0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
D-Link DSL-320B-D1 Pre-Authentication Buffer Overflow Vulnerability
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Multiple Pre-Auth Stack Buffer Overflow in D-Link DSL-320B-D1 ADSL Modem
======== < Table of Contents > =========================================
0. Overview
1. Details
2. Solution
3. Disclosure Timeline
4. Thanks & Acknowledgements
5. References
6. Credits
7. Legal Notices
======== < 0. Overview > ===============================================
Release Date: 7 March 2021
Revision: 1.0
Impact:
The ADSL modem DSL-320B-D1, version EU_1.25 and lower, is affected to
multiple Stack Buffer Overflows that allow unauthenticated remote
attackers to takeover the device.
Severity: Critical
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-ID: CVE-2021-26709
Vendor: D-Link
Affected Products: DSL-320B-D1
Affected Versions: EU_1.25 and lower
======== < 1. Details > ================================================
During a Penetration Test it was possible to identify and exploit
multiple Stack Buffer Overflows (1) in the D-Link DSL-320B-D1 ADSL modem
,a now legacy model, which is distributed in the past by Telecom Italia
on loan for use together with the residential ADSL line.
The vulnerabilities are present in the login functionality, exposed by
"login.xgi" with "user" and "pass" parameters.
[[
GET /login.xgi?user=" + payload + "&pass=abcde HTTP/1.1\nHost: " +
host + "\n\n"
]]
To exploit the vulnerability using "user" parameter, you need
construct the payload like the following:
[[
OFFSET = 652
ADDR = 0x7ffe8ab0
payload = "A"*OFFSET
payload += pack(">I", ADDR)
payload += shellcode
]]
While the "pass" parameter uses 641 as offset.
The payload must be passed as parameter value in a GET request.
You can found a working shellcode here:
https://www.exploit-db.com/shellcodes/45541
You will have to change the ip/port to match your network configuration.
Using ROP is possible to avoid to use the hardcoded addresses.
======== < 2. Solution > ===============================================
Refer to D-Link Support Announcements "SAP10216" for details (2).
======== < 3. Disclosure Timeline > ====================================
09/01/2021 : Discovery of the vulnerability
23/01/2021 : Vulnerability submitted to vendor
25/01/2021 : Vendor request more info about exploit the vulnerabilities
27/01/2021 : Sent details to vendor
01/02/2021 : Request status update to the vendor
13/02/2021 : Sent CVE assigned by mitre to vendor
13/02/2021 : Vendor response, analysis in progress
30/03/2021 : Request status update to the vendor
30/03/2021 : Vendor confirm the vulnerabilities
07/04/2021 : Public disclosure
======== < 4. Thanks & Acknowledgements > ==============================
D-Link US SIRT
======== < 5. References > =============================================
(1) https://cwe.mitre.org/data/definitions/121.html
(2) https://supportannouncement.us.dlink.com/announcement/publication.as
px?name=SAP10216
(3) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26709
# 0day.today [2024-11-14] #