D-Link DSP-W215 smart plug remote command execution vulnerability warning - 黑吧安全网 (myhack58)

ID MYHACK58:62201447335
Type myhack58
Reporter Anonymous (佚名)
Modified 2014-05-21T00:00:00


0x00 Background

The D-Link DSP-W215 smart plug is a wirelessly controlled power outlet. It is not yet available from Amazon or Best Buy, but its firmware can already be downloaded from D-Link's website.

The DSP-W215 has a stack overflow vulnerability. Through it, an attacker can take control of the whole plug and switch whatever electrical equipment is connected to it on or off.

0x01 Analysis

Analysis of the plug's firmware:

[image: firmware analysis output]

It contains LZMA-compressed data, a Linux file system, and a uImage-wrapped compressed kernel image.

After unpacking and inspecting the files, no web-based management interface was found; the device can only be managed through the Android or iOS application it provides, and that application uses the HNAP (Home Network Administration Protocol) family of management protocols.

HNAP is built on SOAP; its requests and responses look like this:

[image: sample HNAP request and response]

For more detail, see <http://www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf>

The plug uses the lightweight lighttpd server to carry HNAP traffic. From the lighttpd configuration, HNAP requests are routed to the CGI program /www/my_cgi.cgi for processing:

... alias.url += ( "/HNAP1/" => "/www/my_cgi.cgi", "/HNAP1" => "/www/my_cgi.cgi", ...

Although HNAP is an authenticated protocol, some actions do not require authentication, for example retrieving the device's settings.

HNAP request data is handled by the do_hnap function in my_cgi.cgi. do_hnap first processes the Content-Length header of the POST request.

[image: do_hnap Content-Length handling]

It converts the length string to an integer.

It then reads that many bytes of request data into a fixed-size buffer allocated on the stack (500,000 bytes).

[image: do_hnap read into the stack buffer]
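The following C mock is an added illustration, not code from this advisory or from D-Link's firmware. It contrasts the pattern the page describes (Content-Length converted with atoi and used directly as the number of bytes copied into a fixed stack buffer) with a bounded version that validates the header before reading. BODY_CAPACITY, struct request, SAMPLE_BODY and the handle_* wrappers are constructed stand-ins; the real buffer is 500,000 bytes, the mock uses 64 so the checks are easy to exercise.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the fixed-size stack buffer (the page states the
 * real one is 500,000 bytes; 64 keeps the demonstration small). */
#define BODY_CAPACITY 64

/* Constructed in-memory stand-in for the CGI's request environment. */
struct request {
    const char *content_length;  /* value of the Content-Length header */
    const char *body;            /* raw POST body bytes */
    size_t body_len;             /* bytes actually available */
};

/* Constructed sample HNAP-style SOAP body (34 bytes). */
static const char SAMPLE_BODY[] = "<s:Envelope><s:Body/></s:Envelope>";

/* The pattern the page describes, for contrast only: atoi accepts signs and
 * trailing garbage, and nothing compares the result with the buffer size, so
 * a declared length larger than the buffer writes past its end. */
static int read_body_unchecked(const struct request *req, char *buf) {
    int len = atoi(req->content_length);
    size_t n = req->body_len < (size_t)len ? req->body_len : (size_t)len;
    memcpy(buf, req->body, n);               /* buf is never bounded here */
    return len;
}

/* Strict Content-Length parsing: unsigned digits only, no trailing text,
 * no integer overflow, and never larger than the destination capacity.
 * Returns the length, or -1 on any violation. */
static long parse_content_length(const char *s, size_t capacity) {
    if (s == NULL || *s < '0' || *s > '9') return -1;
    errno = 0;
    char *end;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    if (v > capacity) return -1;
    return (long)v;
}

/* Hardened read: rejects the request when the declared length cannot fit
 * or when fewer bytes than declared are available, otherwise copies exactly
 * len bytes. Returns bytes read, or -1 when the request is rejected. */
static long read_body_checked(const struct request *req, char *buf, size_t capacity) {
    long len = parse_content_length(req->content_length, capacity);
    if (len < 0) return -1;
    if (req->body_len < (size_t)len) return -1;  /* short body: reject */
    memcpy(buf, req->body, (size_t)len);
    return len;
}

/* Wrappers that build a request from a header value and body string. */
static long handle_checked(const char *content_length, const char *body) {
    char buf[BODY_CAPACITY];
    struct request req = { content_length, body, strlen(body) };
    return read_body_checked(&req, buf, sizeof buf);
}

/* Only call this with lengths that fit: it exists to show what atoi accepts. */
static int handle_unchecked(const char *content_length, const char *body) {
    char buf[BODY_CAPACITY];
    struct request req = { content_length, body, strlen(body) };
    return read_body_unchecked(&req, buf);
}

int main(void) {
    const char *headers[] = { "34", "500000", "-1", "12abc", "64" };
    for (size_t i = 0; i < sizeof headers / sizeof headers[0]; i++)
        printf("Content-Length %-7s -> checked: %ld\n",
               headers[i], handle_checked(headers[i], SAMPLE_BODY));
    /* atoi silently turns "12abc" into 12 and "-1" into a negative count. */
    printf("atoi(\"12abc\") as used unchecked -> %d\n",
           handle_unchecked("12abc", SAMPLE_BODY));
    return 0;
}
```

The checked path fails closed: an oversized, negative, malformed or truncated length is rejected before any copy happens, which is the property a code review of a CGI handler like do_hnap should look for.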
