
Full Disclosure mailing list archives
Re: Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol
From: Pierre Kim <pierre.kim.sec () gmail com>
Date: Thu, 21 Sep 2017 01:25:17 +0200
Hello, Following the advisory posted to FD and Buqtraq about "Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol" the HTML version on analyzing the security on the corrected firmware for Dlink 850L routers is posted here: https://pierrekim.github.io/blog/2017-09-21-update-dlink-850l-mydlink-cloud-0days-vulnerabilities.html Please find a text-only version below sent to security mailing lists. === text-version === An update on the post "Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol (https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html)": MITRE was very effective and provided several CVEs for these vulnerabilities: CVE-2017-14413, CVE-2017-14414, CVE-2017-14415, CVE-2017-14416, CVE-2017-14417, CVE-2017-14418, CVE-2017-14419, CVE-2017-14420, CVE-2017-14421, CVE-2017-14422, CVE-2017-14423, CVE-2017-14424, CVE-2017-14425, CVE-2017-14426, CVE-2017-14427, CVE-2017-14428, CVE-2017-14429, CVE-2017-14430. D-Link provided firmware updates at: http://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10074 . Full-Disclosure seems to work! It forced D-Link to provide working security patches to the public in a timely manner. Only 14 CVEs (of 18 CVEs) are recognized in the list from the Security Announcement from D-Link. I verified myself that the vulnerabilities have been indeed patched or not - for all 18 CVEs - as shown below on a real router with the latest firmware. This work was possible thanks to another pre-auth 0day exploit that I have not yet released and which still works against the latest revB firmware (`DIR850LB1_FW220WWb03.bin`). user@kali:~/petage-dlink$ ./pwn-dlink-850-003 192.168.0.1 [...] # uname -ap Linux dlinkrouter 2.6.30.9 #1 Mon Sep 18 10:27:42 CST 2017 rlx GNU/Linux # busybox BusyBox v1.14.1 (2017-09-18 20:18:33 CST) multi-call binary Copyright (C) 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko and others. Licensed under GPLv2. [...] # ## Firmware "protection" The algorithm seems to have been updated. The previous program doesn't work anymore. Luckily, having a root shell on the device gives me some hints about how to decipher firmware images. ## WAN && LAN - revA - XSS - CVE-2017-14413, CVE-2017-14414, CVE-2017-14415, CVE-2017-14416 Corrected - the vulnerable files have been removed, as shown below: # cd /htdocs/web # ls -la *php -rw-r--r-- 1 root root 143 Sep 18 2017 wiz_mydlink.php -rw-r--r-- 1 root root 3768 Sep 18 2017 vpnconfig.php -rw-r--r-- 1 root root 204 Sep 18 2017 version.php -rw-r--r-- 1 root root 1074 Sep 18 2017 getcfg.php -rw-r--r-- 1 root root 2661 Sep 18 2017 dnslog.php -rw-r--r-- 1 root root 149 Sep 18 2017 bsc_mydlink.php # ## WAN && LAN - revB - Retrieving admin password, gaining full access using the custom mydlink Cloud protocol - CVE-2017-14417, CVE-2017-14418 Corrected - the vulnerable file has been removed. # ls /htdocs/web/register_send.php ls: /htdocs/web/register_send.php: No such file or directory # Note that the device still sends clear-text passwords to the Cloud protocol (www.mydlink.com). ## WAN - revA and revB - Weak Cloud protocol - CVE-2017-14419, CVE-2017-14420 Not checked as this is going to be taking to much time. ## LAN - revB - Backdoor access - CVE-2017-14421 Corrected. ## WAN && LAN - revA and revB - Stunnel private keys - CVE-2017-14422 Corrected - as shown below: # ls -la /etc/stunnel.key ls: /etc/stunnel.key: No such file or directory # The new certificate (`/tmp/server.key` and `/tmp/server.crt`) is generated on-the-fly during the boot process by the `scripts/updatessl.sh` script. It's a self-signed certificate: # cat scripts/updatessl.sh [...] openssl req -new -newkey rsa:2048 -days $SSLDAYS -sha256 -nodes -x509 -subj "/C=TW/ST=Taiwan/L=Taipei/O=D-Link Corporation/OU=D-Link WRPD/CN=General Root CA/emailAddress=webmaster@localhost" -extensions usr_cert -keyout $TMPKEY -out $TMPPEM -config /etc/openssl.cnf -rand $TMPRAND [...] This opens question about the security of the Cloud protocol. ## WAN && LAN - revA - Nonce bruteforcing for DNS configuration - CVE-2017-14423 Corrected - this file has been removed from the firmware image. # Local - revA and revB - Weak files permission and credentials stored in cleartext - CVE-2017-14424, CVE-2017-14425, CVE-2017-14426, CVE-2017-14427, CVE-2017-14428 Corrected - the passwords are replaced by 'x' everywhere: # cat /var/passwd "Admin" "x" "0" # cat /var/etc/hnapasswd Admin:x # ls -la /var/passwd -rw-rw-rw- 1 root root 16 Jan 1 00:00 /var/passwd # cat /var/passwd "Admin" "x" "0" # ls -la /var/etc/hnapasswd -rw-rw-rw- 1 root root 8 Jan 1 00:00 /var/etc/hnapasswd # cat /var/etc/hnapasswd Admin:x # cat /var/etc/hnapasswd Admin:x # ls -la /var/etc/hnapasswd -rw-rw-rw- 1 root root 8 Jan 1 00:00 /var/etc/hnapasswd # ls -la /var/etc/passwd -rw-r--r-- 1 root root 146 Jan 1 00:00 /var/etc/passwd # cat /var/etc/passwd root:x:0:0:Linux User,,,:/home/root:/bin/sh nobody:x:1000:500:Linux User,,,:/home/nobody:/bin/sh Admin:x:1001:0:Linux User,,,:/home/Admin:/bin/sh # cat /var/etc/shadow root:!:10956:0:99999:7::: nobody:!:10956:0:99999:7::: Admin:!:10956:0:99999:7::: # ls -la /var/run/storage_account_root -rw-rw-rw- 1 root root 12 Jan 1 00:00 /var/run/storage_account_root # cat /var/run/storage_account_root admin:x,::: # ls -la /var/run/hostapd*conf -rw-rw-rw- 1 root root 1160 Jan 1 00:00 /var/run/hostapd-wlan1.conf -rw-rw-rw- 1 root root 1170 Jan 1 00:00 /var/run/hostapd-wlan0.conf ## WAN - revB - Pre-Auth RCEs as root (L2) - CVE-2017-14429 Corrected - the variables are sanitized. ## LAN - revA and revB - DoS against some daemons - CVE-2017-14430 Corrected? I don't think so. ## Conclusion I'm happily surprised by the results of dropping 0days without coordinated disclosure when it is about D-Link products. Should this be the only method with D-Link to get working security patches in a timely manner? Hopefully one day a coordinated disclosure could work in the same way. ## Disclaimer This research is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: [http://creativecommons.org/licenses/by-nc-sa/3.0/](http://creativecommons.org/licenses/by-nc-sa/3.0/) -- Pierre Kim pierre.kim.sec () gmail com @PierreKimSec https://pierrekim.github.io/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol Pierre Kim (Sep 07)
- Re: Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol Pierre Kim (Sep 21)