Hacking the D-Link DIR-890L - vulnerability alert - Black Bar Safety Net

2015-04-13T00:00:00
ID MYHACK58:62201561129
Type myhack58
Reporter Anonymous
Modified 2015-04-13T00:00:00

Description

For the past six months D-Link and I have been trading low blows, and it has left my head spinning. Today I wanted to have some fun, so I visited their website, where I was greeted by this appalling sight:

[Image: D-Link's $300 DIR-890L router]

The firmware this router runs has many bugs, and the most perverse part is that it is exactly the same firmware D-Link has shipped on a whole range of routers over the years.

[Embedded video]

0x01 Starting the analysis

As usual, we first grab the latest version of the firmware and run binwalk over it, which shows the following:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             DLOB firmware header, boot partition: "dev=/dev/mtdblock/7"
116           0x74            LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 4905376 bytes
1835124       0x1C0074        PackImg section delimiter tag, little endian size: 6345472 bytes; big endian size: 13852672 bytes
1835156       0x1C0094        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 13852268 bytes, 2566 inodes, blocksize: 131072 bytes, created: 2015-02-11 09:18:37

This looks like a very standard Linux firmware image. If you have analysed any D-Link firmware in the past few years, chances are you will recognise the following directory structure:

$ ls squashfs-root
bin dev etc home htdocs include lib mnt mydlink proc sbin sys tmp usr var www

Everything related to HTTP, UPnP and HNAP lives in the htdocs directory. The most interesting file there is cgibin, an ARM ELF binary that the web server executes: all of the CGI, UPnP and HNAP functionality is reached through symlinks that point at this one program.

$ ls -l htdocs/web/*.cgi
lrwxrwxrwx 1 eve eve 14 Mar 31 22:46 htdocs/web/captcha.cgi -> /htdocs/cgibin
lrwxrwxrwx 1 eve eve 14 Mar 31 22:46 htdocs/web/conntrack.cgi -> /htdocs/cgibin
lrwxrwxrwx 1 eve eve 14 Mar 31 22:46 htdocs/web/dlapn.cgi -> /htdocs/cgibin
lrwxrwxrwx 1 eve eve 14 Mar 31 22:46 htdocs/web/dlcfg.cgi -> /htdocs/cgibin
lrwxrwxrwx 1 eve eve 14 Mar 31 22:46 htdocs/web/dldongle.cgi -> /htdocs/cgibin
lrwxrwxrwx 1 eve eve 14 Mar 31 22:46 htdocs/web/fwup.cgi -> /htdocs/cgibin
lrwxrwxrwx 1 eve eve 14 Mar 31 22:46 htdocs/web/fwupload.cgi -> /htdocs/cgibin
lrwxrwxrwx 1 eve eve 14 Mar 31 22:46 htdocs/web/hedwig.cgi -> /htdocs/cgibin
lrwxrwxrwx 1 eve eve 14 Mar 31 22:46 htdocs/web/pigwidgeon.cgi -> /htdocs/cgibin
lrwxrwxrwx 1 eve eve 14 Mar 31 22:46 htdocs/web/seama.cgi -> /htdocs/cgibin
lrwxrwxrwx 1 eve eve 14 Mar 31 22:46 htdocs/web/service.cgi -> /htdocs/cgibin
lrwxrwxrwx 1 eve eve 14 Mar 31 22:46 htdocs/web/webfa_authentication.cgi -> /htdocs/cgibin
lrwxrwxrwx 1 eve eve 14 Mar 31 22:46 htdocs/web/webfa_authentication_logout.cgi -> /htdocs/cgibin

The binary is complex, but that is fine: its strings let you find the function that handles each feature. The program first compares argv[0] with the symlink names to decide which action to perform. (argv[0] is set by the name of the symlink: when the web server executes htdocs/web/captcha.cgi -> /htdocs/cgibin, argv[0] inside cgibin contains "captcha.cgi", so the program jumps to the captcha handler function.)

[Image: "Staircase" code graph, typical of if-else statements]

Each symlink name is compared with strcmp:

[Image: Function handlers for various symlinks]

So it is easy to find the handler code for each symlink name and give it a suitable name:

[Image: Renamed symlink function handlers]

Now that we have found these functions, let's start looking for bugs!
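Added example, not code from the article and not D-Link's cgibin: a minimal multi-call binary in C that shows the argv[0] dispatch the text describes. The web server executes a symlink such as htdocs/web/captcha.cgi -> /htdocs/cgibin, so argv[0] carries the symlink name and the binary selects its handler by strcmp on that name; a chain of such comparisons is what appears as the "staircase" of if-else blocks in the disassembly. The symlink names come from the listing above; the handler bodies and the cgi_basename and lookup_handler helpers are constructed for illustration.

```c
/* Constructed example of a multi-call CGI binary dispatched on argv[0].
 * Not D-Link's code; the handler bodies are illustrative only. */
#include <stdio.h>
#include <string.h>

typedef int (*cgi_handler)(void);

/* Each handler stands in for one feature reachable through a symlink. */
static int captcha_cgi(void)  { puts("Content-Type: image/png\n");                        return 0; }
static int fwupload_cgi(void) { puts("Content-Type: text/plain\n\nfirmware upload handler"); return 0; }
static int hedwig_cgi(void)   { puts("Content-Type: text/xml\n\n<hedwig/>");               return 0; }
static int service_cgi(void)  { puts("Content-Type: text/plain\n\nservice handler");       return 0; }

/* Symlink name -> handler. The names are from the ls -l output above. */
static const struct { const char *name; cgi_handler fn; } handlers[] = {
    { "captcha.cgi",  captcha_cgi  },
    { "fwupload.cgi", fwupload_cgi },
    { "hedwig.cgi",   hedwig_cgi   },
    { "service.cgi",  service_cgi  },
};

/* Strip any directory part: "/htdocs/web/captcha.cgi" -> "captcha.cgi". */
const char *cgi_basename(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* Return the index of the handler that argv[0] selects, or -1 when no
 * symlink of that name exists. This is the table-driven form of the
 * strcmp chain seen in cgibin; the binary itself uses one if-else per name. */
int lookup_handler(const char *argv0)
{
    const char *name = cgi_basename(argv0);
    for (size_t i = 0; i < sizeof handlers / sizeof handlers[0]; i++)
        if (strcmp(name, handlers[i].name) == 0)
            return (int)i;
    return -1;
}

int main(int argc, char **argv)
{
    (void)argc;
    int idx = lookup_handler(argv[0]);
    if (idx < 0) {
        fprintf(stderr, "%s: no handler for this name\n", argv[0]);
        return 1;
    }
    return handlers[idx].fn();
}
```

Build it as cgibin, create a symlink with `ln -s ./cgibin captcha.cgi` and run `./captcha.cgi`: the link name, not the file, picks the handler. The point a reviewer takes from this layout is the one the article builds on: every handler behind every symlink runs in the same process with the same privileges, so the web-facing attack surface is the union of all those handlers, and naming each one (as the article does) is the first step to auditing them separately.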
Some other D-Link devices also run this firmware, and vulnerabilities have already been found in their HTTP and UPnP interfaces. The HNAP interface, however, which is implemented in cgibin's hnap_main function, seems to have been overlooked. HNAP (Home Network Administration Protocol) is a SOAP-based protocol similar to UPnP; D-Link's "EZ" setup modules use it widely for the initial configuration of the router. Unlike UPnP, though, every HNAP action except GetDeviceInfo (a basically useless function) requires HTTP Basic authentication:

POST /HNAP1 HTTP/1.1
Host: 192.168.0.1
Authorization: Basic YWMEHZY+
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://purenetworks.com/HNAP1/AddPortMapping"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">

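Added example, not the router's code: the authentication rule the paragraph above states for HNAP, written out in C as a small request checker so the gate is explicit. find_header, hnap_action, hnap_action_is and hnap_gate are constructed helpers; the sample requests are constructed as well, taking only the SOAPAction URL form and the envelope line from the request above, and the Basic credential is a made-up demo value. Header matching is case-sensitive here for brevity, whereas real HTTP header names are case-insensitive.

```c
/* Constructed model of the HNAP authentication gate described in the text:
 * every action except GetDeviceInfo needs an HTTP Basic credential.
 * Not D-Link's code. */
#include <stdio.h>
#include <string.h>

#define MAX_ACTION 64

/* Constructed sample requests (not captured from a device). */
const char REQ_ADDPORT_NOAUTH[] =
    "POST /HNAP1 HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    "SOAPAction: \"http://purenetworks.com/HNAP1/AddPortMapping\"\r\n"
    "\r\n"
    "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n";
const char REQ_ADDPORT_AUTH[] =
    "POST /HNAP1 HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Authorization: Basic YWRtaW46czNjcmV0\r\n"   /* base64("admin:s3cret"), demo value */
    "SOAPAction: \"http://purenetworks.com/HNAP1/AddPortMapping\"\r\n"
    "\r\n";
const char REQ_ADDPORT_BADAUTH[] =
    "POST /HNAP1 HTTP/1.1\r\n"
    "Authorization: Basic YWJj\r\n"
    "SOAPAction: \"http://purenetworks.com/HNAP1/AddPortMapping\"\r\n"
    "\r\n";
const char REQ_GETDEVINFO[] =
    "POST /HNAP1 HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceInfo\"\r\n"
    "\r\n";
const char REQ_NO_SOAPACTION[] =
    "POST /HNAP1 HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "\r\n";

/* Locate "Name: value" at the start of a header line. Returns a pointer to
 * the value and its length, or NULL if absent. Stops at the blank line. */
static const char *find_header(const char *req, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = req;
    while (p && *p) {
        if (*p == '\r' || *p == '\n') break;            /* end of headers */
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ') v++;
            const char *end = strpbrk(v, "\r\n");
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return NULL;
}

/* Extract the action name from SOAPAction, e.g.
 * "http://purenetworks.com/HNAP1/AddPortMapping" -> AddPortMapping.
 * Returns 0 on success, -1 if the header is missing or malformed. */
int hnap_action(const char *req, char *out, size_t outsz)
{
    size_t len;
    const char *v = find_header(req, "SOAPAction", &len);
    if (!v || len < 3) return -1;
    if (v[0] == '"') { v++; len--; }                    /* strip quotes */
    if (len && v[len - 1] == '"') len--;
    const char *start = v;                              /* last path component */
    for (size_t i = 0; i < len; i++)
        if (v[i] == '/') start = v + i + 1;
    size_t alen = len - (size_t)(start - v);
    if (alen == 0 || alen >= outsz) return -1;
    memcpy(out, start, alen);
    out[alen] = '\0';
    return 0;
}

/* Convenience predicate: does the request name the given action? */
int hnap_action_is(const char *req, const char *name)
{
    char action[MAX_ACTION];
    return hnap_action(req, action, sizeof action) == 0 && strcmp(action, name) == 0;
}

/* HTTP status the gate yields: 400 if not a well-formed HNAP call, 200 for
 * GetDeviceInfo or a valid Basic credential, 401 otherwise. The check runs
 * before any action-specific code, which is the property to look for. */
int hnap_gate(const char *req)
{
    char action[MAX_ACTION];
    if (hnap_action(req, action, sizeof action) != 0) return 400;
    if (strcmp(action, "GetDeviceInfo") == 0) return 200; /* the one open action */
    size_t len;
    const char *auth = find_header(req, "Authorization", &len);
    if (!auth || strncmp(auth, "Basic ", 6) != 0) return 401;
    const char *expect = "YWRtaW46czNjcmV0";            /* demo credential only */
    size_t elen = strlen(expect);
    return (len == 6 + elen && memcmp(auth + 6, expect, elen) == 0) ? 200 : 401;
}

int main(void)
{
    const char *names[] = { "AddPortMapping, no auth", "AddPortMapping, Basic auth",
                            "AddPortMapping, bad auth", "GetDeviceInfo, no auth", "no SOAPAction" };
    const char *reqs[]  = { REQ_ADDPORT_NOAUTH, REQ_ADDPORT_AUTH, REQ_ADDPORT_BADAUTH,
                            REQ_GETDEVINFO, REQ_NO_SOAPACTION };
    for (int i = 0; i < 5; i++)
        printf("%-28s -> HTTP %d\n", names[i], hnap_gate(reqs[i]));
    return 0;
}
```

When reviewing hnap_main, the questions this model makes concrete are whether every action handler is reachable only through such a gate, and whether the gate decides on the whole request rather than on a header or action name it has not fully parsed; a real server would also decode the credential and compare it against stored account data instead of a fixed token.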