1. Introduction
D-Link recently released an announcement[1] stating that its DAP-2020 product has an arbitrary file read vulnerability, assigned CVE-2021-27250. The PoC has been tested on hardware version A1 with firmware version 1.01. Since the vulnerability lies in a core component, other versions may also be affected.
2. Vulnerability impact distribution
There are currently approximately 1,882,813 potentially vulnerable hosts exposed online, with the largest share located in Colombia. Local Internet usage statistics[2] show that 65% of the population there uses the Internet; based on Colombia's total population of 49.65 million, that gives an estimated 32 million Internet users.
Data source: NSFOCUS Threat Intelligence Center
3. Architecture and Firmware Extraction
Because the manufacturer's official "firmware update" image is not encrypted, it can be analysed directly; there is no need to dump the flash via UART or SPI.
Firmware download address:
ftp://ftp.dlink.de/dap/dap-2020/driver_software/DAP-2020_fw_reva_102rc002_ALL_en_20200322.zip
After downloading the firmware from D-Link’s FTP server, the filesystem can be extracted using binwalk.
binwalk -e DAP-2020_RevA_Firmware_102rc002.bin
The important files are stored in the webroot at usrwww, which contains the HTML files served by the web server and a cgi-bin directory. The binaries that implement the functionality are:
Webproc: the main binary that handles the web interface.
Webupg: handles file uploads, firmware upgrades and configuration changes.
The system protection measures in place can be checked with the checksec program; the results are as follows:
The results show that the security features were not enabled at compile time.
4. Vulnerability Analysis
At login, the POST request carries many optional tags. The errorpage tag specifies the page to jump to in order to display information when login fails. Because the program does not sufficiently filter user input, an attacker can, on a failed login, point errorpage at any file by modifying the tag's value, and thereby read that file.
HTTP POST request at login
Because the user-supplied path is not filtered before the file operation, the content of the file named by the errorpage tag is returned in the response, so an attacker can use this tag to read sensitive files on the target system.
Read log file
Modify the errorpage tag and read the /var/log/sysevent.txt log file:
POST request
/var/log/sysevent.txt log content returned in Response
Read sensitive files such as passwd
5. Summary
Because errorpage paths are not reasonably filtered, a user can arbitrarily modify the content of this tag, trigger file operations and cause information leakage. During development it is recommended to fully consider the security scenarios in which files are used and to apply security checks to parameter paths, so as to avoid further network attacks enabled by the leakage of sensitive data.
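The parameter check recommended above, applied to the errorpage tag described in Section 4, as an added example that is not code from the DAP-2020 firmware: the value is validated lexically (no filesystem access) so that it can only name an .html page below the webroot, and any absolute path or ".." component is refused. The webroot path /usr/www and the function name are assumptions; the article itself gives the directory as usrwww.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define WEBROOT "/usr/www"   /* assumed webroot; the article gives it as "usrwww" */

/* Hypothetical hardened handler for the errorpage tag. Returns 1 and writes
 * the resolved page path into out if value is acceptable, 0 otherwise.
 * Must be called on the URL-decoded value so encoded dots cannot slip past. */
int errorpage_resolve(const char *value, char *out, size_t outlen)
{
    /* reject empty, absolute, over-long and unexpected-character input */
    if (value == NULL || *value == '\0' || *value == '/') return 0;
    size_t len = strlen(value);
    if (len >= 256) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!(isalnum(c) || c == '/' || c == '.' || c == '_' || c == '-')) return 0;
    }
    /* walk the components; refuse ".." so the path can never climb out of WEBROOT */
    const char *p = value;
    char clean[256];
    size_t n = 0;
    while (*p) {
        const char *slash = strchr(p, '/');
        size_t clen = slash ? (size_t)(slash - p) : strlen(p);
        if (clen == 2 && p[0] == '.' && p[1] == '.') return 0;
        if (clen > 0 && !(clen == 1 && p[0] == '.')) {   /* skip empty and "." */
            if (n + clen + 1 >= sizeof clean) return 0;
            clean[n++] = '/';
            memcpy(clean + n, p, clen);
            n += clen;
        }
        if (!slash) break;
        p = slash + 1;
    }
    clean[n] = '\0';
    if (n == 0) return 0;
    /* only .html pages are valid error pages; logs, passwd etc. never qualify */
    const char *ext = strrchr(clean, '.');
    if (!ext || strcmp(ext, ".html") != 0) return 0;
    int w = snprintf(out, outlen, "%s%s", WEBROOT, clean);
    return w > 0 && (size_t)w < outlen;
}
```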