Pulse Security Ltd - Security Advisory PSA-2020-003
D-Link DSL-2640B - CGI Authentication bypass

Advisory Information
--------------------

Published: 2020-03-28
Version: 1.0
Manufacturer: D-Link
Affected Model: DSL-2640B
Hardware version: B2
Firmware version: ver.4.01 (Europe)

Potentially affected:
- DSL-2640B, HW version B3
- DSL-2641B

Discovered by: Cristofaro Mune - Pulse Security Ltd

Vulnerability Details
---------------------

Class: CWE-306: Missing Authentication for Critical Function

Public References: CVE-2020-9277

Platform:
Successfully tested on D-Link DSL-2640B, HW version B2, with the latest available firmware: EU_4.01B. Other models and/or firmware versions may also be affected.

Background Information:
D-Link DSL-2640B is an ADSL2/2+ router gateway that provides DSL, wireless and wired connectivity to local networks. The product has reached End-of-Life. No security patches or upgrades are currently provided by D-Link.

Summary:
An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. The device can be reset to its default configuration by accessing an unauthenticated URL.

Details:
The cfm process running on the device implements the main web interface tasks, such as URL parsing and authentication enforcement during login. The URL parsing process for a cgi module is outlined below.

1) First, the URL handling function is selected by checking the file extension being requested. The function handling authentication, if any, is also selected at this point. Authentication is not performed immediately, but later, before the requested resource is accessed. Requests for cgi modules, ending in .cgi, are handled by the do_cgi function, and authentication is required for accessing these modules.

2) The URL parsing process then identifies a set of resources which do not require authentication.
For such resources authentication is skipped entirely, regardless of whether an authentication function was selected in step 1). The identification is performed by checking whether the requested URL path starts with any of the following strings:
- images/
- stylemain
- util.js
- logout.html
- multilang.html

3) After authentication is performed, control is passed to the URL handling function: do_cgi for cgi modules. The function then identifies the module to execute by searching for a matching module name in the URL with the strstr() function.

Combining 1), 2) and 3) shows that it is possible to bypass authentication for cgi modules by prepending the string "images/" to the module name.

Example (password modification):
- Original URL: http://192.168.1.1/redpass.cgi?sysPassword=newpass
- Attack URL: http://192.168.1.1/images/redpass.cgi?sysPassword=newpass

After sending a GET request with the Attack URL above, the device password is changed without authentication and without knowledge of the previous password. Given that all the major configuration tasks are performed via cgi modules, an attacker exploiting this vulnerability can achieve full device control.

Proof-of-concept:
curl http://192.168.1.1/images/redpass.cgi?sysPassword=newpass

The device password is changed to 'newpass'.

Exploitability:
The vulnerability is directly exploitable from any host connected to the LAN or WiFi interface. The vulnerability may also be exploited by an attacker on the Internet, by pivoting through the browser of a user connected to the LAN/WiFi interface.

Impacts:
Full device control can be obtained by a remote attacker. Malicious firmware upload or changing security-sensitive settings (e.g. DNS servers) can be achieved.
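To show the root cause in code, the following is an added example, not code from this advisory or from the D-Link firmware: it models the prefix exemption and strstr() module lookup described in steps 1) to 3), and puts a hardened dispatch check beside it. The function names, the fixed-size path buffer and the default-deny choice are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <string.h>

/* Prefixes that, per the advisory, exempt a request from authentication. */
static const char *const unauth_prefixes[] = {
    "images/", "stylemain", "util.js", "logout.html", "multilang.html", NULL
};

static bool has_suffix(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

/* Vulnerable decision, as the advisory describes it: a prefix match on the
 * raw URL skips authentication before the handler runs, and do_cgi then
 * locates the module with a substring search, so the prefix is ignored. */
bool vulnerable_requires_auth(const char *url) {
    for (int i = 0; unauth_prefixes[i]; i++)
        if (strncmp(url, unauth_prefixes[i], strlen(unauth_prefixes[i])) == 0)
            return false;                  /* "images/redpass.cgi..." exits here */
    return strstr(url, ".cgi") != NULL;    /* cgi modules need authentication */
}

/* Hardened decision (assumed design, not a vendor fix): strip the query
 * string, reject non-canonical paths, pick the handler from the extension
 * first, and never exempt a request that would reach do_cgi. The static
 * resource exemption applies only once the cgi case has been ruled out. */
bool hardened_requires_auth(const char *url) {
    char path[256];
    size_t n = strcspn(url, "?");          /* keep the path component only */
    if (n >= sizeof path) return true;     /* oversized path: fail closed */
    memcpy(path, url, n);
    path[n] = '\0';
    if (strstr(path, "..") != NULL) return true;   /* no dot-dot segments */
    if (has_suffix(path, ".cgi")) return true;     /* do_cgi: always authenticate */
    for (int i = 0; unauth_prefixes[i]; i++)
        if (strncmp(path, unauth_prefixes[i], strlen(unauth_prefixes[i])) == 0)
            return false;                  /* genuine static resource */
    return true;                           /* default deny for anything else */
}
```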
Solutions & Workaround:
Not available

Additional Information
----------------------

Timeline (dd/mm/yyyy):
05/02/2020: Contacted D-Link
05/02/2020: Provided vulnerability details
05/02/2020: D-Link acknowledged receipt of the report
06/02/2020: D-Link "elevated the issues to R&D for investigation"
07/02/2020: Informed D-Link of planned disclosure at 30 days from initial contact, unless more time was required for a fix.
14/02/2020: Requested CVE from Mitre Root CNA
19/02/2020: Received assigned CVE from Mitre
22/02/2020: Communicated CVE number to D-Link. Status update requested from D-Link. No response received.
06/03/2020: Vulnerability publicly discussed at Nullcon 2020.
28/03/2020: This advisory.