[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: D-LINK Central WifiManager CWM-100 Server Side Request Forgery CVE-2018-15517
From: apparitionsec () gmail ! com
Date: 2018-11-18 4:50:13
Message-ID: 201811180450.wAI4oDQx013839 () ip-100-122-145-1 ! us-east-1 ! ec2 ! aws ! symcpe ! net
[Download RAW message or body]
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: ApparitionSec
***Greetz: indoushka | Eduardo B.***
[Vendor]
us.dlink.com
[Product]
D-LINK Central WifiManager (CWM 100)
Version 1.03 r0098
http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/
D-Link’s free Central WiFiManager is a web-based wireless Access Point management \
tool, enabling you to create and manage multi-site, multi-tenancy wireless networks.
[Vulnerability Type]
Server Side Request Forgery
[Affected Component]
MailConnect
[CVE Reference]
CVE-2018-15517
[Security Issue]
Using a web browser or script SSRF can be initiated against internal/external systems \
to conduct port scans by leveraging D-LINKs MailConnect component.
The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is \
intended to check a connection to an SMTP server but actually allows outbound TCP to \
any port on any IP address, leading to SSRF, as demonstrated by an \
index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine \
accountability of where scan or connections actually came from and or bypass the FW \
etc. This can be automated via script or using Web Browser.
[Exploit/POC]
https://VICTIM-IP/index.php/System/MailConnect/host/port/secure/
reply: OK
Scan internal port 22 SSH:
https://VICTIM-IP/index.php/System/MailConnect/host/VICTIM-IP/port/22/secure/
reply: OK
[Network Access]
Remote
[Severity]
Medium
[Disclosure Timeline]
Vendor Notification: August 8, 2018
Vendor acknowledgement: August 8, 2018
CVE assigned Mitre: August 18, 2018
Request update: August 31, 2018
No reply from vendor
Request update: September 6, 2018
Vendor: "R&D has begun this month to patch your report." : September 12, 2018
Request update: October 3, 2018
Vendor: "will release a new beta for QA verification by end of this month 10'2018."
Request update: October 16, 2018
no reply from vendor
Request update: October 23, 2018
Vendor: "It still is schedule to be released by the 31st." : October 23, 2018
Inform vendor of disclosure by November 8, 2018 : October 31, 2018
No reply from vendor
November 8, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties \
or guarantees of fitness of use or otherwise. Permission is hereby granted for the \
redistribution of this advisory, provided that it is not altered except by \
reformatting it, and that due credit is given. Permission is explicitly given for \
insertion in vulnerability databases and similar, provided that due credit is given \
to the author. The author is not responsible for any misuse of the information \
contained herein and accepts no responsibility for any damage caused by the use or \
misuse of this information. The author prohibits any malicious use of security \
related information or exploits by the author or elsewhere. All content (c).
hyp3rlinx
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic