.3 |
EXPLOIT
## Password stored in plaintext
CVE: CVE-2018-10824
Description:
An issue was discovered on D-Link routers:
DWR-116 through 1.06,
DIR-140L through 1.02,
DIR-640L through 1.02,
DWR-512 through 2.02,
DWR-712 through 2.02,
DWR-912 through 2.02,
DWR-921 through 2.02,
DWR-111 through 1.01,
and probably others with the same type of firmware.
NOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple
The administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.
PoC using the directory traversal vulnerability disclosed above - CVE-2018-10822
`$ curl http://routerip/uir//tmp/XXX/0`
This command returns a binary config file which contains admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability it is possible to read the file without authentication.
Trust: 1.0
EXPLOIT LANGUAGE
md
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Plaintext Password
Trust: 1.6
TAGS
| tag: | exploit | Trust: 1.0 |
| tag: | file inclusion | Trust: 1.0 |
| tag: | arbitrary | Trust: 0.5 |
| tag: | vulnerability | Trust: 0.5 |
| tag: | code execution | Trust: 0.5 |
CREDITS
Blazej Adamczyk
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2018-10824 | Trust: 2.1 |
| db: | EXPLOIT-DB | id: | 45677 | Trust: 1.6 |
| db: | NVD | id: | CVE-2017-6190 | Trust: 1.3 |
| db: | EDBNET | id: | 99966 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 142052 | Trust: 0.5 |
| db: | NVD | id: | CVE-2018-10822 | Trust: 0.5 |
| db: | NVD | id: | CVE-2018-10823 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 149844 | Trust: 0.5 |
| db: | BID | id: | 97620 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2018-10824 | Trust: 2.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2017-6190 | Trust: 1.0 |
| url: | http://sploit.tech/2018/10/12/d-link.html | Trust: 1.0 |
| url: | https://www.exploit-db.com/exploits/45677/ | Trust: 0.6 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2018-10822 | Trust: 0.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2018-10823 | Trust: 0.5 |
| url: | http://seclists.org/bugtraq/2017/apr/28 | Trust: 0.3 |
| url: | http://www.d-link.com | Trust: 0.3 |
SOURCES
| db: | BID | id: | 97620 |
| db: | PACKETSTORM | id: | 142052 |
| db: | PACKETSTORM | id: | 149844 |
| db: | EXPLOIT-DB | id: | 45677 |
| db: | EDBNET | id: | 99966 |
LAST UPDATE DATE
2022-07-27T09:11:31.195000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 97620 | date: | 2017-04-18T00:06:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 97620 | date: | 2017-04-07T00:00:00 |
| db: | PACKETSTORM | id: | 142052 | date: | 2017-04-07T19:22:22 |
| db: | PACKETSTORM | id: | 149844 | date: | 2018-10-18T03:47:09 |
| db: | EXPLOIT-DB | id: | 45677 | date: | 2018-10-12T00:00:00 |
| db: | EDBNET | id: | 99966 | date: | 2018-11-04T00:00:00 |