
How to take over a D-Link Router by exploiting the discovered vulnerabilities

2025-01-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how a D-Link router can be taken over by exploiting vulnerabilities found in it. Many readers may not be familiar with the topic, so the editor has summarized it below. I hope you get something out of this article.

Preface

I have found several vulnerabilities in different models of D-Link routers. Today I would like to share three D-Link router vulnerabilities that I recently discovered. By chaining these three vulnerabilities, we can gain administrative rights on a D-Link router and take it over.

Directory traversal vulnerability - CVE-2018-10822

CVSS v3 score: 8.6

Vulnerability description: directory traversal vulnerability in the web interface of D-Link routers

Vulnerability impact: allows attackers to read arbitrary files by adding /.. or // after "GET /uir" in an HTTP request. The vulnerability exists because D-Link did not fully fix CVE-2017-6190.

Affected products:

DWR-116 with firmware versions earlier than 1.06

DIR-140L with firmware versions earlier than 1.02

DIR-640L with firmware versions earlier than 1.02

DWR-512 with firmware versions earlier than 2.02

DWR-712 with firmware versions earlier than 2.02

DWR-912 with firmware versions earlier than 2.02

DWR-921 with firmware versions earlier than 2.02

DWR-111 with firmware versions earlier than 1.01

Vulnerability verification:

$ curl http://routerip/uir//etc/passwd

Security researcher Patryk Bogdan reported this vulnerability earlier (CVE-2017-6190), but D-Link fixed it only in certain versions of the product and not in some newer versions.

Plaintext password storage vulnerability - CVE-2018-10824
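Why a partial fix leaves both request forms open, as an added example that is not D-Link's code or part of the original article: a hypothetical handler that only rejects "../" is contrasted with one that canonicalises the path and checks that it stays inside the document root. `WEB_ROOT` and both function names are assumptions made for illustration.

```python
import posixpath

WEB_ROOT = "/www/uir"  # hypothetical document root served under /uir/
PREFIX = "/uir/"

def resolve_blocklist(url_path):
    """Blocklist-style check (hypothetical): reject '../', then join."""
    rel = url_path[len(PREFIX):]
    if "../" in rel:
        return None
    # A leading '/' in rel makes join() discard WEB_ROOT entirely, so the
    # '//' form of the request resolves to an absolute path.
    return posixpath.join(WEB_ROOT, rel)

def resolve_contained(url_path):
    """Canonicalise first, then require the result to stay under WEB_ROOT."""
    rel = url_path[len(PREFIX):].lstrip("/")  # never treat input as absolute
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, rel))
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None  # '..' segments climbed out of the root
    return candidate

if __name__ == "__main__":
    # The two request forms named in the vulnerability description,
    # plus a constructed ordinary request.
    for path in ("/uir//etc/passwd", "/uir/../etc/passwd", "/uir/logo.png"):
        print(path, "->", resolve_blocklist(path), "|", resolve_contained(path))
```

On a real filesystem the containment check should run on the symlink-resolved path (`os.path.realpath`) rather than on the lexical path alone.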

Vulnerability description: the D-Link router stores the password set by the user in clear text

Vulnerability impact: an attacker can read the user's plaintext password, which is stored in the /tmp/ directory

Affected products:

DWR-116 with firmware versions earlier than 1.06

DIR-140L with firmware versions earlier than 1.02

DIR-640L with firmware versions earlier than 1.02

DWR-512 with firmware versions earlier than 2.02

DWR-712 with firmware versions earlier than 2.02

DWR-912 with firmware versions earlier than 2.02

DWR-921 with firmware versions earlier than 2.02

DWR-111 with firmware versions earlier than 1.01

Vulnerability verification: because a large number of affected D-Link products remain unpatched, and to avoid causing harm to users, I have replaced the specific plaintext password storage directory with XXX. The plaintext password is stored in the /tmp/XXX/0 file, which attackers can easily obtain with the directory traversal vulnerability above in order to escalate privileges.

$ curl http://routerip/uir//tmp/XXX/0

This command requires no authentication and returns a binary configuration file that contains the administrator's username and password and other sensitive configuration information, which is enough to gain control of the D-Link router.

Command injection vulnerability - CVE-2018-10823

CVSS v3 score: 9.1

Vulnerability description: an authenticated attacker can gain deep control of the device by injecting shell commands into the chkisg.htm page to execute arbitrary code.

Affected products:

DWR-116 with firmware versions earlier than 1.06

DWR-512 with firmware versions earlier than 2.02

DWR-712 with firmware versions earlier than 2.02

DWR-912 with firmware versions earlier than 2.02

DWR-921 with firmware versions earlier than 2.02

DWR-111 with firmware versions earlier than 1.01

Vulnerability verification:

1. Log in to the router

2. Request the following link:

$ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd

3. View the passwd file contents in the response.

Combined exploitation

By chaining the three vulnerabilities above, we can easily gain code execution and complete control over the D-Link router.
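For defenders, the three requests shown above can be recognised in proxy or web-server logs. The following is an added example, not part of the original article: it percent-decodes each logged request line and labels it by CVE, assuming that logs record the raw request line and that `Sip` normally carries a bare IP address; the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# "/.." or "//" directly after /uir, the two forms named for CVE-2018-10822.
TRAVERSAL = re.compile(r"^/uir(//|/\.\.)")
# Value of the Sip parameter on chkisg.htm (assumed to carry an IP address).
SIP_PARAM = re.compile(r"/chkisg\.htm\?(?:.*&)?Sip=([^&]*)", re.S)

def decode(target, rounds=3):
    """Percent-decode until stable so an encoded '?', '=' or '|' is visible."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(request_line):
    """Return the CVE ids that a logged 'METHOD target VERSION' line matches."""
    try:
        _method, rest = request_line.split(" ", 1)
        raw_target, _version = rest.rsplit(" ", 1)
    except ValueError:
        return []  # not a well-formed request line
    target = decode(raw_target)
    hits = []
    if TRAVERSAL.match(target):
        hits.append("CVE-2018-10822")
        if "/tmp/" in target:  # read of the configuration kept under /tmp/
            hits.append("CVE-2018-10824")
    match = SIP_PARAM.search(target)
    if match:
        try:
            ipaddress.ip_address(match.group(1))  # allowlist: a bare IP only
        except ValueError:
            hits.append("CVE-2018-10823")
    return hits

# Constructed request lines; the flagged targets are the ones shown on this page.
SAMPLE = [
    "GET /index.htm HTTP/1.1",
    "GET /uir//etc/passwd HTTP/1.1",
    "GET /uir/../etc/passwd HTTP/1.1",
    "GET /uir//tmp/XXX/0 HTTP/1.1",
    "GET /chkisg.htm?Sip=192.0.2.10 HTTP/1.1",
    "GET /chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd HTTP/1.1",
]

def scan(lines):
    """Map each suspicious line to its labels; clean lines are omitted."""
    return {line: hits for line in lines if (hits := classify(line))}
```

A hit on CVE-2018-10824 followed by a hit on CVE-2018-10823 from the same client is the chain described in this section and warrants treating the device's credentials as compromised.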
