exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

D-Link Plain-Text Password Storage / Code Execution / Directory Traversal

D-Link Plain-Text Password Storage / Code Execution / Directory Traversal
Posted Oct 18, 2018
Authored by Blazej Adamczyk

Multiple D-Link router models suffer from code execution, plain-text password storage, and directory traversal vulnerabilities.

tags | exploit, vulnerability, code execution, file inclusion
advisories | CVE-2017-6190, CVE-2018-10822, CVE-2018-10823, CVE-2018-10824
SHA-256 | 9541adf37d2c85c0b0f169e169c1066383eece8ec4a5884e9d841c8dbcc16ca5

D-Link Plain-Text Password Storage / Code Execution / Directory Traversal

Change Mirror Download
              aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
MULTIPLE VULNERABILITIES IN D-LINK ROUTERS


Blazej Adamczyk (br0x)
blazej.adamczyk@gmail.com
http://sploit.tech/
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa


12.10.2018


1 Directory Traversal in httpd server in several series of D-Link
routers
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aa

CVE: CVE-2018-10822

CVSS v3: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Directory traversal vulnerability in the web interface on D-Link
routers:
aC/ DWR-116 through 1.06,
aC/ DIR-140L through 1.02,
aC/ DIR-640L through 1.02,
aC/ DWR-512 through 2.02,
aC/ DWR-712 through 2.02,
aC/ DWR-912 through 2.02,
aC/ DWR-921 through 2.02,
aC/ DWR-111 through 1.01,
aC/ and probably others with the same type of firmware

allows remote attackers to read arbitrary files via a /.. or // after
"GET /uir" in an HTTP request.

NOTE: this vulnerability exists because of an incorrect fix for
CVE-2017-6190.

PoC:
aaaaa
a $ curl http://routerip/uir//etc/passwd
aaaaa

The vulnerability can be used retrieve administrative password using
the other disclosed vulnerability - CVE-2018-10824

This vulnerability was reported previously by Patryk Bogdan in
CVE-2017-6190 but he reported it is fixed in certain release but
unfortunately it is still present in even newer releases. The
vulnerability is also present in other D-Link routers and can be
exploited not only (as the original author stated) by double dot but
also absolutely using double slash.


2 Password stored in plaintext in several series of D-Link routers
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

CVE: CVE-2018-10824

An issue was discovered on D-Link routers:
aC/ DWR-116 through 1.06,
aC/ DIR-140L through 1.02,
aC/ DIR-640L through 1.02,
aC/ DWR-512 through 2.02,
aC/ DWR-712 through 2.02,
aC/ DWR-912 through 2.02,
aC/ DWR-921 through 2.02,
aC/ DWR-111 through 1.01,
aC/ and probably others with the same type of firmware.

NOTE: I have changed the filename in description to XXX because the
vendor leaves some EOL routers unpatched and the attack is too
simple.

The administrative password is stored in plaintext in the /tmp/XXX/0
file. An attacker having a directory traversal (or LFI) can easily
get
full router access.

PoC using the directory traversal vulnerability disclosed at the same
time - CVE-2018-10822

aaaaa
a $ curl http://routerip/uir//tmp/XXX/0
aaaaa

This command returns a binary config file which contains admin
username and password as well as many other router configuration
settings. By using the directory traversal vulnerability it is
possible to read the file without authentication.


3 Shell command injection in httpd server of a several series of D-Link
routers
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaa

CVE: CVE-2018-10823

CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

An issue was discovered on D-Link routers:
aC/ DWR-116 through 1.06,
aC/ DWR-512 through 2.02,
aC/ DWR-712 through 2.02,
aC/ DWR-912 through 2.02,
aC/ DWR-921 through 2.02,
aC/ DWR-111 through 1.01,
aC/ and probably others with the same type of firmware.

An authenticated attacker may execute arbitrary code by injecting the
shell command into the chkisg.htm page Sip parameter. This allows for
full control over the device internals.

PoC:
1. Login to the router.
2. Request the following URL after login:
aaaaa
a $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20
%2Fetc%2Fpasswd
aaaaa
3. See the passwd file contents in the response.


4 Exploiting all together
aaaaaaaaaaaaaaaaaaaaaaaaa

CVSS v3: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Taking all the three together it is easy to gain full router control
including arbitrary code execution.

Description with video: [http://sploit.tech/2018/10/12/D-Link.html]


5 Timeline
aaaaaaaaaa

aC/ 09.05.2018 - vendor notified
aC/ 06.06.2018 - asked vendor about the status because of long vendor
response
aC/ 22.06.2018 - received a reply that a patch will be released for
DWR-116 and DWR-111, for the other devices which are EOL an
announcement will be released
aC/ 09.09.2018 - still no reply from vendor about the patches or
announcement, I have warned the vendor that if I will not get a
reply in a month I will publish the disclosure
aC/ 12.10.2018 - disclosing the vulnerabilities
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close