Details of VAR-201810-0835

ID

VAR-201810-0835

CVE

CVE-2018-17337

TITLE

Intelbras NPLUG Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2018-20758 // CNNVD: CNNVD-201810-550

DESCRIPTION

Intelbras NPLUG 1.0.0.14 devices have XSS via a crafted SSID that is received via a network broadcast. Intelbras NPLUG Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. IntelbrasNPLUG is a wireless relay device from Intelbras, Poland. A remote attacker can exploit this vulnerability to inject arbitrary web scripts or HTML with a specially crafted SSID. =====[ Tempest Security Intelligence ]===================================== Multiple vulnerabilities in NPLUG wireless repeater CVE-2018-12455: Authentication bypass CVE-2018-12456: Multiple CSRF CVE-2018-17337: XSS via SSID ------------------------------------------------------- Author: - Patrick Costa < @patrickrbc > Tempest Security Intelligence - Recife, PE - Brazil =====[ Table of Contents ]================================================= 1. Overview 2. Detailed description 3. Affected versions & Solutions 4. Timeline of disclosure 5. Thanks & Acknowledgements 6. References =====[ Overview ]========================================================== * System affected : NPLUG wireless repeater [1] * Version : 1.0.0.14 * Impact : An attacker can get root access on the device. =====[ Detailed description ]============================================== DISCLAIMER: This device uses a modified Tenda firmware [2]. Most of the vulnerabilities disclosed here were previously published regarding other similar device, besides that this device is pretty old. NPLUG wireless repeater has multiple vulnerabilities that can be combined to get a root access on the device. The first thing you can do to obtain access to the device is to exploit a XSS in the web interface (CVE-2018-17337). This can be exercised by placing an access point in an appropriate range from the device with a malicious SSID, e.g.: <script src="[pwned]"></script> If the user tries to scan for wireless networks using the web interface the XSS will pop and you're done. You can do all the stuff that will be described here. But, what if the user never uses this feature? Well, NPLUG's web interface has no CSRF (CVE-2018-12456) protection, so you can try to force a connected user to activate WAN access or change wireless security settings. Once you're inside NPLUG's network things became really easy. You can bypass the authentication just by setting a cookie named "admin:" (CVE-2018-12455). Example: curl -I http://10.0.0.1/ HTTP/1.0 302 Redirect ... curl -I http://10.0.0.1/ -H "Cookie: admin:=" HTTP/1.0 200 OK ... Now you have access to all the web interface features and you can download the config at http://10.0.0.1/DownloadCfg/RouterCfm.cfg containig passwords in plain text. If that is not enough for you, you can activate telnet daemon by making a simple GET request to /goform/telnetd and guess what! Root access with no password. Lately, I found out that this firmware had a binary that would work as the same backdoor previously reported for Tenda routers [3]. However, the service is not started by default and even when manually starting it, I couldn't exploit it for some reason. But there is not much need to do so. =====[ Affected versions & Solutions ]===================================== This test was performed against version 1.0.0.14 but previous versions are probably vulnerable. =====[ Timeline of disclosure ]============================================ 15/06/2018 - Vendor contacted. 04/07/2018 - Vendor requested time to verify. 22/08/2018 - Vendor replied they won't patch it. =====[ Thanks & Acknowledgements ]========================================= - Felipe Xavier < filipe.xavier () tempest.com.br > - Gustavo Pimentel < gustavo.pimentel () tempest.com.br> - Tempest Security Intelligence [4] =====[ References ]======================================================== [1] http://www.intelbras.com.br/empresarial/wi-fi/para-sua-casa/repetidor-de-sinal/nplug [2] http://www.tendacn.com/en/default.html [3] http://www.devttys0.com/2013/10/from-china-with-love/ [4] http://www.tempest.com.br/

Trust: 2.43

sources: NVD: CVE-2018-17337 // JVNDB: JVNDB-2018-010953 // CNVD: CNVD-2018-20758 // VULHUB: VHN-127786 // VULMON: CVE-2018-17337 // PACKETSTORM: 149730

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-20758

AFFECTED PRODUCTS

vendor:

intelbras

model:

nplug

scope:

version:

