Akamai Diversity

Akamai Security Intelligence
& Threat Research

Command Injection on a D-Link Router

Written By, Assaf Vilmovski

During the COVID-19 pandemic, I wanted to extend the local WiFi in my home to reach all the floors. The goal was to have full connectivity from every location in the house.

As excited as I was to deploy the device and extend my network, eventually we decided to keep the top floor WiFi free, and I was left with a spare router.
I decided to dive into some research on the device.

 

Starting Off:

To connect to its default access point (AP), you need to type the hardcoded token listed on the bottom of the device, as well as the user name, password, and the gateway address into the device's web interface. Once loaded, I started to browse the user interface. It looked like many other D-LINK products related to home networks, so I was in comfortable territory.

 

 

Figure 1: DAP-1360U -  taken from http://www.dlink.ru/il/products/2/2056.html

DAP-1360 - Overview

The D-Link DAP-1360, according to the company's documentation, can "provide your wired network with wireless connectivity or upgrade your existing wireless network and extend its coverage."

The vulnerability I discovered was found in H/W Ver. A1, F/W Ver. 2.5.5, within the ping functionality of the web interface. 

The Ping Utility

I ran a quick scan of the UI, looking for a weak spot that might be exploitable. I found a built-in function acting as a potential exploit vector - the ping utility. 

The ping utility lets you check the availability of a host from a local or global network. On the device, the ping utility sends echo requests to a specified host and receives echo replies.

 

What happens when I enter an IP address and hit start? The IP is inserted into a GET request query parameter, with a JSON format along with other parameters required in order for the OS (script or listener) to respect the request.

For example: 

GET

/index.cgi?v2=y&proxy=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=18&res_buf={%22host%22:%22192.168.0.5%22,%22count%22:1}&res_struct_size=0&res_pos=-1&tokenget=1268&&_=1593893639702 HTTP/1.1

Host: 192.168.0.5

I see the position of the parameter inside the payload. With that information, I turned to Burp Suite, a collection of security tools used for vulnerability assessments and penetration testing. 

Within Burp Suite, I positioned the §p1val§ around the index of the IP and loaded it with payloads. 

I used several known CMDi lists from PayloadsAllTheThings.

Fortunately, the device did not ban me after multiple attempts, so I managed to find a format that responds with a valid status and retrieves a valid payload. To do this quickly, I had set special regex to extract the data from the response so it would  appear in the main results window, instead of opening each response separately.

Another useful tip for penetration testers would be to check the size of the response, bigger size sometimes means we got a valid or different response from the server which is worth expanding if no extracts were applied.

 

Results

If you add '| ls -l'" to the hardcoded ping, encoded to %7c%20ls%20-l%22 (pipe <command>), the ping will run as expected, before my injected command. In this case, ls -l is the directory listing command.

 

Here's a snapshot of the response in Burp Suite:

 

 

How a malicious request looks:

 

GET /index.cgi?v2=y&proxy=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=18&res_buf={%22host%22:%22192.168.0.52%7c%20ls%20-l%22,%22count%22:1}&res_struct_size=0&res_pos=-1&tokenget=1268&&_=1593893639702 HTTP/1.1

Host: 192.168.0.52

Implications

Because the utility of the D-Link router will accept any command, an attacker can view, edit, or create any folder or file on the device. This opens the door to a number of attacks.

Let's say I login as "user" and the permissions on this account mean I can browse and manage the device, but I'm unable to login to the filesystem. In this example, the ping utility is in the OS and runs under a higher privileged account when compared to 'user'. This is a simple example of privilege escalation.

In the same scenario, a malicious user would be able to implement a persistent backdoor, allowing them to access the machine, with a higher privileged user on a regular basis, hidden from the conventional traffic logged by the device. 

Disclosure:

Discovering a vulnerability, requires a strict protocol of ethical disclosure. Once my findings were confirmed, I worked with the D-Link security team to address the issues by disclosing it to them directly. They were able to confirm the vulnerabilities and release a patch to fix them.

The fixes were released in Firmware update 3.0.1. 

TIMELINE

4/07/2020: Report to d-link

5/07/2020: D-link security team response - waiting for their verification

15/07/2020: D-link confirms CMDi, providing a firmware for me to test the fix

18/07/2020: Tested the latest provided firmware, the vulnerability does no longer exist.

06/10/2020: CVE-2020-26582 assigned

DLINK's Confirmation:

D-link confirmation