
Medium security hole affecting DSL-G624T



Hi,

I've identified a couple of security flaws affecting the DSL-G624T firmware.  
I believe the directory traversal issue has been reported in other devices / 
firmware versions supplied by D-Link but not the combination I tested and 
clearly has not been resolved.  Additionally, the Javascript injection issue 
is I believe new and has not been reported on any device.

These issues were reported by email to the vendor at the usual addresses 
(support/security/etc) without response on 13th April 2007.  I also attempted 
to log faults on the vendor's support web site but sadly, it would not 
function adequately using either Firefox or Konqueror.

Tim
-- 
Tim Brown
<mailto:timb@xxxxxxxxxxxxxxxxxxxx>
<http://www.nth-dimension.org.uk/>
Nth Dimension Security Advisory (NDSA20070412)
Date: 12th April 2007
Author: Tim Brown <mailto:timb@xxxxxxxxxxxxxxxxxxxx>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: DSL-G624T router (V3.00B01T02.UK-A.20060208)
<http://www.dlink.co.uk/?go=gNTyP9CgrdFOIC4AStFCF834mptYKO9ZTdvhLPG3yV3oVo5+hKltbNlwaaFp7DQtFzrqyCJG948BANfh>
Vendor: D-Link <http://www.dlink.co.uk/>
Risk: Medium

Summary

Following the Securiteam posting "D-Link DSL-G604T Wireless Router
Directory Traversal", which described a directory traversal in release
V1.00B02T02.EU.20040618 of the DSL-G624T router firmware, research
was carried out on the DSL-G624T router which indicated that it too
was vulnerable to this and to a second vulnerability.  Nth Dimension
would also point out that the directory traversal has been reported in
other router and firmware combinations.

1) Firmware CGI is vulnerable to directory traversal and can be made
to retrieve any file to which the web server user has read access
(for example /etc/shadow).

2) Firmware CGI is vulnerable to Javascript injection within the 
requested URL.

Technical Details

1) The firmware CGI script can be made to read any arbitrary file that
the web server user has read access to, as it makes no sanity checks on
the value passed within the getpage parameter of the URL, for example:

http://192.168.1.1/cgi-bin/webcm?getpage=/etc/shadow

If the user has not yet authenticated, they are prompted for authentication
credentials before the request is processed.

As noted above, this vulnerability bears an uncanny resemblance to a previously
reported vulnerability in another D-Link router running a (presumably) older
version of the firmware.

2) The value of the URL requested is used within the web pages returned
by the firmware CGI script in its unsanitised form.  Specifically, it makes
no sanity checks on the value passed within the var:RelaodHref parameter of the
URL, for example:

http://192.168.1.1/cgi-bin/webcm?getpage=../html/home/home_RelaodHref.htm&var:RelaodHref=a"%20==%20"a";){alert("XSS")}}</script>

As with the directory traversal example, the user will be
prompted to authenticate if required.

Combining these vulnerabilities should allow the compromise of any router
running affected firmware versions.
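To show what the two missing sanity checks would look like, the following Python illustration is added here; it is not the firmware's own CGI code. It resolves getpage relative to the CGI directory and requires the result to stay inside the web root, and it emits the reflected var:RelaodHref value as an escaped JavaScript string literal rather than raw text. The directory layout (/usr/www and /usr/www/cgi-bin) and the page template are assumptions; the parameter names and the example values come from the advisory above.

```python
import json
import posixpath
from urllib.parse import parse_qs, urlsplit

# Assumed layout: the CGI runs from cgi-bin and pages live under the web root.
# The advisory's legitimate page reference ("../html/home/...") resolves
# relative to the CGI directory, so one level of ".." is expected and allowed.
WEB_ROOT = "/usr/www"
CGI_DIR = "/usr/www/cgi-bin"

# Assumed page template: the reflected value lands inside a <script> block.
PAGE_TEMPLATE = (
    "<html><head><script>\n"
    "var reloadHref = {reload};\n"
    'if (document.location.href == reloadHref) {{ document.title = "home"; }}\n'
    "</script></head><body></body></html>"
)


class RequestRejected(Exception):
    """Raised when a request fails one of the sanity checks."""


def resolve_getpage(getpage: str) -> str:
    """Map getpage to a file path that must remain inside WEB_ROOT.

    The missing check in the advisory is exactly this: the value was used
    without confining the resulting path, so an absolute path or enough ".."
    segments reached any file the web server user could read.
    """
    if not getpage or getpage.startswith("/"):
        raise RequestRejected("getpage must be a relative page name")
    # normpath collapses "." and ".." so the prefix test sees the real target.
    resolved = posixpath.normpath(posixpath.join(CGI_DIR, getpage))
    if not resolved.startswith(WEB_ROOT + "/"):
        raise RequestRejected("getpage escapes the web root")
    # A real implementation would also resolve symlinks (os.path.realpath)
    # before the prefix test; omitted here so the example runs offline.
    return resolved


def render_reload_page(reload_href: str) -> str:
    """Embed var:RelaodHref in the page as a safe JavaScript string literal.

    json.dumps yields a valid JS string literal with quotes and backslashes
    escaped, so the value cannot end the literal and start its own statements.
    "</" is escaped as well so the literal cannot close the <script> element,
    which is the other way out of a script context.
    """
    literal = json.dumps(reload_href).replace("</", "<\\/")
    return PAGE_TEMPLATE.format(reload=literal)


def handle_request(url: str) -> dict:
    """Apply both checks to a request URL and report what would be served."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    getpage = params.get("getpage", [""])[0]
    reload_href = params.get("var:RelaodHref", [""])[0]
    path = resolve_getpage(getpage)
    body = render_reload_page(reload_href) if reload_href else ""
    return {"path": path, "body": body}


if __name__ == "__main__":
    for url in (
        "http://192.168.1.1/cgi-bin/webcm?getpage=../html/home/home.htm",
        "http://192.168.1.1/cgi-bin/webcm?getpage=/etc/shadow",
        "http://192.168.1.1/cgi-bin/webcm?getpage=../../../etc/shadow",
    ):
        try:
            print(url, "->", handle_request(url)["path"])
        except RequestRejected as exc:
            print(url, "-> rejected:", exc)
```

Note that the authentication prompt mentioned above does not substitute for either check: an authenticated administrator following a crafted link still has both parameters processed, so the confinement and the output encoding have to happen in the CGI itself.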

Solutions

Unfortunately, Nth Dimension are unaware of any fixes for these issues
at the current time.  Note that 2 years have elapsed, and 2 major releases
of the firmware have occurred, since the original Securiteam advisory was
published.
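With no vendor fix available, the practical compensating control is to watch for requests of these two shapes in the router's (or an upstream proxy's) access log. The following Python scanner is an added example and not part of the advisory: the log lines are constructed, and the Common Log Format and the /usr/www/cgi-bin base directory are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumed: the CGI resolves getpage relative to cgi-bin under this web root.
WEB_ROOT = "/usr/www"
CGI_DIR = "/usr/www/cgi-bin"

# Characters that never occur in a legitimate page name but are needed to
# break out of a string inside a <script> block.
INJECTION_CHARS = set('<>"\'();{}')

# Common Log Format; the request target is everything between the method and
# the protocol so that odd characters in the query string do not break parsing.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>.+?) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)

# Constructed sample log: a benign page load, the two patterns from the
# advisory (quotes and spaces percent-encoded as a browser would send them),
# and a benign use of var:RelaodHref.
SAMPLE_LOG = """\
192.168.1.50 - - [13/Apr/2007:10:00:01 +0100] "GET /cgi-bin/webcm?getpage=../html/home/home.htm HTTP/1.1" 200 1532
192.168.1.77 - - [13/Apr/2007:10:00:05 +0100] "GET /cgi-bin/webcm?getpage=/etc/shadow HTTP/1.1" 200 412
192.168.1.77 - - [13/Apr/2007:10:00:09 +0100] "GET /cgi-bin/webcm?getpage=../html/home/home_RelaodHref.htm&var:RelaodHref=a%22%20==%20%22a%22;){alert(%22XSS%22)}}%3C/script%3E HTTP/1.1" 200 980
192.168.1.50 - - [13/Apr/2007:10:00:12 +0100] "GET /cgi-bin/webcm?getpage=../html/home/home_RelaodHref.htm&var:RelaodHref=../html/home/home.htm HTTP/1.1" 200 980
"""


def classify(url: str) -> list:
    """Return the advisory patterns a request target matches (empty if none)."""
    findings = []
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for getpage in params.get("getpage", []):
        # Anything absolute, or anything that leaves WEB_ROOT once ".." is
        # collapsed, is the traversal pattern (issue 1).
        resolved = posixpath.normpath(posixpath.join(CGI_DIR, getpage))
        if getpage.startswith("/") or not resolved.startswith(WEB_ROOT + "/"):
            findings.append("traversal")
            break
    for value in params.get("var:RelaodHref", []):
        # A page name never needs quotes or braces; their presence is the
        # injection pattern (issue 2).
        if INJECTION_CHARS & set(value):
            findings.append("script-injection")
            break
    return findings


def scan_log(text: str) -> list:
    """Parse each log line and return (ip, url, findings) for flagged requests."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not CLF; a real scanner would count these separately
        findings = classify(match.group("url"))
        if findings:
            hits.append((match.group("ip"), match.group("url"), findings))
    return hits


if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG):
        print(ip, ",".join(findings), url)
```

The checks deliberately mirror what a fixed CGI would enforce rather than matching the exact strings in the advisory, so encoded or reordered variants of the same requests are still reported; a legitimate var:RelaodHref value is a page path and never needs the flagged characters.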