CVE-2017-8406
Dlink DCS-1130 Command Injection / CSRF / Stack Overflow
Public Exploits: 1
Exploited in Wild: -
Descriptions
An issue was discovered on D-Link DCS-1130 devices. The device provides a crossdomain.xml file with no restrictions on who can access the web server. This allows a Flash file hosted on any domain to make calls to the device's web server and pull any information that is stored on the device. In this case, the user's credentials are stored in clear text on the device and can be pulled easily. The device also does not appear to implement any cross-site request forgery protection mechanism, which allows an attacker to trick a user who is logged in to the web management interface into executing a cross-site flashing attack in the user's browser and to execute any action that the web management interface provides on the device. The attack described steals the credentials from the response of tools_admin.cgi and displays them inside a text field.
Dlink DCS-1130 suffers from command injection, cross-site request forgery, stack overflow, and various other vulnerabilities.
SSVC
- Decision: -
Timeline
- 2017-05-02 CVE Reserved
- 2019-06-07 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2024-11-22 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
References (3)
URL | Tag | Source |
---|---|---|
http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html | Third Party Advisory | |
https://seclists.org/bugtraq/2019/Jun/8 | Mailing List | |

URL | Date | SRC |
---|---|---|
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf | 2024-08-05 | |
Affected Vendors, Products, and Versions
 | Vendor | Product | Version | Other | Status |
---|---|---|---|---|---|
 | Dlink | Dcs-1130 Firmware | - | - | Affected |
in | Dlink | Dcs-1130 | - | - | Safe |