Details of VAR-201508-0254

ID

VAR-201508-0254

CVE

CVE-2015-5536

TITLE

Belkin N300 Dual-Band Wi-Fi Range Extender Vulnerability to execute arbitrary commands in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2015-004070

DESCRIPTION

Belkin N300 Dual-Band Wi-Fi Range Extender with firmware before 1.04.10 allows remote authenticated users to execute arbitrary commands via the (1) sub_dir parameter in a formUSBStorage request; pinCode parameter in a (2) formWpsStart or (3) formiNICWpsStart request; (4) wps_enrolee_pin parameter in a formWlanSetupWPS request; or unspecified parameters in a (5) formWlanMP, (6) formBSSetSitesurvey, (7) formHwSet, or (8) formConnectionSetting request. Authentication is required to exploit this vulnerability.The specific flaw exists within the handling of formUSBStorage requests. It is possible to inject arbitrary operating system commands when the application is handling the sub_dir parameter. A remote attacker can leverage this vulnerability to execute remote code under the context of the root user. The Belkin N300 Dual-Band Wi-Fi Range Extender is a dual-band wireless expansion router product. Failed exploit attempts may result in denial-of-service conditions

Trust: 8.19

sources: NVD: CVE-2015-5536 // JVNDB: JVNDB-2015-004070 // ZDI: ZDI-15-343 // ZDI: ZDI-15-345 // ZDI: ZDI-15-344 // ZDI: ZDI-15-351 // ZDI: ZDI-15-347 // ZDI: ZDI-15-349 // ZDI: ZDI-15-346 // ZDI: ZDI-15-348 // ZDI: ZDI-15-350 // CNVD: CNVD-2015-04993 // BID: 75978 // VULHUB: VHN-83497

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-04993

AFFECTED PRODUCTS

vendor:	belkin	model:	n300 dual-band wi-fi range extender	scope:	-	version:	-	Trust: 7.7
vendor:	belkin	model:	n300 dual-band wi-fi range extender	scope:	eq	version:	1.0.0	Trust: 1.6
vendor:	belkin	model:	n300 dual-band wi-fi range extender	scope:	lt	version:	1.04.10	Trust: 0.8

sources: ZDI: ZDI-15-343 // ZDI: ZDI-15-345 // ZDI: ZDI-15-344 // ZDI: ZDI-15-351 // ZDI: ZDI-15-347 // ZDI: ZDI-15-349 // ZDI: ZDI-15-346 // ZDI: ZDI-15-348 // ZDI: ZDI-15-350 // CNVD: CNVD-2015-04993 // JVNDB: JVNDB-2015-004070 // CNNVD: CNNVD-201507-704 // NVD: CVE-2015-5536

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2015-5536
value:	HIGH
Trust: 6.3
nvd@nist.gov:	CVE-2015-5536
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-5536
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2015-04993
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201507-704
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-83497
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-5536
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 8.1
CNVD:	CNVD-2015-04993
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-83497
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: ZDI: ZDI-15-343 // ZDI: ZDI-15-345 // ZDI: ZDI-15-344 // ZDI: ZDI-15-351 // ZDI: ZDI-15-347 // ZDI: ZDI-15-349 // ZDI: ZDI-15-346 // ZDI: ZDI-15-348 // ZDI: ZDI-15-350 // CNVD: CNVD-2015-04993 // VULHUB: VHN-83497 // JVNDB: JVNDB-2015-004070 // CNNVD: CNNVD-201507-704 // NVD: CVE-2015-5536

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-83497 // JVNDB: JVNDB-2015-004070 // NVD: CVE-2015-5536

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201507-704

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201507-704

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004070

PATCH

title:	N300 Dual-Band Wi-Fi Range Extender F9K1111 - Firmware	url:	http://www.belkin.com/us/support-article?articleNum=4975	Trust: 7.1
title:	Belkin N300 Dual-Band Wi-Fi Range Extender Remote Code Execution Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/61632	Trust: 0.6

EXTERNAL IDS

db:	NVD	id:	CVE-2015-5536	Trust: 9.7
db:	ZDI	id:	ZDI-15-348	Trust: 3.0
db:	BID	id:	75978	Trust: 2.6
db:	ZDI	id:	ZDI-15-343	Trust: 2.4
db:	ZDI	id:	ZDI-15-344	Trust: 2.4
db:	ZDI	id:	ZDI-15-351	Trust: 2.4
db:	ZDI	id:	ZDI-15-347	Trust: 2.4
db:	ZDI	id:	ZDI-15-349	Trust: 2.4
db:	ZDI	id:	ZDI-15-346	Trust: 2.4
db:	ZDI	id:	ZDI-15-350	Trust: 2.4
db:	SECTRACK	id:	1033295	Trust: 1.1
db:	JVNDB	id:	JVNDB-2015-004070	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-2642	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2634	Trust: 0.7
db:	ZDI	id:	ZDI-15-345	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2633	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2639	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2636	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2637	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2635	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2638	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2640	Trust: 0.7
db:	CNNVD	id:	CNNVD-201507-704	Trust: 0.7
db:	CNVD	id:	CNVD-2015-04993	Trust: 0.6
db:	VULHUB	id:	VHN-83497	Trust: 0.1

