Overview

D-Link has received a report that a unreferenced webpage on the DCS-931L allows an authenticated attacker to upload arbitrary files. By allowing the attacker to specify the file location to write on the device, the attacker has the ability to upload new functionality to the camera.


References

Allen Harper - Tangible Security - disclosures@TangibleSecurity.com - Link

CERT Vulnerability :: CERT VU#377348

NIST Vulnerability ID :: CVE-2015-2049

Details

The DCS-931L has a hidden webpage at http://<device IP>/uploadfile.htm which allows a user to upload an arbitrary file, to a location of their choosing on the DCS-931L.  By overwriting system files an attacker could dramatically change the functionality of the camera, up to and including running arbitrary binaries provided by an attacker.

This is an authenticated attack, however the DCS-931L does not have a password in it's default state.  The DCS-931L will require you to configure a device password if you register it for use with the mydlink service.

This attack is normally a local attack, however it could be used as part of a CSRF attack against an authorized and authenticated user to upload a file of an attacker's choice.

Affected Products

 
Security patch for your D-Link Devices
 
These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
 
As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.