Hi, I've identified a couple of security flaws affecting the DSL-G624T firmware. I believe the directory traversal issue has been reported in other devices / firmware versions supplied by D-Link but not the combination I tested and clearly has not been resolved. Additionally, the Javascript injection issue is I believe new and has not been reported on any device. These issues were reported by email to the vendor at the usual addresses (support/security/etc) without response on 13th April 2007. I also attempted to log faults on the vendors support web site but sadly, it would not function adequately using either Firefox nor Konqueror. Tim -- Tim Brown <mailto:timb@xxxxxxxxxxxxxxxxxxxx> <http://www.nth-dimension.org.uk/>
Nth Dimension Security Advisory (NDSA20070412) Date: 12th April 2007 Author: Tim Brown <mailto:timb@xxxxxxxxxxxxxxxxxxxx> URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/> Product: DSL-G624T router (V3.00B01T02.UK-A.20060208) <http://www.dlink.co.uk/?go=gNTyP9CgrdFOIC4AStFCF834mptYKO9ZTdvhLPG3yV3oVo5+hKltbNlwaaFp7DQtFzrqyCJG948BANfh> Vendor: D-Link <http://www.dlink.co.uk/> Risk: Medium Summary Following the Securiteam posting "D-Link DSL-G604T Wireless Router Directory Traversal" which described a directory traversal in release V1.00B02T02.EU.20040618 of the DSL-G624T router firmware, research was carried out on the DSL-G624T router which indicated that it too was vulnerable to this and a second vulnerability. Nth Dimension would also point out that the directory traversal have been reported in other router and firmware combinations. 1) Firmware CGI is vulnerable to directory traversal and can be made to retrieve any file to which the web server user has read access (for example /etc/shadow). 2) Firmware CGI is vulnerable to Javascript injection within the requested URL. Technical Details 1) The firmware CGI script can be made to read any arbitrary file that the web server user has read access to, as it makes no sanity checks on the value passed within the getpage parameter of the URL, for example: http://192.168.1.1/cgi-bin/webcm?getpage=/etc/shadow In the event that the user has not authenticated, then the user is prompted for authentication credentials before the request is processed. As noted above this vulnerability bares an uncanny resemblance to a previously reported vulnerability with another D-Link router running a (presumably) older version of the firmware. 2) The value of the URL requested is used in within the web pages returned by the firmware CGI script, in its unsanitised form. Specifically, it makes no sanity checks on the value passed within the var:RelaodHref parameter of the URL, for example: http://192.168.1.1/cgi-bin/webcm?getpage=../html/home/home_RelaodHref.htm&var:RelaodHref=a"%20==%20"a";){alert("XSS")}}</script> As with the example of Javascript injection, the user will be prompted to authenticate if required. Combining these vulnerabilities should allow the compromise of any router running affected firmware versions. Solutions Unfortunately, Nth Dimension are unware of any fixes for these issues at the current time. Note that 2 years have elapsed, and 2 major releases of the firmware have occurred since the original Securiteam advisory were published.