sources: ZDI: ZDI-15-343 // ZDI: ZDI-15-345 // ZDI: ZDI-15-344 // ZDI: ZDI-15-351 // ZDI: ZDI-15-347 // ZDI: ZDI-15-349 // ZDI: ZDI-15-346 // ZDI: ZDI-15-348 // ZDI: ZDI-15-350 // CNVD: CNVD-2015-04993 // VULHUB: VHN-83497 // BID: 75978 // JVNDB: JVNDB-2015-004070 // CNNVD: CNNVD-201507-704 // NVD: CVE-2015-5536

REFERENCES

url:	http://www.belkin.com/us/support-article?articlenum=4975	Trust: 8.0
url:	http://www.securityfocus.com/bid/75978	Trust: 1.7
url:	http://www.zerodayinitiative.com/advisories/zdi-15-343/	Trust: 1.7
url:	http://www.zerodayinitiative.com/advisories/zdi-15-344/	Trust: 1.7
url:	http://www.zerodayinitiative.com/advisories/zdi-15-346/	Trust: 1.7
url:	http://www.zerodayinitiative.com/advisories/zdi-15-347/	Trust: 1.7
url:	http://www.zerodayinitiative.com/advisories/zdi-15-348/	Trust: 1.7
url:	http://www.zerodayinitiative.com/advisories/zdi-15-349/	Trust: 1.7
url:	http://www.zerodayinitiative.com/advisories/zdi-15-350/	Trust: 1.7
url:	http://www.zerodayinitiative.com/advisories/zdi-15-351/	Trust: 1.7
url:	http://www.securitytracker.com/id/1033295	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-5536	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-5536	Trust: 0.8
url:	http://zerodayinitiative.com/advisories/zdi-15-348/	Trust: 0.6

sources: ZDI: ZDI-15-343 // ZDI: ZDI-15-345 // ZDI: ZDI-15-344 // ZDI: ZDI-15-351 // ZDI: ZDI-15-347 // ZDI: ZDI-15-349 // ZDI: ZDI-15-346 // ZDI: ZDI-15-348 // ZDI: ZDI-15-350 // CNVD: CNVD-2015-04993 // VULHUB: VHN-83497 // JVNDB: JVNDB-2015-004070 // CNNVD: CNNVD-201507-704 // NVD: CVE-2015-5536

CREDITS

Elvis Collado of HP DVLabs

Trust: 7.2

SOURCES

db:	ZDI	id:	ZDI-15-343
db:	ZDI	id:	ZDI-15-345
db:	ZDI	id:	ZDI-15-344
db:	ZDI	id:	ZDI-15-351
db:	ZDI	id:	ZDI-15-347
db:	ZDI	id:	ZDI-15-349
db:	ZDI	id:	ZDI-15-346
db:	ZDI	id:	ZDI-15-348
db:	ZDI	id:	ZDI-15-350
db:	CNVD	id:	CNVD-2015-04993
db:	VULHUB	id:	VHN-83497
db:	BID	id:	75978
db:	JVNDB	id:	JVNDB-2015-004070
db:	CNNVD	id:	CNNVD-201507-704
db:	NVD	id:	CVE-2015-5536

LAST UPDATE DATE

2025-04-13T23:41:20.314000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-15-343	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-345	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-344	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-351	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-347	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-349	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-346	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-348	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-350	date:	2015-07-20T00:00:00
db:	CNVD	id:	CNVD-2015-04993	date:	2015-07-29T00:00:00
db:	VULHUB	id:	VHN-83497	date:	2016-12-24T00:00:00
db:	BID	id:	75978	date:	2015-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2015-004070	date:	2015-08-14T00:00:00
db:	CNNVD	id:	CNNVD-201507-704	date:	2015-08-14T00:00:00
db:	NVD	id:	CVE-2015-5536	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-15-343	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-345	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-344	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-351	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-347	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-349	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-346	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-348	date:	2015-07-20T00:00:00
db:	ZDI	id:	ZDI-15-350	date:	2015-07-20T00:00:00
db:	CNVD	id:	CNVD-2015-04993	date:	2015-07-28T00:00:00
db:	VULHUB	id:	VHN-83497	date:	2015-08-13T00:00:00
db:	BID	id:	75978	date:	2015-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2015-004070	date:	2015-08-14T00:00:00
db:	CNNVD	id:	CNNVD-201507-704	date:	2015-07-22T00:00:00
db:	NVD	id:	CVE-2015-5536	date:	2015-08-13T14:59:08.750