D-Link DIR-615 XSS Via the UPnP Protocol
Vendor: D-Link
Product: DIR-615
Version: 20.07
Hardware Version: T1
Vendor Homepage: http://us.dlink.com/
CVE: CVE-2018-15875
NVD: CVE-2018-15875
Vulnerability detail
Verification Steps:
- Connect to the D-Link DIR-615 router.
- Run the xss_upnp.py script with the -d switch to start UPnP discovery (SSDP, the Simple Service Discovery Protocol) and retrieve the "upnp:rootdevice" UUID.
- Two results should be displayed in the terminal: http://192.168.0.1:5431/igdevicedesc.xml and http://192.168.0.1:54217/simplecfg.xml.
- Navigate to http://192.168.0.1:5431/igdevicedesc.xml to retrieve the UPnP control URL.
- Set the 'url' variable in the xss_upnp.py script to the control URL, e.g. http://192.168.0.1:5431/control/WANIPConnection.
- Set the "NewPortMappingDescription" field in the "add_port_mapping" function to an HTML element that carries JavaScript in an attribute, e.g. <img src="" onerror=alert("XSS") /> (a <script> tag caused the page to fail to load, but JavaScript in an attribute worked).
- Run the xss_upnp.py script with the -m switch to add the port mapping.
- If successful, the router should return an XML acknowledgement similar to this:
  <?xml version="1.0"?>
  <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
    <s:Body>
      <u:AddPortMappingResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      </u:AddPortMappingResponse>
    </s:Body>
  </s:Envelope>
- Navigate to the router's Advanced->UPnP page to verify the XSS.
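The root cause behind these steps is that the value of NewPortMappingDescription, accepted over the LAN from any UPnP client without authentication, is stored and later written into the Advanced->UPnP page without output encoding. The example below is added here as an illustration of the fix on the device side; it is not the advisory's xss_upnp.py script and not D-Link firmware code, whose actual request handler is not on this page. It models a WANIPConnection:1 AddPortMapping handler that allowlists the description on input, answers a rejected argument with the standard UPnP 402 "Invalid Args" SOAP fault, and HTML-escapes the stored value when rendering the management page. The SOAP request it feeds itself is constructed locally and never sent to a device; the render functions and the character allowlist are this example's own assumptions about how such a page is built.

```python
import html
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Assumed allowlist for a port-mapping description: ASCII letters, digits,
# space and a few harmless punctuation marks, 1-64 characters. Angle brackets,
# quotes, parentheses and anything non-ASCII are rejected before storage.
DESCRIPTION_RE = re.compile(r"^[A-Za-z0-9 ._:@-]{1,64}$")


def constructed_request(description: str) -> str:
    """Build a WANIPConnection:1 AddPortMapping SOAP body as constructed test input.

    Used only to exercise the handler below; it is never sent anywhere. The
    description is XML-escaped so the document parses whatever it contains.
    """
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}">
  <s:Body>
    <u:AddPortMapping xmlns:u="{WANIP_NS}">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>8080</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>8080</NewInternalPort>
      <NewInternalClient>192.168.0.100</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>{xml_escape(description)}</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""


def extract_description(soap_xml: str) -> str:
    """Pull NewPortMappingDescription out of an AddPortMapping request."""
    root = ET.fromstring(soap_xml)
    action = root.find(f".//{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    node = action.find("NewPortMappingDescription")
    return (node.text or "") if node is not None else ""


def validate_description(description: str) -> bool:
    """Input-side check: accept only allowlisted characters."""
    return DESCRIPTION_RE.fullmatch(description) is not None


def render_row_unsafe(description: str) -> str:
    """The pattern the advisory describes: value dropped into the page verbatim."""
    return f"<tr><td>{description}</td></tr>"


def render_row(description: str) -> str:
    """Output-side fix: HTML-escape the value, quotes included."""
    return f"<tr><td>{html.escape(description, quote=True)}</td></tr>"


def upnp_invalid_args_fault() -> str:
    """SOAP fault a UPnP service returns for a rejected argument (UPnP error 402)."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <s:Fault>
      <faultcode>s:Client</faultcode>
      <faultstring>UPnPError</faultstring>
      <detail>
        <UPnPError xmlns="urn:schemas-upnp-org:control-1-0">
          <errorCode>402</errorCode>
          <errorDescription>Invalid Args</errorDescription>
        </UPnPError>
      </detail>
    </s:Fault>
  </s:Body>
</s:Envelope>"""


def handle_add_port_mapping(soap_xml: str) -> tuple[bool, str]:
    """Model of the device-side handler: validate on input, escape on output.

    Returns (accepted, payload): the 402 fault body when the description is
    rejected, otherwise the escaped table row the management page would show.
    """
    description = extract_description(soap_xml)
    if not validate_description(description):
        return False, upnp_invalid_args_fault()
    return True, render_row(description)


if __name__ == "__main__":
    for desc in ("Xbox Live 3074", '<img src="" onerror=alert("XSS") />'):
        accepted, out = handle_add_port_mapping(constructed_request(desc))
        print("accepted" if accepted else "rejected", repr(desc), "->", out.splitlines()[0])
```

Both layers matter: the allowlist stops the value from ever being stored, and the escaping protects mappings that were stored before the fix or that arrive through any other path into the same page. Note that the advisory's payload passes through the SOAP parser untouched, since XML escaping on the wire is reversed by the parser; the defence has to happen after extraction, not rely on the transport.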

