What the Ridiculous Fuck, D-Link?!

As mentioned in an update to my post on the HNAP bug in the DIR-890L, the same bug was reported earlier this year in the DIR-645, and a patch was released. D-Link has now released a patch for the DIR-890L as well.

The patches for both the DIR-645 and DIR-890L are identical, so I’ll only examine the DIR-890L here.

Although I focused on command injection in my previous post, this patch addresses multiple security bugs, all of which stem from the use of strstr to validate the HNAP SOAPAction header:

  1. Use of unauthenticated user data in a call to system (command injection)
  2. Use of unauthenticated user data in a call to sprintf (stack overflow)
  3. Unauthenticated users can execute privileged HNAP actions (such as changing the admin password)

Remember, D-Link acknowledged all of the above in their security advisories, so they were clearly aware of all of these attack vectors.

So, did they remove the sprintf stack overflow?

sprintf(cmd_buf, "sh %s%s.sh > /dev/console", "/var/run", SOAPAction);

Nope.

Did they remove the call to system?

system(cmd_buf);

Of course not!

Are they using strcmp instead of strstr to validate the SOAPAction header?

if(strstr(SOAPAction, "http://purenetworks.com/HNAP1/GetDeviceSettings") != NULL)

Pfft, why bother?

Their fix to all these fundamental problems is to use the access function to verify that the SOAPAction is a valid, expected action by ensuring that the file /etc/templates/hnap/<SOAPAction>.php exists:

A call to sprintf(), followed by a call to access()

OK, that does at least prevent users from supplying arbitrary data to sprintf and system.

However, they’ve added another unbounded sprintf to the code before the call to access, so their patch for an unauthenticated sprintf stack overflow introduces a new unauthenticated sprintf stack overflow.

But here’s the kicker: this patch does nothing to prevent unauthenticated users from executing completely valid administrative HNAP actions, because all it does is ensure that the HNAP action is valid. That’s right, their patch doesn’t even address all the bugs listed in their own security advisory!

But I guess nobody really cares that any unauthenticated user can query information about hosts on the internal network, view/change system settings, or reset the router to its factory defaults:

$ wget --header="SOAPAction: http://purenetworks.com/HNAP1/GetDeviceSettings/SetFactoryDefault" http://192.168.0.1/HNAP1
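As an added illustration (this is not D-Link's code and not from the original post), here is the kind of check the patch should have contained: an exact-match allow-list of actions, an authentication gate for privileged ones, and a bounded snprintf, next to the substring check that accepts the header shown above. The action lists and the names hnap_action_ok, weak_check and build_cmd are assumptions for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not D-Link's code: what validating SOAPAction should look
 * like. Names (the action lists, hnap_action_ok, build_cmd) are assumed. */

#define HNAP_PREFIX "http://purenetworks.com/HNAP1/"

/* Constructed allow-lists for the example, not D-Link's real action set:
 * actions callable without a session, and actions that need admin auth. */
static const char *public_actions[] = { "GetDeviceSettings", NULL };
static const char *admin_actions[]  = { "SetFactoryDefault", "SetDeviceSettings", NULL };

static bool in_list(const char *const *list, const char *name) {
    for (; *list; list++)
        if (strcmp(*list, name) == 0)  /* exact match, never strstr */
            return true;
    return false;
}

/* The pattern the post describes: strstr accepts any header that merely
 * contains the expected action, so "GetDeviceSettings/SetFactoryDefault"
 * passes. Returns 1 when the weak check would accept the header. */
int weak_check(const char *soap_action) {
    return strstr(soap_action, HNAP_PREFIX "GetDeviceSettings") != NULL;
}

/* Hardened check: the header must be exactly PREFIX + a known action, and
 * privileged actions additionally require an authenticated session.
 * Returns the action name on success, NULL on rejection. */
const char *hnap_action_ok(const char *soap_action, bool authenticated) {
    size_t plen = strlen(HNAP_PREFIX);
    if (strncmp(soap_action, HNAP_PREFIX, plen) != 0)
        return NULL;
    const char *name = soap_action + plen;
    if (in_list(public_actions, name))
        return name;
    if (authenticated && in_list(admin_actions, name))
        return name;
    return NULL;
}

/* Bounded replacement for the unbounded sprintf: only ever fed an
 * allow-listed name, and refuses (-1) rather than overflowing cmd_buf. */
int build_cmd(char *cmd_buf, size_t n, const char *action) {
    int len = snprintf(cmd_buf, n, "sh /var/run/%s.sh > /dev/console", action);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}
```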

You stay classy, D-Link.

35 Responses to What the Ridiculous Fuck, D-Link?!

  1. Jayms says:

    Maybe the NSA asked them not to patch it but pretend like they did?

  2. Daniel S. Wilkerson says:

    Somehow beautifully horrible.

  3. barry says:

    “Maybe the NSA asked them”

    Taiwan is dependent on US help because of China.

    When you search for a UEFI update for your not-so-old MSI
    motherboard -EXPLOITABLE- you find nothing on the official MSI homepage……..

  4. Rena says:

    At this point it’s quite unclear whether they’re grossly incompetent or doing this deliberately.

  5. Sean says:

    Thus and such is why I dumped D-Link years ago. Some of the worst programming on the planet…

  6. David says:

    You don’t even have to look into the source code to realize how bad D-Link’s programming is. Just try to use their products and you’ll be confronted by loads of grotesque bugs.

  7. mister mint says:

    I wonder if D-Link engineers read websites like this after publishing their hard work… And go on…

  8. Cowicide says:

    The NSA and other criminal enterprises must really love this level of incompetence (and/or corruption).

  9. BadConspeeracySpellers says:

    Thanks Obama!

  10. Afuse says:

    Well I don’t know much about this but it does look pretty fkt up 😀

    • BadConspeeracySpellers says:

      Basically, they “patched” their code to prevent vulnerability scanners from detecting the original exploit. But since it seems that they are still employing 5-year-olds to design firmware, the same flaws repeat themselves.

      The flaw is: Anything you see in the URL, insert that command directly into a command line statement. This allows the attacker to insert any additional commands like, I dunno, adduser, maybe?

  11. Pingback: D-Link is dishonest again and again | Jordan's Tech Blog

  12. Pingback: D-Link’s Router Security May Be Horribly Flawed | Lifehacker Australia

  13. Bill says:

    Is the sprintf() issue technically a stack overflow? Isn’t it actually a potential buffer overflow, since they use sprintf() instead of snprintf()? I believe a stack overflow would be if they used user-supplied data in the format string.

    • Craig says:

      They do pass user-supplied data to the format string (SOAPAction).

      • Bill says:

        SOAPAction is supplied as a variable, not as the format string.

        • Craig says:

          I think you are confusing buffer overflows and format string vulnerabilities. Supplying SOAPAction as a variable for the %s in the format string as they have done in this case causes a stack based buffer overflow.

  14. Pingback: #secuthursday WK 16: Lücken in OS X, TP-Link Routern, X.org

  15. TonyQ says:

    The post is now spreading on Taiwan’s IT social network quickly.

  16. Pingback: The Security Times

  17. Pingback: Forvirringen er total: Firmware-opdatering har ikke lukket huller i routere | Computer Viden information

  18. I don’t believe engineers have the capability to be this negligent or incompetent .. this clearly looks deliberate.

  19. SadButTruth says:

    Taiwan is an ally of the US and will keep licking their a** as long as the world is spinning. So expect stuff like that on a daily basis =)

  20. AnonymousDIY says:

    Also, check the DNS-313. One of its problems is… full logging of all operations (copy/move/delete) on files/folders into a file on the Linux partition (Scanlog), as if it were to be sent to some entity to check every I/O operation done on the NAS.

  21. Pingback: Les liens de la semaine – Édition #128 | French Coding

  22. Pingback: Backdoor i parę “ciekawostek” w serii routerów D-Link DWR | Kamil Frankowicz

  23. NSAyoudishonorallwhodiedforfreedom says:

    THIS ^^^^
    They say “Never attribute to malice what one can attribute to incompetence.”
    Yet that’s merely a form of psy-op to get you to think what they WANT YOU to think. Or at best, a form of guarding one’s own mental health by choosing to see the world differently to how it actually is.
    Thus, a full-of-shit way to view things if one wishes things (on whatever scale) to turn out for the best (‘plan for the worst, expect the best’ principle).
    The NSA ‘has form’ as we say in British slang (past reputation and proven actions) for this kind of thing.
    A router is a single point of attack and an always-on device, likely a priority target on the chart of different devices.
    The more powerful routers get, the more powerful the yield from attacking them.

    The NSA has computing power measured in the SQUARE KILOMETERS of space it occupies, not measured by mere mortals’ normal measurements…

    It’s basically an infection spreading into every vulnerable part of the internet; with a huge reservoir of ‘pathogen’. People need to realise (not us, the COMMON man, needs-to). Humanity will be defined by this in the future, and the future’s here.

  24. Quan says:

    How can you build an OpenWrt firmware for the D-Link DIR-600L ver A1? I cannot find any firmware for the RTL8196C processor.

  25. nick says:

    dlink staff are FUCKING MORONS

  26. Pingback: D-Link DAP-1520 hacking: Part 1 | «WatchMySys» Blog

  27. Djfe says:

    Lol, my D-Link 845L is still vulnerable to the original bug.
    The last firmware update (1.02b7) is from 2013.
    As if it’s so much work to port this fix (even if the fix is bad)

    At least I only use it as an access point and switch behind my real router.
    And I can get telnet on it whenever I want xD.

    The real issues are probably viruses or bad applications in your network.

    One thing: Is it possible to execute this with XSS, so it would be enough to open a webpage?
    Can you define headers with JS?

  28. Herp Derpsson says:

    This has nothing to do with the NSA putting backdoors in the code, as was suggested earlier in a comment.

    I am quite fresh out of university, a newly hired programmer at a small company that makes software for trucks and cars.

    Some of my co-workers are, simply put, quite bad programmers. It’s exactly like the quota at the university of bad vs decent programmers. Some people never ‘get it’.

    I could totally see a few of my co-workers getting the assignment to fix the code and botching it up by just adding another bug. And no control from the team leader.
