Multiple vulnerabilities in DASAN H660RM GPON router firmware
CVE-2019-9974: diag_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 allows spawning ping processes without any authorization, leading to information disclosure and DoS attacks
A remote attacker could enumerate hosts on the LAN interface by sending requests to /cgi-bin/diag_tool.cgi with the ip parameter set to the target IP address. The lack of authorization in /cgi-bin/diag_get_result.cgi allows retrieval of the results. Each call to diag_get_result.cgi retrieves one line of ping (or traceroute) output.
The same CGI script has another weakness, CWE-400: Uncontrolled Resource Consumption, which allows a memory exhaustion Denial of Service (DoS) attack against the device. Around 170 spawned ping processes is enough to cause a crash and reboot of the router. A PoC exploit is available.
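As an added detection example (not part of the advisory and not DASAN's code), the following Python scans HTTP access-log lines for calls to the two diagnostic CGIs and reports a client that issues a burst of diag_tool.cgi calls long before the ~170 processes the advisory says crash the router. It assumes the router's web-server requests are logged or forwarded in Common Log Format; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
DIAG_TOOL, DIAG_RESULT = "/cgi-bin/diag_tool.cgi", "/cgi-bin/diag_get_result.cgi"

def parse_line(line):
    # Returns (src, timestamp, path without query string, full request path), or None.
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["src"], datetime.strptime(m["ts"], TS_FMT), m["path"].split("?", 1)[0], m["path"]

def detect(lines, window_s=60, burst_threshold=20):
    # Every hit on the diag CGIs is reported (they should require a login); a source issuing
    # burst_threshold or more diag_tool.cgi calls within window_s seconds is reported once
    # as a ping-spawn burst, well below the ~170 processes the advisory says crash the router.
    alerts, recent, burst_reported = [], defaultdict(deque), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in (DIAG_TOOL, DIAG_RESULT):
            continue
        src, ts, path, full = parsed
        alerts.append(("diag_cgi_call", src, full))
        if path != DIAG_TOOL:
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop calls outside the window
            q.popleft()
        if len(q) >= burst_threshold and src not in burst_reported:
            burst_reported.add(src)
            alerts.append(("ping_spawn_burst", src, f"{len(q)} diag_tool.cgi calls in {window_s}s"))
    return alerts

# Constructed sample log lines (not taken from the advisory): one normal session plus
# a burst of 25 diag_tool.cgi calls from a second client within 25 seconds.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [12/Mar/2019:10:00:05 +0000] "GET /cgi-bin/diag_tool.cgi?ip=10.0.0.1 HTTP/1.1" 200 12',
    '192.0.2.10 - - [12/Mar/2019:10:00:06 +0000] "GET /cgi-bin/diag_get_result.cgi HTTP/1.1" 200 64',
] + [
    f'198.51.100.7 - - [12/Mar/2019:10:05:{i:02d} +0000] "GET /cgi-bin/diag_tool.cgi?ip=10.0.0.{i + 1} HTTP/1.1" 200 12'
    for i in range(25)
]
```

Calling detect(SAMPLE_LOG) returns one diag_cgi_call entry per CGI hit and a single ping_spawn_burst entry for 198.51.100.7 once its 20th call lands inside the 60 s window.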
----------
CVE-2019-9975: syslog_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 uses a hard-coded key for log encryption
DASAN uses a hard-coded key “dasanektks123” for log encryption. Data stored using this key can be decrypted by anyone able to access this key.
----------
CVE-2019-9976: Boa Webserver on DASAN H660RM devices with firmware 1.03-0022 saves POST data, including credentials, to /tmp/boa-temp
Exploitation is possible for users logged in over telnet or SSH. If a user has logged in through the Web UI, then until they make any other POST request, their credentials can be retrieved with:
$ cat /tmp/boa-temp
StatusActionFlag=-1&Username=admin&Password=vertex25