-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

D-Link NAS, DNS Series: Stored XSS via Unauthenticated SMB

1. Affected Models/Versions
2. Summary
3. Technical Summary
4. Vulnerability Details
5. Exploitation / Proof of Concept
6. Timeline
7. See Also

########## 1. Affected Models/Versions ##########

The vulnerability was initially discovered on a **D-Link DNS-320 rev A** device running **firmware version 2.05b8** (also known as "2.13.0507.2014"). The remainder of this advisory describes and demonstrates the vulnerability based on this exact model and version.

However, according to D-Link, **the following models are also vulnerable**. The version numbers and dates listed below indicate the firmware version current at the time D-Link confirmed these devices to be vulnerable.

| Device / Model | FW Version | FW Date |
| ---------------- | :---------: | ---------: |
| DNS-320 rev A | 2.05b8 | 28/07/2014 |
| DNS-320 rev B | 1.02 | 02/07/2014 |
| DNS-320L | 1.06b03 | 28/07/2015 |
| DNS-325 | 1.05b3 | 02/07/2014 |
| DNS-327L | 1.06b02 | 02/09/2014 |
| DNS-340L | 1.04b01 | 11/02/2016 |
| DNS-345 | 1.04b2 | 17/12/2014 |

Both earlier and later versions may be affected as well.

########## 2. Summary ##########

The D-Link DNS-320 is a Network Storage Enclosure ( / ). The device allows users to access stored data via SMB, and it can be configured through a web interface. This web interface is vulnerable to Stored Cross-Site Scripting, with the injection point being the username of an **unsuccessful** SMB login attempt. The vulnerability can be used to read and write settings accessible through the web interface. Ultimately, an attacker may gain full read and write access to the data stored on the device.

########## 3. Technical Summary ##########

The device's administrative web interface contains a **Stored Cross-Site Scripting vulnerability, exploitable through an unauthenticated SMB login attempt (445/tcp)**.
The injected code is executed when the victim logs into the administrative web interface. Unlike reflected XSS vulnerabilities, it does not require the victim to open an attacker-supplied link or to visit a malicious web page. This is one of the relatively few XSS vulnerabilities where malicious code can be injected despite having neither direct nor indirect access to the vulnerable web application. As such, it can be exploited even when access to ports 80/tcp (HTTP) and 443/tcp (HTTPS) is denied.

########## 4. Vulnerability Details ##########

The device keeps a record of unsuccessful SMB login attempts in a log file. For login attempts with a non-existing username, this username will be stored and later displayed without being sanitized. The contents of the log file can be viewed from within the device's web interface, either on a dedicated page (Management -> System Management -> Logs; ```/web/management.html?id=log```) or on the home page (```/web/home.html```). Both pages suffer from the same vulnerability, but because the home page is automatically loaded after a successful login, injected code will be run immediately afterwards and without further user interaction.

########## 5. Exploitation / Proof of Concept ##########

The following two ```smbclient``` commands serve as a proof of concept. Their purpose is to inject code that will create a new user with a password chosen by the attacker. In addition, it supplies this user with read/write permissions on the device's default share ("Volume_1"), which by default results in full read and write access to the data stored on the primary HDD.

```
smbclient -U '' -N '\\x\Volume_1' -I
smbclient -U '' -N '\\x\Volume_1' -I
```

Once an administrator logs into the device's web interface, the code will be executed: a new user with an attacker-specified password will be created and granted read/write permissions to the "Volume_1" share.

To confirm whether a device is one of the vulnerable models, ```rpcclient``` can be used.
After issuing the ```querydominfo``` command, the model name can be found next to ```Comment```:

```
[~] $ rpcclient -U "" -N
rpcclient $> querydominfo
Domain:         WORKGROUP
Server:         DLINK-EXXXXX
Comment:        DNS-320     <===== Model
Total Users:    3
[...]
```

### Alternative, less intrusive PoC

Some readers may want to verify whether the vulnerability exists on their device, but without making configuration changes such as the ones caused by the previously mentioned commands. In these cases, the following command may be used:

```
smbclient -U 'ab' -N '\\x\Volume' -I
```

If the device is indeed vulnerable, the user will be greeted with an "XSS" popup window the next time s/he logs into the device's web interface.

########## 6. Timeline ##########

2016-01-11: Attempted to report vulnerability to D-Link via web form.
2016-01-21: (Ten days later: still no response.)
2016-01-21: Contacted (following SecurityA Event Response Policy).
2016-01-21: D-Link responds within a few minutes.
**2016-01-22: Vulnerability report sent.**
2016-01-26: D-Link confirms vulnerability.
2016-02-11: CVE-ID requested from MITRE via .
2016-02-12: MITRE rejects request.
**2016-02-27: D-Link provides preview of updated firmware to verify fix.**
**2016-03-01: Firmware reviewed, confirmation sent to D-Link.**
2016-06-08: Asked D-Link for status update.
2016-07-08: (One month later: still no response.)
2016-07-08: Asked D-Link for status update.
2016-07-13: D-Link states some firmware updates have been posted in "forums", remaining updates to be released "by the end of this week. 7/15".
2016-07-19: Asked D-Link for direct links to said updates.
2016-08-02: (Two weeks later: still no response.)
**2016-08-02: Advisory published.**

########## 7. See Also ##########

D-Link UK product pages of the affected devices:

* DNS-320 rev A
* DNS-320 rev B
* DNS-320L
* DNS-325
* DNS-327L
* DNS-340L
* DNS-345

Product pages for other regions may contain different firmware versions.
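Added here as a defender-side illustration of the issue described in section 4, not code from the advisory or from D-Link's firmware: a small Python script that renders a failed-login record both unescaped (the vulnerable pattern) and HTML-escaped (the fix), and flags usernames in failed-SMB-login log lines that carry markup characters. The log-line format, the helper names and the sample entries are constructed assumptions; the device's real log format is not shown in the advisory.

```python
import html
import re

# Constructed log-line format (assumption; the DNS-320's real format is not
# shown in the advisory): "<date> <time> smb login failed user=<name> from <ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) smb login failed user=(?P<user>.*?) from (?P<ip>\S+)$")

# Characters that must never reach an HTML page un-encoded.
MARKUP_CHARS = set('<>"\'&')

def parse_line(line: str):
    """Split one failed-login record into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def is_suspicious(username: str) -> bool:
    """A username carrying markup characters is a candidate injection attempt."""
    return any(c in MARKUP_CHARS for c in username)

def render_unescaped(rec: dict) -> str:
    """The vulnerable pattern: attacker-influenced fields interpolated straight into markup."""
    return f"<tr><td>{rec['ts']}</td><td>{rec['user']}</td><td>{rec['ip']}</td></tr>"

def render_escaped(rec: dict) -> str:
    """The fix: every attacker-influenced field is HTML-encoded before output."""
    cells = (html.escape(rec[k], quote=True) for k in ("ts", "user", "ip"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"

def scan(lines) -> list:
    """Return (username, ip) pairs of records whose username looks like markup."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec["user"]):
            hits.append((rec["user"], rec["ip"]))
    return hits

# Constructed sample records; the second username is a harmless marker that
# contains the characters an injection would need, not a working payload.
SAMPLE_LOG = [
    "2016-01-22 10:00:01 smb login failed user=bob from 192.0.2.10",
    "2016-01-22 10:00:05 smb login failed user=<b>marker</b> from 192.0.2.77",
    "2016-01-22 10:00:09 smb login failed user=alice from 192.0.2.11",
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LOG):
        print(render_escaped(rec))
    print("suspicious:", scan(SAMPLE_LOG))
```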