Pr0V3Rbs

**Nome do software vulnerável e versões afetadas** ASUS RT-N53 versão 3.0.0.4.376.3754 **Descrição** O problema consiste em um estouro de buffer que pode ser desencadeado por um parâmetro `lan dns1 x` ou `lan dns2 x` muito longo enviado ao endpoint “Advanced LAN Content.asp”. **Recomendações** Para o ASUS RT-N53 versão 3.0.0.4.376.3754, como solução temporária, considere restringir o acesso ao endpoint “Advanced LAN Content.asp” para minimizar o risco de exploração. Evite usar os parâmetros `lan dns1 x` e `lan dns2 x` neste endpoint até que o problema seja resolvido. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-822 versions Rev.B 202KRb06 through Rev.C 3.10B06 **Description** The issue is related to insufficient regular expression checking in the SetQoSSettings.php script of D-Link DIR-822 routers when handling the `uplink` parameter. This can be exploited by a remote attacker to execute arbitrary commands. The vulnerability affects the /HNAP1/SetQoSSettings message, where the `uplink` parameter is saved in internal configuration memory without regex checking. The data is then used with the `tc` command in the `bwc tc spq start`, `bwc tc wfq start`, and `bwc tc adb start` functions of the bwcsvcs.php source code, allowing for potential command execution. A vulnerable /HNAP1/SetQoSSettings XML message could contain shell metacharacters in the `uplink` element. **Recommendations** For D-Link DIR-822 Rev.B 202KRb06 and Rev.C 3.10B06 devices, consider disabling the `SetQoSSettings.php` script until a patch is available to prevent exploitation of the `uplink` parameter. Restrict access to the `/HNAP1/SetQoSSettings` API endpoint to minimize the risk of exploitation. Avoid using the `uplink` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-822 B1 version 202KRb06 **Description** The issue is related to insufficient checking of arguments passed to a command when handling the `WPSPIN` parameter in the SetWiFiVerifyAlpha.php script. This could allow a remote attacker to impact the integrity, availability, and confidentiality of protected information. The vulnerability is exploited through the `/HNAP1/SetWiFiVerifyAlpha` message, where the `WPSPIN` parameter can contain shell metacharacters, such as the `telnetd` string. In the affected devices, the `WPSPIN` parameter is saved in internal configuration memory without regex checking and is later used with the wpatalk command, also without any regex checking. **Recommendations** For D-Link DIR-822 B1 version 202KRb06, as a temporary workaround, consider disabling the `do wps` function in the wps.php source code until a patch is available. Restrict access to the `/HNAP1/SetWiFiVerifyAlpha` API endpoint to minimize the risk of exploitation. Avoid using the `WPSPIN` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-822 versions Rev.B 202KRb06 through Rev.C 3.10B06 D-Link DIR-860L version Rev.B 2.03.B03 D-Link DIR-868L version Rev.B 2.05B02 D-Link DIR-880L version Rev.A 1.20B01 01 i3se BETA D-Link DIR-890L version Rev.A 1.21B02 BETA **Description** The issue arises from the mishandling of the IsAccessPoint parameter in the /HNAP1/SetAccessPointMode endpoint. Specifically, the SetAccessPointMode.php source code saves this parameter in the ShellPath script file without any regex checking, leading to command injection when the script file is executed. An attacker could exploit this by sending a vulnerable /HNAP1/SetAccessPointMode XML message containing shell metacharacters in the IsAccessPoint element, such as the `telnetd` string. **Recommendations** For D-Link DIR-822 Rev.B 202KRb06 through Rev.C 3.10B06, consider disabling the SetAccessPointMode.php function until a patch is available. For D-Link DIR-860L Rev.B 2.03.B03, restrict access to the /HNAP1/SetAccessPointMode endpoint to minimize the risk of exploitation. For D-Link DIR-868L Rev.B 2.05B02, avoid using the IsAccessPoint parameter in the /HNAP1/SetAccessPointMode endpoint until the issue is resolved. For D-Link DIR-880L Rev.A 1.20B01 01 i3se BETA and D-Link DIR-890L Rev.A 1.21B02 BETA, as a temporary workaround, consider disabling the `telnetd` string execution in the ShellPath script file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-868L Rev.B version 2.05B02 **Description** The issue arises from the lack of proper sanitization of special elements in the `AudioMute` and `AudioEnable` parameters within the `/HNAP1/SetClientInfoDemo` message. This allows for command injection when the `SetClientInfoDemo.php` script saves these parameters to the `ShellPath` script file without proper regex checking. An attacker can exploit this by crafting an XML message with single quotes and backquotes in the `AudioMute` or `AudioEnable` elements, such as the '`telnetd`' string, to bypass the `wget` command option. This could enable a remote attacker to execute arbitrary commands. **Recommendations** For D-Link DIR-868L Rev.B version 2.05B02, as a temporary workaround, consider disabling the `SetClientInfoDemo.php` script until a patch is available. Restrict access to the `/HNAP1/SetClientInfoDemo` API endpoint to minimize the risk of exploitation. Avoid using the `AudioMute` and `AudioEnable` parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-818LW Rev.A version 2.05.B03 D-Link DIR-822 B1 version 202KRb06 **Description** The issue affects the /HNAP1/SetRouterSettings message, where the `RemotePort` parameter is vulnerable. This vulnerability can be exploited by sending a specially crafted XML message with shell metacharacters in the `RemotePort` element, such as the `telnetd` string. The lack of regex checking in the SetRouterSettings.php source code and the IPTWAN build command function of the iptwan.php source code allows the exploitation of this issue. Successful exploitation can allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For D-Link DIR-818LW Rev.A version 2.05.B03, consider disabling the `RemotePort` parameter in the /HNAP1/SetRouterSettings message until a patch is available. For D-Link DIR-822 B1 version 202KRb06, restrict access to the IPTWAN build command function in the iptwan.php source code to minimize the risk of exploitation. Avoid using the `RemotePort` parameter in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: D-Link DIR-818LW Rev.A version 2.05.B03 D-Link DIR-860L Rev.B version 2.03.B03 Description: The issue allows for unauthenticated remote OS command execution in the soap.cgi service of the cgibin binary. This can be achieved via an "&&" substring in the `service` parameter. The problem arises due to incomplete privilege management in the soapcgi main function of the soap.cgi script, located at /htdocs/cgibin/soap.cgi, which can enable a remote attacker to execute arbitrary OS commands. Recommendations: For D-Link DIR-818LW Rev.A version 2.05.B03, consider disabling the soap.cgi service until a patch is available. For D-Link DIR-860L Rev.B version 2.03.B03, restrict access to the cgibin binary to minimize the risk of exploitation. Avoid using the `service` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.