Vulnérabilité dans les routeurs D-Link

Toutes les mises à jour de sécurités publiées et les failles annoncées
Reprise notamment des publications du CERT-FR (ANSSI)
Répondre
Avatar du membre
charles
Administrateur du site
Messages : 3313
Enregistré le : 06 avr. 2015 09:02
Etablissement : CH Saint-Flour
Fonction : RSSI
CIL / DPO / DPD : Non
Site Internet de l'établissement : http://www.ch-stflour.fr
Site Internet personnel ou blog : http://www.forum-sih.fr
Contact :

Vulnérabilité dans les routeurs D-Link

Message par charles » 19 oct. 2018 07:15

Quelques jolies vulnérabilités dans les routeurs D-Link ont été enregistrées comme CVE le 17/10/2018 :

1. Directory Traversal

CVE: CVE-2018-10822

CVSS v3: 8.6
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Description: Directory traversal vulnerability in the web interface on D-Link routers:

DWR-116 through 1.06,
DIR-140L through 1.02,
DIR-640L through 1.02,
DWR-512 through 2.02,
DWR-712 through 2.02,
DWR-912 through 2.02,
DWR-921 through 2.02,
DWR-111 through 1.01,
and probably others with the same type of firmware

allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request.

NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.

PoC:

Code : Tout sélectionner

$ curl http://routerip/uir//etc/passwd
The vulnerability can be used retrieve administrative password using the other disclosed vulnerability - CVE-2018-10824.

This vulnerability was reported previously by Patryk Bogdan in CVE-2017-6190 but he reported it is fixed in certain release but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) by double dot but also absolutely using double slash.
2. Password stored in plaintext

CVE: CVE-2018-10824

Description:

An issue was discovered on D-Link routers:

DWR-116 through 1.06,
DIR-140L through 1.02,
DIR-640L through 1.02,
DWR-512 through 2.02,
DWR-712 through 2.02,
DWR-912 through 2.02,
DWR-921 through 2.02,
DWR-111 through 1.01,
and probably others with the same type of firmware.

NOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple

The administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.

PoC using the directory traversal vulnerability disclosed above - CVE-2018-10822

Code : Tout sélectionner

$ curl http://routerip/uir//tmp/XXX/0
This command returns a binary config file which contains admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability it is possible to read the file without authentication.
3. Shell command injection

CVE: CVE-2018-10823

CVSS v3: 9.1
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description: An issue was discovered on D-Link routers:

DWR-116 through 1.06,
DWR-512 through 2.02,
DWR-712 through 2.02,
DWR-912 through 2.02,
DWR-921 through 2.02,
DWR-111 through 1.01,
and probably others with the same type of firmware.

An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.

PoC:

Login to the router.
Request the following URL after login:

Code : Tout sélectionner

    $ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd
See the passwd file contents in the response.

L'exploit en vidéo :

Source : http://sploit.tech/2018/10/12/D-Link.html
Voir aussi : https://seclists.org/fulldisclosure/2018/Oct/36

Répondre

Retourner vers « Alertes de sécurité - Mises à jour et failles »