1.0.0.14

Trust: 3.0

sources: CNVD: CNVD-2018-20758 // JVNDB: JVNDB-2018-010953 // CNNVD: CNNVD-201810-550 // NVD: CVE-2018-17337

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-17337
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-17337
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2018-20758
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201810-550
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-127786
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2018-17337
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-17337
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2018-20758
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-127786
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-17337
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2018-20758 // VULHUB: VHN-127786 // VULMON: CVE-2018-17337 // JVNDB: JVNDB-2018-010953 // CNNVD: CNNVD-201810-550 // NVD: CVE-2018-17337

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-127786 // JVNDB: JVNDB-2018-010953 // NVD: CVE-2018-17337

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-550

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201810-550

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010953

PATCH

title:

NPLUG

url:

http://www.intelbras.com.br/empresarial/wi-fi/para-sua-casa/repetidor-de-sinal/nplug

Trust: 0.8

sources: JVNDB: JVNDB-2018-010953

EXTERNAL IDS

db:	NVD	id:	CVE-2018-17337	Trust: 3.3
db:	JVNDB	id:	JVNDB-2018-010953	Trust: 0.8
db:	CNVD	id:	CNVD-2018-20758	Trust: 0.6
db:	CNNVD	id:	CNNVD-201810-550	Trust: 0.6
db:	VULHUB	id:	VHN-127786	Trust: 0.1
db:	VULMON	id:	CVE-2018-17337	Trust: 0.1
db:	PACKETSTORM	id:	149730	Trust: 0.1

sources: CNVD: CNVD-2018-20758 // VULHUB: VHN-127786 // VULMON: CVE-2018-17337 // JVNDB: JVNDB-2018-010953 // PACKETSTORM: 149730 // CNNVD: CNNVD-201810-550 // NVD: CVE-2018-17337

REFERENCES

url:	http://seclists.org/fulldisclosure/2018/oct/18	Trust: 3.3
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17337	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17337	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	http://10.0.0.1/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12456	Trust: 0.1
url:	http://www.tendacn.com/en/default.html	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12455	Trust: 0.1
url:	http://www.intelbras.com.br/empresarial/wi-fi/para-sua-casa/repetidor-de-sinal/nplug	Trust: 0.1
url:	http://www.devttys0.com/2013/10/from-china-with-love/	Trust: 0.1
url:	http://www.tempest.com.br/	Trust: 0.1
url:	http://10.0.0.1/downloadcfg/routercfm.cfg	Trust: 0.1

CREDITS

Patrick Costa

Trust: 0.1

sources: PACKETSTORM: 149730

SOURCES

db:	CNVD	id:	CNVD-2018-20758
db:	VULHUB	id:	VHN-127786
db:	VULMON	id:	CVE-2018-17337
db:	JVNDB	id:	JVNDB-2018-010953
db:	PACKETSTORM	id:	149730
db:	CNNVD	id:	CNNVD-201810-550
db:	NVD	id:	CVE-2018-17337

LAST UPDATE DATE

2024-11-23T21:52:46.554000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-20758	date:	2018-10-12T00:00:00
db:	VULHUB	id:	VHN-127786	date:	2018-11-28T00:00:00
db:	VULMON	id:	CVE-2018-17337	date:	2018-11-28T00:00:00
db:	JVNDB	id:	JVNDB-2018-010953	date:	2018-12-27T00:00:00
db:	CNNVD	id:	CNNVD-201810-550	date:	2018-10-11T00:00:00
db:	NVD	id:	CVE-2018-17337	date:	2024-11-21T03:54:14.960

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2018-20758	date:	2018-10-12T00:00:00
db:	VULHUB	id:	VHN-127786	date:	2018-10-10T00:00:00
db:	VULMON	id:	CVE-2018-17337	date:	2018-10-10T00:00:00
db:	JVNDB	id:	JVNDB-2018-010953	date:	2018-12-27T00:00:00
db:	PACKETSTORM	id:	149730	date:	2018-10-09T20:32:22
db:	CNNVD	id:	CNNVD-201810-550	date:	2018-10-11T00:00:00
db:	NVD	id:	CVE-2018-17337	date:	2018-10-10T21:29:02.320