lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 12 Oct 2018 16:54:08 +0200
From: Błażej Adamczyk <blazej.adamczyk@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Multiple vulnerabilities in D-Link routers

              ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
               MULTIPLE VULNERABILITIES IN D-LINK ROUTERS


                         Blazej Adamczyk (br0x)
                       blazej.adamczyk@...il.com
                          http://sploit.tech/
              ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


                               12.10.2018


1 Directory Traversal in httpd server in several series of D-Link
routers
═══════════════════════════════════════════════════════════════════════
══

  CVE: CVE-2018-10822

  CVSS v3: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

  Directory traversal vulnerability in the web interface on D-Link
  routers:
  • DWR-116 through 1.06,
  • DIR-140L through 1.02,
  • DIR-640L through 1.02,
  • DWR-512 through 2.02,
  • DWR-712 through 2.02,
  • DWR-912 through 2.02,
  • DWR-921 through 2.02,
  • DWR-111 through 1.01,
  • and probably others with the same type of firmware

  allows remote attackers to read arbitrary files via a /.. or // after
  "GET /uir" in an HTTP request.

  NOTE: this vulnerability exists because of an incorrect fix for
  CVE-2017-6190.

  PoC:
  ┌────
  │ $ curl http://routerip/uir//etc/passwd
  └────

  The vulnerability can be used retrieve administrative password using
  the other disclosed vulnerability - CVE-2018-10824

  This vulnerability was reported previously by Patryk Bogdan in
  CVE-2017-6190 but he reported it is fixed in certain release but
  unfortunately it is still present in even newer releases. The
  vulnerability is also present in other D-Link routers and can be
  exploited not only (as the original author stated) by double dot but
  also absolutely using double slash.


2 Password stored in plaintext in several series of D-Link routers
══════════════════════════════════════════════════════════════════

  CVE: CVE-2018-10824

  An issue was discovered on D-Link routers:
  • DWR-116 through 1.06,
  • DIR-140L through 1.02,
  • DIR-640L through 1.02,
  • DWR-512 through 2.02,
  • DWR-712 through 2.02,
  • DWR-912 through 2.02,
  • DWR-921 through 2.02,
  • DWR-111 through 1.01,
  • and probably others with the same type of firmware.

  NOTE: I have changed the filename in description to XXX because the
  vendor leaves some EOL routers unpatched and the attack is too
simple.

  The administrative password is stored in plaintext in the /tmp/XXX/0
  file. An attacker having a directory traversal (or LFI) can easily
get
  full router access.

  PoC using the directory traversal vulnerability disclosed at the same
  time - CVE-2018-10822

  ┌────
  │ $ curl http://routerip/uir//tmp/XXX/0
  └────

  This command returns a binary config file which contains admin
  username and password as well as many other router configuration
  settings. By using the directory traversal vulnerability it is
  possible to read the file without authentication.


3 Shell command injection in httpd server of a several series of D-Link 
routers
═══════════════════════════════════════════════════════════════════════
════════

  CVE: CVE-2018-10823

  CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

  An issue was discovered on D-Link routers:
  • DWR-116 through 1.06,
  • DWR-512 through 2.02,
  • DWR-712 through 2.02,
  • DWR-912 through 2.02,
  • DWR-921 through 2.02,
  • DWR-111 through 1.01,
  • and probably others with the same type of firmware.

  An authenticated attacker may execute arbitrary code by injecting the
  shell command into the chkisg.htm page Sip parameter. This allows for
  full control over the device internals.

  PoC:
  1. Login to the router.
  2. Request the following URL after login:
     ┌────
     │ $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20
%2Fetc%2Fpasswd
     └────
  3. See the passwd file contents in the response.


4 Exploiting all together
═════════════════════════

  CVSS v3: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

  Taking all the three together it is easy to gain full router control
  including arbitrary code execution.

  Description with video: [http://sploit.tech/2018/10/12/D-Link.html]


5 Timeline
══════════

  • 09.05.2018 - vendor notified
  • 06.06.2018 - asked vendor about the status because of long vendor
    response
  • 22.06.2018 - received a reply that a patch will be released for
    DWR-116 and DWR-111, for the other devices which are EOL an
    announcement will be released
  • 09.09.2018 - still no reply from vendor about the patches or
    announcement, I have warned the vendor that if I will not get a
    reply in a month I will publish the disclosure
  • 12.10.2018 - disclosing the vulnerabilities

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