D-Link DSR-250N Denial Of Service

#148
Topic created · 1 Posts · 0 Views
  • RedTeam Pentesting discovered a denial of service vulnerability in the D-Link DSR-250N device which allows unauthenticated attackers in the same local network to execute a CGI script that reboots the device. Version 3.12 is confirmed affected.
    MD5 | a274e955321f841c08a4f5a2f4a1dca9
    Download

    Advisory: Denial of Service in D-Link DSR-250N  
    RedTeam Pentesting discovered a Denial-of-Service vulnerability in the  
    D-Link DSR-250N device which allows unauthenticated attackers in the  
    same local network to execute a CGI script which reboots the device.  
    Details  
    =======  
    Product: D-Link DSR-250N  
    Affected Versions: 3.12 and potentially later  
    Fixed Versions: 3.17B  
    Vulnerability Type: DoS  
    Security Risk: low  
    Vendor URL: https://www.dlink.com/en/products/dsr-250n-wireless-n-unified-service-router  
    Vendor Status: notified  
    Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-002  
    Advisory Status: published  
    CVE: CVE-2020-26567  
    CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26567  
    Introduction  
    ============  
    "The D-Link Wireless N Unified Service Router (DSR-250N) provides  
    enhanced security, functionality and performance over a traditional VPN  
    router without the complexity of a full firewall solution. The D-Link  
    Wireless N Unified Service Router is a cost-effective, high performance  
    solution for securing a small business network."  
    (from the vendor's homepage)  
    More Details  
    ============  
    During a penetration test, the firmware for the D-Link DSR-250N router  
    was downloaded from D-Links official website[1] and extracted for  
    further analysis. It was then confirmed that CGI scripts exist on the  
    router that can be directly accessed with a web browser, without any  
    authentication. In particular, the script "upgradeStatusReboot.cgi"  
    executes the command to reboot the device. Its contents are:  
    ------------------------------------------------------------------------  
    #!/bin/sh  
    echo Content-type: text/plain  
    echo ""  
    stat=`/sbin/reboot -d 8 &`  
    echo $stat  
    ------------------------------------------------------------------------  
    Executing this script renders the device unusable for the time of the  
    reboot. In tests, it turned out that the device needs roughly four  
    minutes to complete a reboot. As a consequence, any network using the  
    device as a switch or router is not accessible during that time, too.  
    In the penetration test, the router's web interface was available  
    directly over the Internet. According to the vendor, the web interface  
    is by default disabled for the WAN interface.  
    Proof of Concept  
    ================  
    An HTTP GET request to the CGI script "upgradeStatusReboot.cgi" will  
    reboot the device:  
    ------------------------------------------------------------------------  
    $ curl -k -s https://IP-ADDRESS/scgi-bin/upgradeStatusReboot.cgi  
    ------------------------------------------------------------------------  
    Workaround  
    ==========  
    Access to the D-Link DSR-250N's web interface should only be enabled for  
    administrators, for example by only allowing access from specific IP  
    addresses in the firewall. Access over the WAN interface should also be  
    disabled if it was enabled manually.  
    Fix  
    ===  
    A preview firmware version named 3.17B which should correct the issue  
    was received at the end of September from the vendor. RedTeam Pentesting  
    was not able to verify the fix due to lack of access to a test device.  
    However, the formerly accessible CGI script is no longer part of the  
    firmware.  
    Security Risk  
    =============  
    No authentication is needed to excute the CGI script and thereby reboot  
    the device. Attackers might abuse this behaviour for targeted  
    denial-of-service-attacks against  D-Link customers, since rebooting the  
    device interrupts access to networks relying on this device for routing  
    or switching purposes. However, the attack is only possible if the  
    attacker resides on the same network, and no further information can be  
    gathered or control over the devices be obtained. Therefore, the  
    vulnerability is rated as a low risk.  
    Timeline  
    ========  
    2020-06-29 Vulnerability identified  
    2020-07-03 Customer approved disclosure to vendor  
    2020-07-03 Requested security contact from vendor via web formular  
    2020-07-03 Vendor replied with contact information  
    2020-07-07 Advisory provided to vendor  
    2020-09-28 Vendor provided fixed version to RedTeam Pentesting  
    2020-10-05 CVE ID requested  
    2020-10-06 CVE ID assigned  
    2020-10-08 Advisory released  
    References  
    ==========  
    [1] https://support.dlink.com/ProductInfo.aspx?m=DSR-250N  
    RedTeam Pentesting GmbH  
    =======================  
    RedTeam Pentesting offers individual penetration tests performed by a  
    team of specialised IT-security experts. Hereby, security weaknesses in  
    company networks or products are uncovered and can be fixed immediately.  
    As there are only few experts in this field, RedTeam Pentesting wants to  
    share its knowledge and enhance the public knowledge with research in  
    security-related areas. The results are made available as public  
    security advisories.  
    More information about RedTeam Pentesting can be found at:  
    https://www.redteam-pentesting.de/  
    Working at RedTeam Pentesting  
    =============================  
    RedTeam Pentesting is looking for penetration testers to join our team  
    in Aachen, Germany. If you are interested please visit:  
    https://www.redteam-pentesting.de/jobs/  
    --   
    RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0  
    Dennewartstr. 25-27                       Fax : +49 241 510081-99  
    52068 Aachen                    https://www.redteam-pentesting.de  
    Germany                         Registergericht: Aachen HRB 14004  
    Geschäftsführer:                       Patrick Hof, Jens Liebchen  
    

    Source: packetstormsecurity.com

Log in to reply