
How to dig multiple D-LINK high-risk loopholes

2025-01-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how multiple high-risk D-Link vulnerabilities were found. The editor considers it very practical and shares it here; I hope you gain something from reading it.

Recently, security researchers from the Code Guardian team of 360 Enterprise Security Group discovered two high-risk security vulnerabilities (CVE-2018-20056 and CVE-2018-20057) in D-Link's DIR-619 and DIR-605 series routers and immediately reported them to D-Link to assist with the fix.

[Image credit: 360 Code Guardian]

CVE-2018-20056 is a buffer overflow vulnerability; it is analyzed technically below.

Vulnerability overview: CVE-2018-20056

This vulnerability is an unauthenticated stack buffer overflow affecting the D-Link DIR-605L and DIR-619L 300M wireless cloud router models. It lies in a functional interface of the web server that unauthenticated users can invoke with a POST request to http://[target_ip]/goform/formLanguageChange. The currtime parameter of the POST data is written to the stack by a dangerous memory copy function without any length check, so a carefully constructed currtime value can trigger a buffer overflow and even yield a root shell on the device.

Technical analysis

Unpacking the firmware with binwalk and examining the resulting file system shows a boa binary. Boa is a lightweight web server that is common in embedded systems. Reverse analysis shows that this build adds many functional interfaces on top of the open-source boa code to implement the router's features.

Most of these interfaces require authentication before use, but a few, such as login and logout, do not. Locating the process_header_end function in the boa binary reveals which functions unauthenticated users can reach. The key code (shown as an image in the original) can be summarized as follows: if the is_valid_user function determines that the request comes from an unauthenticated user, the code then uses strstr to check whether the requested URL is one of the interfaces such a user may use. Analysis and experiment show that, besides the login function, unauthenticated users can also call the formLanguageChange interface, which changes the language displayed by the web front end.

Next, the path into this function is found by locating and analyzing the dispatch function websaspinit. The key code is shown as an image in the original.

Analysis and experiment show that a POST request to http://[target_ip]/goform/formLanguageChange enters the formLanguageChange handler, which reads the config.i18n_language, currtime and nextpage parameters from the POST body through the websgetvar function.

In websgetvar, each parameter value is stored in memory allocated with strlen, malloc and memcpy, with no check or limit on the parameter length. This way of fetching parameters easily causes problems once the values reach a dangerous memory copy function, and it is the root cause of the vulnerability that follows.

[Figure: websgetvar function]

Continuing into the formLanguageChange function, the program writes the value of the currtime parameter with the dangerous function sprintf directly to the stack location 0x110-0xf8, resulting in a buffer overflow.

Analysis shows that the function's return address is saved at stack location 0x110-0x4, so when the parameter length exceeds 0xf4 bytes the return address is overwritten directly and the program's control flow is hijacked.

[Figure: formLanguageChange function]
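As an added illustration (not D-Link's code and not from the original article), the C below models a bounded replacement for the websgetvar/formLanguageChange pattern described above: the parameter is length-gated and validated before a bounded snprintf into the fixed stack buffer, so a value longer than 0xf4 bytes is rejected instead of reaching the saved return address. The buffer sizes come from the article; the 32-byte maximum, the digits-only rule and the sample request bodies are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Sizes mirror the article: sprintf fills a 0xf8-byte stack region and the saved return address sits 0xf4 bytes in. */
#define CURRTIME_BUF_LEN 0xf8
#define CURRTIME_MAX_LEN 32   /* assumption: a sane upper bound for a timestamp string */

/* Bounded counterpart of the websgetvar pattern: finds `name` in a urlencoded POST body and copies
 * its value only if it fits. Returns the value length, -1 if absent, -2 if it would not fit. */
int get_post_var(const char *body, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {                                   /* p always points at the start of a key=value pair */
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, "&");
            if (vlen >= outlen) return -2;              /* reject instead of overflowing the caller's buffer */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return -1;
}

/* Hardened form of the formLanguageChange step: length-gated, validated, then a bounded snprintf; truncation is an error. */
int handle_language_change(const char *body) {
    char currtime[CURRTIME_MAX_LEN + 1];
    char stackbuf[CURRTIME_BUF_LEN];
    int n = get_post_var(body, "currtime", currtime, sizeof currtime);
    if (n < 0) return -1;
    for (int i = 0; i < n; i++)
        if (currtime[i] < '0' || currtime[i] > '9') return -1;   /* assumption: timestamps are digits only */
    int w = snprintf(stackbuf, sizeof stackbuf, "%s", currtime);
    return (w < 0 || (size_t)w >= sizeof stackbuf) ? -1 : w;
}

/* Builds a constructed body whose currtime value is `len` digits, to exercise the length gate. */
int currtime_of_length(size_t len) {
    static char body[1024];
    if (len + 10 > sizeof body) return -1;
    memcpy(body, "currtime=", 9);
    memset(body + 9, '7', len);
    body[9 + len] = '\0';
    return handle_language_change(body);
}

int main(void) {
    /* constructed sample body in the shape the article describes; a 0xf5-byte value is rejected */
    printf("%d %d\n", handle_language_change("config.i18n_language=en&currtime=1548316800&nextpage=index.htm"), currtime_of_length(0xf5));
    return 0;
}
```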

Combined with the lack of protection mechanisms in the router's runtime environment, once an attacker controls program flow, arbitrary code execution can be achieved with ROP.

The ROP chain proceeds as follows:

1. Set the a0 parameter.

2. Call the sleep function.

3. Load a register with an address on the stack.

4. Jump to the shellcode on the stack via a register jump to complete exploitation.

[Figure: exploitation result]

That is how multiple high-risk D-Link vulnerabilities were found; the editor believes it contains knowledge points we may encounter or use in daily work. I hope you learned something from this article. For more details, please follow the industry information channel.
