ID
VAR-E-201704-0089
CVE
cve_id: | CVE-2018-10822 | Trust: 2.1 |
cve_id: | CVE-2017-6190 | Trust: 1.3 |
cve_id: | CVE-2018-10823 | Trust: 0.5 |
cve_id: | CVE-2018-10824 | Trust: 0.5 |
EDB ID
45678
TITLE
D-Link Routers - Directory Traversal - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
D-Link Routers - Directory Traversal. CVE-2018-10822. webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | d link | model: | routers | scope: | - | version: | - | Trust: 1.6 |
vendor: | d link | model: | dwr-116 | scope: | - | version: | - | Trust: 0.5 |
vendor: | d link | model: | plain-text password storage | scope: | - | version: | - | Trust: 0.5 |
vendor: | d link | model: | dwr-116 1.05 | scope: | - | version: | - | Trust: 0.3 |
vendor: | d link | model: | dwr-116 1.01 | scope: | - | version: | - | Trust: 0.3 |
vendor: | d link | model: | dwr-116 1.00 b10 | scope: | - | version: | - | Trust: 0.3 |
vendor: | d link | model: | dwr-116 1.05b09 | scope: | ne | version: | - | Trust: 0.3 |
EXPLOIT
Directory Traversal
CVE: CVE-2018-10822
CVSS v3: 8.6
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Description: Directory traversal vulnerability in the web interface on D-Link routers:
DWR-116 through 1.06,
DIR-140L through 1.02,
DIR-640L through 1.02,
DWR-512 through 2.02,
DWR-712 through 2.02,
DWR-912 through 2.02,
DWR-921 through 2.02,
DWR-111 through 1.01,
and probably others with the same type of firmware
allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request.
NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.
PoC:
`$ curl http://routerip/uir//etc/passwd`
The vulnerability can be used to retrieve the administrative password using the other disclosed vulnerability - CVE-2018-10824.
This vulnerability was previously reported by Patryk Bogdan as CVE-2017-6190. He reported that it was fixed in a certain release, but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by a double dot but also absolutely, using a double slash.
Trust: 1.0
EXPLOIT LANGUAGE
md
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Directory Traversal
Trust: 1.6
TAGS
tag: | exploit | Trust: 1.0 |
tag: | file inclusion | Trust: 1.0 |
tag: | arbitrary | Trust: 0.5 |
tag: | vulnerability | Trust: 0.5 |
tag: | code execution | Trust: 0.5 |
CREDITS
Blazej Adamczyk
Trust: 0.6
EXTERNAL IDS
db: | NVD | id: | CVE-2018-10822 | Trust: 2.1 |
db: | EXPLOIT-DB | id: | 45678 | Trust: 1.6 |
db: | NVD | id: | CVE-2017-6190 | Trust: 1.3 |
db: | EDBNET | id: | 99967 | Trust: 0.6 |
db: | PACKETSTORM | id: | 142052 | Trust: 0.5 |
db: | NVD | id: | CVE-2018-10824 | Trust: 0.5 |
db: | NVD | id: | CVE-2018-10823 | Trust: 0.5 |
db: | PACKETSTORM | id: | 149844 | Trust: 0.5 |
db: | BID | id: | 97620 | Trust: 0.3 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2018-10822 | Trust: 2.1 |
url: | https://nvd.nist.gov/vuln/detail/cve-2017-6190 | Trust: 1.0 |
url: | http://sploit.tech/2018/10/12/d-link.html | Trust: 1.0 |
url: | https://www.exploit-db.com/exploits/45678/ | Trust: 0.6 |
url: | https://nvd.nist.gov/vuln/detail/cve-2018-10824 | Trust: 0.5 |
url: | https://nvd.nist.gov/vuln/detail/cve-2018-10823 | Trust: 0.5 |
url: | http://seclists.org/bugtraq/2017/apr/28 | Trust: 0.3 |
url: | http://www.d-link.com | Trust: 0.3 |
SOURCES
db: | BID | id: | 97620 |
db: | PACKETSTORM | id: | 142052 |
db: | PACKETSTORM | id: | 149844 |
db: | EXPLOIT-DB | id: | 45678 |
db: | EDBNET | id: | 99967 |
LAST UPDATE DATE
2022-07-27T09:11:31.228000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 97620 | date: | 2017-04-18T00:06:00 |
SOURCES RELEASE DATE
db: | BID | id: | 97620 | date: | 2017-04-07T00:00:00 |
db: | PACKETSTORM | id: | 142052 | date: | 2017-04-07T19:22:22 |
db: | PACKETSTORM | id: | 149844 | date: | 2018-10-18T03:47:09 |
db: | EXPLOIT-DB | id: | 45678 | date: | 2018-10-12T00:00:00 |
db: | EDBNET | id: | 99967 | date: | 2018-11-04T00:00:00 |