Rocksolid Light
Subject: Re: if you are still using dlink router with original firmware
From: Guest
Newsgroups: rocksolid.shared.security
Organization: Dancing elephants
Date: Sat, 22 Dec 2018 00:37 UTC
References: 1
Dlink scores again: https://github.com/RootSoull/Vuln-Poc/tree/master/D-Link/DIR-816

The next army of botnet zombies...
Posted on: def3.i2p


Subject: if you are still using dlink router with original firmware
From: anon
Newsgroups: rocksolid.shared.security
Organization: def4
Date: Fri, 19 Oct 2018 08:56 UTC
References: 1

you might want to think again:

http://sploit.tech/2018/10/12/D-Link.html

I think dlink has by now one of the worst track records in their field, both for code quality and for zero effort to fix anything. Unbelievable. Hey security manager at dlink, what is your day job?

-------------------------


D-Link routers - full takeover

Oct 12, 2018

I have found multiple vulnerabilities in the D-Link router httpd server. These vulnerabilities are present in multiple types of D-Link routers. All three taken together allow taking full control over the router, including code execution.

1. Directory Traversal

CVE: CVE-2018-10822

CVSS v3: 8.6
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Description: Directory traversal vulnerability in the web interface on D-Link routers:

    DWR-116 through 1.06,
    DIR-140L through 1.02,
    DIR-640L through 1.02,
    DWR-512 through 2.02,
    DWR-712 through 2.02,
    DWR-912 through 2.02,
    DWR-921 through 2.02,
    DWR-111 through 1.01,
    and probably others with the same type of firmware

allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request.

NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.

PoC:

$ curl http://routerip/uir//etc/passwd

The vulnerability can be used to retrieve the administrative password using the other disclosed vulnerability - CVE-2018-10824.

This vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190, but he reported it as fixed in a certain release; unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by a double dot but also by a double slash.

2. Password stored in plaintext

CVE: CVE-2018-10824

Description:

An issue was discovered on D-Link routers:

    DWR-116 through 1.06,
    DIR-140L through 1.02,
    DIR-640L through 1.02,
    DWR-512 through 2.02,
    DWR-712 through 2.02,
    DWR-912 through 2.02,
    DWR-921 through 2.02,
    DWR-111 through 1.01,
    and probably others with the same type of firmware.

NOTE: I have changed the filename in the description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple.

The administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.

PoC using the directory traversal vulnerability disclosed above - CVE-2018-10822

$ curl http://routerip/uir//tmp/XXX/0

This command returns a binary config file which contains the admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability it is possible to read the file without authentication.

3. Shell command injection

CVE: CVE-2018-10823

CVSS v3: 9.1
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description: An issue was discovered on D-Link routers:

    DWR-116 through 1.06,
    DWR-512 through 2.02,
    DWR-712 through 2.02,
    DWR-912 through 2.02,
    DWR-921 through 2.02,
    DWR-111 through 1.01,
    and probably others with the same type of firmware.

An authenticated attacker may execute arbitrary code by injecting a shell command into the Sip parameter of the chkisg.htm page. This allows for full control over the device internals.

PoC:

    Login to the router.
    Request the following URL after login:

    $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd

    See the passwd file contents in the response.

Exploiting all together

Taking all the three together it is easy to gain full router control including arbitrary code execution.

Suggested CVSS v3 for all three (1-3): 10.0
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Video:

Timeline:

    09.05.2018 - vendor notified
    06.06.2018 - asked vendor about the status because of long vendor response
    22.06.2018 - received a reply that a patch will be released for DWR-116 and DWR-111; for the other devices, which are EOL, an announcement will be released
    09.09.2018 - still no reply from vendor about the patches or announcement; I have warned the vendor that if I do not get a reply within a month I will publish the disclosure
    12.10.2018 - disclosing the vulnerabilities


Posted on def4.i2p
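Added example, not code from the post above or from the sploit.tech write-up: the D-Link httpd source is not public, so the snippet below is a hypothetical Python model of the bug class behind CVE-2018-10822, where a fix blacklists ".." (the CVE-2017-6190 style fix) but still lets "/uir//etc/passwd" leave the web root. The mechanism shown is one plausible cause of the double-slash bypass, not a verified reading of the firmware: once the "/uir/" prefix is stripped, "/etc/passwd" is an absolute path and posixpath.join() throws the root away. WEBROOT, UIR_ROOT and the function names are my own; the hardened version canonicalizes and then checks containment instead of blacklisting.

```python
"""Hypothetical model of an incorrect traversal fix beside a hardened form.
Added example; not the D-Link httpd code. Paths and names are assumptions."""
import posixpath
from urllib.parse import unquote

WEBROOT = "/www"                           # hypothetical document root
UIR_PREFIX = "/uir"                        # URL prefix from the PoC
UIR_ROOT = posixpath.join(WEBROOT, "uir")  # directory /uir/ is meant to serve from


def vulnerable_resolve(url_path):
    """The incorrect-fix pattern: reject '..', then join. Returns (served, fs_path)."""
    path = unquote(url_path)               # decode first so %2e%2e cannot slip past
    if ".." in path:                       # CVE-2017-6190 style blacklist
        return (False, None)
    if not path.startswith(UIR_PREFIX + "/"):
        return (False, None)
    rest = path[len(UIR_PREFIX) + 1:]      # "/uir//etc/passwd" -> "/etc/passwd"
    # 'rest' is absolute, so join() discards UIR_ROOT and yields "/etc/passwd".
    fs_path = posixpath.join(UIR_ROOT, rest)
    return (True, posixpath.normpath(fs_path))


def hardened_resolve(url_path):
    """Canonicalize, then enforce containment; no blacklist at all."""
    path = unquote(url_path)
    if not path.startswith(UIR_PREFIX + "/"):
        return (False, None)
    rest = path[len(UIR_PREFIX) + 1:]
    # lstrip('/') stops a leading slash from resetting the join; normpath folds
    # '.', '..' and repeated slashes so the prefix test below is meaningful.
    candidate = posixpath.normpath(posixpath.join(UIR_ROOT, rest.lstrip("/")))
    if candidate != UIR_ROOT and not candidate.startswith(UIR_ROOT + "/"):
        return (False, None)
    # A real server must also resolve symlinks (os.path.realpath, or open with
    # O_NOFOLLOW / openat2 RESOLVE_BENEATH) before trusting this lexical test.
    return (True, candidate)


def compare(url_path):
    """Side-by-side result of both resolvers for one request."""
    return {"vulnerable": vulnerable_resolve(url_path),
            "hardened": hardened_resolve(url_path)}


if __name__ == "__main__":
    for req in ("/uir/index.html", "/uir/../etc/passwd",
                "/uir//etc/passwd", "/uir/%2e%2e/%2e%2e/etc/passwd"):
        print(req, compare(req))
```

The point of the hardened version is that it never asks "does this look bad?" but only "where does this end up?"; any encoding or separator trick collapses into the same canonical path and is judged by the prefix test. The lexical check is only half of it on a real filesystem, which is why the symlink comment is there.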


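Added example, not part of the post or of the sploit.tech write-up: a small access-log triage script in Python that flags the request shapes of the three PoCs above (a "/uir" path containing ".." or "//", such a traversal reaching into /tmp, and a chkisg.htm request whose Sip value carries shell metacharacters). The log lines are constructed for this example and the rule names are mine, not vendor or IDS signatures; the device's real log format is an assumption (Common Log Format is used here). Note that the target is percent-decoded before matching, because the third PoC encodes even the "?" and "|".

```python
"""Access-log triage for the three D-Link PoC request shapes.
Added example with constructed log lines; rule names are mine."""
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Characters that have no business in an IP address passed to a shell.
SHELL_META = re.compile(r'[|;&`$<>\n]')

# Constructed sample log (not a real capture); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2018:10:00:01 +0000] "GET /uir/index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Oct/2018:10:00:02 +0000] "GET /uir//etc/passwd HTTP/1.1" 200 1290',
    '198.51.100.7 - - [12/Oct/2018:10:00:03 +0000] "GET /uir//tmp/XXX/0 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [12/Oct/2018:10:00:09 +0000] "GET /chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd HTTP/1.1" 200 1290',
    '192.0.2.10 - - [12/Oct/2018:10:01:00 +0000] "GET /chkisg.htm?Sip=1.1.1.1 HTTP/1.1" 200 300',
]


def classify(target):
    """Return the rule names that the percent-decoded request target trips."""
    hits = []
    decoded = unquote(target)             # decode before matching
    parts = urlsplit(decoded)
    path = parts.path
    # Rule 1 (CVE-2018-10822): '/uir' followed by '..' or '//' anywhere in the path.
    if path.startswith("/uir") and (".." in path or "//" in path):
        hits.append("uir-traversal")
    # Rule 2 (CVE-2018-10824): the traversal aimed at the /tmp config store.
    if "uir-traversal" in hits and "/tmp/" in path:
        hits.append("config-read")
    # Rule 3 (CVE-2018-10823): chkisg.htm with a Sip value that is not a bare address.
    if path.endswith("/chkisg.htm"):
        for sip in parse_qs(parts.query).get("Sip", []):
            if SHELL_META.search(sip):
                hits.append("chkisg-sip-injection")
    return hits


def triage(lines):
    """Return (src, rule, decoded_target, status) for every flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not CLF
        for rule in classify(m["target"]):
            findings.append((m["src"], rule, unquote(m["target"]), int(m["status"])))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The status code is carried along because a 200 on a "uir-traversal" or "config-read" hit is the difference between an attempt and a probable credential leak; an injection hit on chkisg.htm additionally implies the client already held a valid session, so the source address should be treated as a compromised admin.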