CVE-2017-8413
CVSS V2 High 8.3
CVSS V3 High 8.8
Description
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device runs a custom daemon on UDP port 5978 which is called "dldps2121" and listens for broadcast packets sent on 255.255.255.255. This daemon handles custom D-Link UDP based protocol that allows D-Link mobile applications and desktop applications to discover D-Link devices on the local network. The binary processes the received UDP packets sent from any device in "main" function. One path in the function traverses towards a block of code that handles commands to be executed on the device. The custom protocol created by D-Link follows the following pattern: Packetlen, Type of packet; M=MAC address of device or broadcast; D=Device Type;C=base64 encoded command string;test=1111. If a packet is received with the packet type being "S" or 0x53 then the string passed in the "C" parameter is base64 decoded and then executed by passing into a System API. We can see at address 0x00009B44 that the string received in packet type subtracts 0x31 or "1" from the packet type and is compared against 0x22 or "double quotes". If that is the case, then the packet is sent towards the block of code that executes a command. Then the value stored in "C" parameter is extracted at address 0x0000A1B0. Finally, the string received is base 64 decoded and passed on to the system API at address 0x0000A2A8 as shown below. The same form of communication can be initiated by any process including an attacker process on the mobile phone or the desktop and this allows a third-party application on the device to execute commands on the device without any authentication by sending just 1 UDP packet with custom base64 encoding.
Overview
- CVE ID
- CVE-2017-8413
- Assigner
- cve@mitre.org
- Vulnerability Status
- Analyzed
- Published Version
- 2019-07-02T21:15:10
- Last Modified Date
- 2021-04-23T16:47:27
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| AND | ||||
| cpe:2.3:o:dlink:dcs-1130_firmware:-:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:h:dlink:dcs-1130:-:*:*:*:*:*:*:* | 0 | OR | ||
| AND | ||||
| cpe:2.3:o:dlink:dcs-1100_firmware:-:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:h:dlink:dcs-1100:-:*:*:*:*:*:*:* | 0 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:A/AC:L/Au:N/C:C/I:C/A:C
- Access Vector
- ADJACENT_NETWORK
- Access Compatibility
- LOW
- Authentication
- NONE
- Confidentiality Impact
- COMPLETE
- Integrity Impact
- COMPLETE
- Availability Impact
- COMPLETE
- Base Score
- 8.3
- Severity
- HIGH
- Exploitability Score
- 6.5
- Impact Score
- 10
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector
- ADJACENT_NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- HIGH
- Base Score
- 8.8
- Base Severity
- HIGH
- Exploitability Score
- 2.8
- Impact Score
- 5.9
References
| Reference URL | Reference Tags |
|---|---|
| http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html | Third Party Advisory VDB Entry |
| https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf | Not Applicable Third Party Advisory |
| https://seclists.org/bugtraq/2019/Jun/8 | Mailing List Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2017-8413 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8413 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 07:14:31 | Added to TrackCVE | |||
| 2022-12-03 22:46:24 | 2019-07-02T21:15Z | 2019-07-02T21:15:10 | CVE Published Date | updated |
| 2022-12-03 22:46:24 | 2021-04-23T16:47:27 | CVE Modified Date | updated | |
| 2022-12-03 22:46:24 | Analyzed | Vulnerability Status | updated |