Security Advisories
DSP-W215 - Rev. A1 - Stack Overflow - Command Bypass - Information Disclosure - (FW 1.02 and Older)
Publication ID: SAP10027
Resolved Status: Yes
Published on: 15 May 2014 10:04 GMT
Last updated on: 11 August 2014 10:22 GMT

Overview

 

The DSP-W215 Rev. A1 contains a flaw that allows a malicious user to cause an overflow (a halt in the executing application) in the device software, which allows access to its operating system and allows unauthenticated commands to be executed.

 

References

 

Craig @ /dev/ttyS0 - Link 

 

Description

 

To preserve the author's intent and the accuracy of the disclosure, please read it at: 

 

This product was released in May 2014. The mobile application required to install and use the device will notify the user to upgrade immediately when patches become available.

 

The author discovered the exploits by inspecting the firmware and recognizing how the mobile applications use the Home Network Administration Protocol (HNAP) to configure the smart plug.

 

By accessing the device application for the plug through the HNAP protocol, a malicious user can access device information without authentication. Once this information is disclosed, an exploit can be pushed to the device, crashing the application and giving the malicious user access to the core operating system to perform further exploits. This can lead to the device being reconfigured and/or unstable.

 

Since the product is an application on the LAN side of your home network, the malicious user would have to have exploited the home network or have direct access to the network on which the device is located.

 

This device does not utilize a web-based configuration interface; it is dependent on the mobile applications, which we encourage you to use for updates. In the event you would like to manually update the product, a link below is available with the new firmware. Upgrading manually with the provided instructions requires significant technical skill. Our technical support call centers will not be able to help you with manual upgrades, only with mobile application upgrades should you need help.

 

Due to the nature of the attack(s) described by the author and the rootkit provided by the disclosure. As the author had commented, the vulnerabilities would require access to the LAN, until the most recent disclosure, which takes advantage of a CSRF vulnerability.

 

D-Link will require an extended period of time to develop the necessary counter-measures for these vulnerabilities. We have beta firmware under certification tests, but will not offer it through the mobile application until it has passed completely.

 

The recommendation is to utilize the device remotely only through the mobile application and mydlink. Do not allow remote access to the device through your firewall for any reason, and do not allow PC browsers to access the device directly if a browser requests it.

 

The D-Link Smartplug mobile application will notify users when a fix/upgrade is available. The user will be able to upgrade by simply confirming the device upgrade.

 

 

Affected Product

   

| Model Name | HW Version | Current FW Version | New FW Version for this exploit fix |
|---|---|---|---|
| DSP-W215 | A1 | v. 1.09 and older | FW: 1.10 (Use Mobile Application to Update); iOS: iTunes; Android: Google Play |

 

Security patch for your D-Link Devices

 

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

 

As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device web configuration.