CVE-2018-19988
https://notcve.org/view.php?id=CVE-2018-19988
In the /HNAP1/SetClientInfoDemo message, the AudioMute and AudioEnable parameters are vulnerable, and the vulnerabilities affect D-Link DIR-868L Rev.B 2.05B02 devices. In the SetClientInfoDemo.php source code, the AudioMute and AudioEnble parameters are saved in the ShellPath script file without any regex checking. After the script file is executed, the command injection occurs. It needs to bypass the wget command option with a single quote. A vulnerable /HNAP1/SetClientInfoDemo XML message could have single quotes and backquotes in the AudioMute or AudioEnable element, such as the '`telnetd`' string. • https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2018-19987
https://notcve.org/view.php?id=CVE-2018-19987
D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code, the IsAccessPoint parameter is saved in the ShellPath script file without any regex checking. After the script file is executed, the command injection occurs. A vulnerable /HNAP1/SetAccessPointMode XML message could have shell metacharacters in the IsAccessPoint element such as the `telnetd` string. Se descubrió un problema en los dispositivos de D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA, manejan incorrectamente el parámetro IsAccessPoint en el archivo /HNAP1/SetAccessPointMode. • https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2018-19986
https://notcve.org/view.php?id=CVE-2018-19986
In the /HNAP1/SetRouterSettings message, the RemotePort parameter is vulnerable, and the vulnerability affects D-Link DIR-818LW Rev.A 2.05.B03 and DIR-822 B1 202KRb06 devices. In the SetRouterSettings.php source code, the RemotePort parameter is saved in the $path_inf_wan1."/web" internal configuration memory without any regex checking. And in the IPTWAN_build_command function of the iptwan.php source code, the data in $path_inf_wan1."/web" is used with the iptables command without any regex checking. • https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2018-19300
https://notcve.org/view.php?id=CVE-2018-19300
On D-Link DAP-1530 (A1) before firmware version 1.06b01, DAP-1610 (A1) before firmware version 1.06b01, DWR-111 (A1) before firmware version 1.02v02, DWR-116 (A1) before firmware version 1.06b03, DWR-512 (B1) before firmware version 2.02b01, DWR-711 (A1) through firmware version 1.11, DWR-712 (B1) before firmware version 2.04b01, DWR-921 (A1) before firmware version 1.02b01, and DWR-921 (B1) before firmware version 2.03b01, there exists an EXCU_SHELL file in the web directory. By sending a GET request with specially crafted headers to the /EXCU_SHELL URI, an attacker could execute arbitrary shell commands in the root context on the affected device. Other devices might be affected as well. En D-Link DAP-1530 (A1) anterior a la versión de firmware 1.06b01, DAP-1610 (A1) anterior a la versión de firmware 1.06b01, DWR-111 (A1) anterior a la versión de firmware 1.02v02, DWR-116 (A1) anterior a la versión de firmware 1.06b03, DWR-512 (B1) anterior a la versión de firmware 2.02b01, DWR-711 (A1) hasta la versión de firmware 1.11, DWR-712 (B1) anterior a la versión de firmware 2.04b01, DWR-921 (A1) anterior a la versión de firmware 1.02b01, y DWR-921 (B1) anterior a la versión de firmware 2.03b01, existe un archivo EXCU_SHELL en el directorio web. Al enviar una petición GET con cabeceras especialmente diseñadas a la URI /EXCU_SHELL, un atacante podría ejecutar comandos shell arbitrarios en el contexto raíz del dispositivo afectado. • https://community.greenbone.net/t/cve-2018-19300-remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers/1772 https://eu.dlink.com/de/de/support/support-news/2019/march/19/remote-command-execution-vulnerability-in-d-link-dwr-and-dap-routers https://www.greenbone.net/en/serious-vulnerability-discovered-in-d-link-routers https://www.greenbone.net/schwerwiegende-sicherheitsluecke-in-d-link-routern-entdeckt • CWE-20: Improper Input Validation •
CVE-2019-9125
https://notcve.org/view.php?id=CVE-2019-9125
An issue was discovered on D-Link DIR-878 1.12B01 devices. Because strncpy is misused, there is a stack-based buffer overflow vulnerability that does not require authentication via the HNAP_AUTH HTTP header. Se ha descubierto un problema en dispositivos D-Link DIR-878 1.12B01. Debido a que strncpy se emplea de manera incorrecta, hay una vulnerabilidad de desbordamiento de búfer basada en pila que no requiere autenticación mediante la cabecera HNAP_AUTH HTTP. • https://github.com/WhooAmii/whooamii.github.io/blob/master/2018/DIR-878/overflow1.md https://github.com/WhooAmii/whooamii.github.io/blob/master/2018/DIR-878/overflow2.md • CWE-306: Missing Authentication for Critical Function CWE-787: Out-of-bounds Write •