[Exploitation] D-Link DAP-1860 Vulnerability

Introduction

In September 2019, I found two vulnerabilities in the D-Link Access Point DAP-1860: a command injection leading to unauthenticated remote code execution, and an authentication bypass. These are critical vulnerabilities because I can attack successfully without authentication. If your access point was bought from D-Link and it is a DAP-1860, please update the firmware or contact the vendor for assistance, because the vulnerabilities I found exist in the latest firmware version of the DAP-1860.

Below is the Web Admin Interface of the DAP-1860:

(Image: screenshot of the DAP-1860 Web Admin Interface)

Vulnerability Details

CVE 2019-19597

Discoverer: chung96vn, VinCSS (Member of Vingroup)

Title: Command injection leading to unauthenticated remote code execution (RCE).

When I tried to understand how authentication works on the Web Admin of the DAP-1860, I found an issue in the uhttpd server of this device when a user sends an HNAP request. If the request requires authentication, the uhttpd server checks the value of the HNAP_AUTH header. Below is the code used to verify HNAP_AUTH.

(Image: screenshot of the HNAP_AUTH verification code)

Looking at the code from line 243 to 246, I found an issue: a command injection. A user can control the value of HNAP_TIME to inject a command. Below is my request to run a command on the device.

(Image: proof-of-concept request)

Remember that if you want to perform the request without authentication, you must bypass some conditions. In this post I can't provide them because it would be dangerous for D-Link's customers.


CVE 2019-19598

Discoverer: chung96vn, VinCSS (Member of Vingroup)

Title: Authentication Bypass

After reporting the vulnerability above to the vendor, I also found another vulnerability in the DAP-1860. When a user sends an HNAP request, the server splits the HNAP_AUTH header into two parts, hnap_code and hnap_timestamp. The hnap_timestamp value is verified against the value stored in the /var/hnap/timestamp file (current_timestamp). After that, the hnap_timestamp value is stored in /var/hnap/timestamp. Looking at the image below, if hnap_timestamp <= current_timestamp and hnap_timestamp >= current_timestamp - 9, the value of the local_3c variable is set to 0.

(Image: decompiled timestamp window check)

Looking at line 241 in the image below, if the variable local_3c != 1, we pass the HNAP_AUTH verify function. Through that, I can bypass authentication and access all HNAP APIs.

(Image: decompiled code around line 241, the local_3c check)

Finally, to bypass authentication, I first send a request to overwrite the server's current_timestamp; after that, I make a request with hnap_timestamp equal to the server's current_timestamp. These requests access all HNAP APIs without credentials.
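The two checks side by side, as an added Python model that is not code from the device, from D-Link, or from this post: the first reproduces the timestamp window described above (assumptions: hnap_code is not consulted in that path, and the received timestamp is stored even when the check fails, which is what the bypass relies on); the second is a hardened verifier that checks an HMAC (assumed key and SOAP-action binding) before touching any stored state and refuses non-numeric, stale or replayed timestamps, so a header value that is not plain digits, like the HNAP_TIME value behind CVE-2019-19597, is rejected before it can reach anything else.

```python
import hmac
import hashlib

# From the post: hnap_timestamp is accepted when it lies in
# [current_timestamp - 9, current_timestamp].
WINDOW_SECONDS = 9


class FlawedVerifier:
    """Model of the check as the post describes it (assumptions: hnap_code is
    ignored in this path; the received timestamp is stored even on failure)."""

    def __init__(self):
        self.current_timestamp = 0  # stands in for /var/hnap/timestamp

    def verify(self, hnap_auth: str) -> bool:
        _hnap_code, ts_str = hnap_auth.split(" ", 1)
        ts = int(ts_str)
        accepted = self.current_timestamp - WINDOW_SECONDS <= ts <= self.current_timestamp
        self.current_timestamp = ts  # stored unconditionally: the next request can match it
        return accepted


class HardenedVerifier:
    """Hardened variant (added here, not D-Link's fix): MAC first, numeric and
    strictly increasing timestamp, nothing written on failure."""

    def __init__(self, key: bytes, clock):
        self.key = key
        self.clock = clock  # callable returning the server's current time
        self.last_timestamp = 0

    def verify(self, hnap_auth: str, soap_action: str) -> bool:
        parts = hnap_auth.split(" ")
        if len(parts) != 2 or not parts[1].isdigit():
            return False  # digits only: no shell metacharacters can ride along
        code, ts = parts[0], int(parts[1])
        expected = hmac.new(self.key, f"{ts}{soap_action}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(code, expected):
            return False  # unauthenticated caller: stored state untouched
        if ts <= self.last_timestamp or abs(ts - self.clock()) > WINDOW_SECONDS:
            return False  # replayed or stale
        self.last_timestamp = ts
        return True


def make_auth(key: bytes, ts: int, soap_action: str) -> str:
    """Client side of the hardened scheme (assumed format: '<hmac> <timestamp>')."""
    code = hmac.new(key, f"{ts}{soap_action}".encode(), hashlib.sha256).hexdigest()
    return f"{code} {ts}"
```

With the flawed model, a first request only seeds the stored timestamp and a second request carrying the same value is accepted without any credential; the hardened verifier rejects both, and also rejects a valid token presented twice.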

Disclosure Timeline

  • 30/09/2019: Reported the vulnerability in the DAP-1860 to D-Link.
  • 02/10/2019: Reported again to D-Link after 2 days with no response from D-Link.
  • 02/10/2019: D-Link replied by email to notify that the vulnerability was sent to the R&D team to verify.
  • 09/10/2019: D-Link confirmed the issue and started work on a patch.
  • 09/10/2019: Reported the other vulnerability in the DAP-1860 to D-Link.
  • 11/10/2019: D-Link replied by email to notify that the vulnerability was sent to the R&D team to verify.
  • 24/10/2019: D-Link confirmed both issues and continued work on a patch.
  • 14/11/2019: D-Link released the patched firmware and announced the issue.

Solution

  • Please update the firmware of your device.
  • If the firmware isn't patched, please contact the vendor for assistance.
