多款D-Link产品安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1357749 漏洞类型 信息泄露
发布时间 2018-10-12 更新时间 2019-10-23
CVE编号 CVE-2018-10824 CNNVD-ID CNNVD-201810-1014
漏洞平台 Hardware CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/45677
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201810-1014
|漏洞详情
D-Link DWR-116等都是友讯(D-Link)公司的无线路由器产品。 多款D-Link产品中存在安全漏洞,该漏洞源于程序将管理密码以明文的形式存储在/tmp/csman/0文件。攻击者可利用该漏洞获取路由器全部的访问权限。以下产品和版本受到影响:D-Link DWR-116 1.06及之前版本;DIR-140L 1.02及之前版本;DIR-640L 1.02及之前版本;DWR-512 2.02及之前版本;DWR-712 2.02及之前版本;DWR-912 2.02及之前版本;DWR-921 2.02及之前版本;DWR-111 1.01及之前版本。
|漏洞EXP
## Password stored in plaintext
CVE: CVE-2018-10824

Description:

An issue was discovered on D-Link routers:

DWR-116 through 1.06,
DIR-140L through 1.02,
DIR-640L through 1.02,
DWR-512 through 2.02,
DWR-712 through 2.02,
DWR-912 through 2.02,
DWR-921 through 2.02,
DWR-111 through 1.01,
and probably others with the same type of firmware.
NOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple

The administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.

PoC using the directory traversal vulnerability disclosed above - CVE-2018-10822

`$ curl http://routerip/uir//tmp/XXX/0`
This command returns a binary config file which contains admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability it is possible to read the file without authentication.
|参考资料

来源:sploit.tech

链接:http://sploit.tech/2018/10/12/D-Link.html


来源:seclists.org

链接:https://seclists.org/fulldisclosure/2018/Oct/36