Overview
D-Link has received a report that a unreferenced webpage on the DCS-931L allows an authenticated attacker to upload arbitrary files. By allowing the attacker to specify the file location to write on the device, the attacker has the ability to upload new functionality to the camera.
References
Allen Harper - Tangible Security - disclosures@TangibleSecurity.com - Link
CERT Vulnerability :: CERT VU#377348
NIST Vulnerability ID :: CVE-2015-2049
Details
The DCS-931L has a hidden webpage at http://<device IP>/uploadfile.htm which allows a user to upload an arbitrary file, to a location of their choosing on the DCS-931L. By overwriting system files an attacker could dramatically change the functionality of the camera, up to and including running arbitrary binaries provided by an attacker.
This is an authenticated attack, however the DCS-931L does not have a password in it's default state. The DCS-931L will require you to configure a device password if you register it for use with the mydlink service.
This attack is normally a local attack, however it could be used as part of a CSRF attack against an authorized and authenticated user to upload a file of an attacker's choice.
Affected Products
Model Name
|
HW Version
|
Vulnerable FW Versions
|
Current FW Versions (include fixes)
|
DCS-930L |
A1 |
Rev. A1 :: 1.11 and before |
Current Release :: 1.12 (as of publishing)
Use Mobile Application to Update Device ::
iOS: iTunes
Android: Google Play
|
DCS-931L |
A1
|
Rev. A1 :: 1.05b04 and before
|
Current Release :: 1.07 (as of publishing)
Patch Release :: V1.05_b5
Use Mobile Application to Update Device ::
iOS: iTunes
Android: Google Play
|
DCS-932L |
A1 |
Rev. A1 :: 1.09 and before |
Current Release :: 1.10 (as of publishing)
Use Mobile Application to Update Device ::
iOS: iTunes
Android: Google Play
|
DCS-933L |
A1 |
Rev. A1 :: 1.05b04 and before |
Current Release :: 1.07 (as of publishing)
Use Mobile Application to Update Device ::
iOS: iTunes
Android: Google Play
|
Security patch for your D-Link Devices
These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.