CVE-2017-8404

Dlink DCS-1130 Command Injection / CSRF / Stack Overflow

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of setting a SMB folder for the video clippings recorded by the device. It seems that the POST parameters passed in this request (to test if email credentials and hostname sent to the device work properly) result in being passed as commands to a "system" API in the function and thus result in command injection on the device. If the firmware version is dissected using binwalk tool, we obtain a cramfs-root archive which contains the filesystem set up on the device that contains all the binaries. The library "libmailutils.so" is the one that has the vulnerable function "sub_1FC4" that receives the values sent by the POST request. If we open this binary in IDA-pro we will notice that this follows an ARM little endian format. The function sub_1FC4 in IDA pro is identified to be receiving the values sent in the POST request and the value set in POST parameter "receiver1" is extracted in function "sub_15AC" which is then passed to the vulnerable system API call. The vulnerable library function is accessed in "cgibox" binary at address 0x0008F598 which calls the "mailLoginTest" function in "libmailutils.so" binary as shown below which results in the vulnerable POST parameter being passed to the library which results in the command injection issue.

Se detectó un problema en los dispositivos DCS-1130 de D-Link. El dispositivo provee al usuario la capacidad de configurar una carpeta SMB para los recortes de video grabados por el dispositivo. Al parecer los parámetros POST pasados ??en esta petición (para probar si las credenciales de correo electrónico y el nombre de host enviados al dispositivo funcionan apropiadamente) dan como resultado que sean pasadas como comandos a una API de "system" en la función y, por lo tanto, resulten en una inyección de comandos en el dispositivo. Si la versión del firmware se disecciona con la herramienta binwalk, obtenemos un archivo cramfs-root que contiene el sistema de archivos configurado en el dispositivo que comprende todos los archivos binarios. La biblioteca "libmailutils.so" es la que tiene la función vulnerable "sub_1FC4" que recibe los valores enviados por la petición POST. Si abrimos este binario en IDA-pro, notaremos que este sigue un formato ARM en little endian. La función sub_1FC4 en IDA pro está identificada para recibir los valores enviados en la petición POST y el valor establecido en el parámetro POST "receiver1" se extrae en la función "sub_15AC" que luego se pasa hacia la llamada API del sistema vulnerable. Se accede a la función de la biblioteca vulnerable en el binario "cgibox" en la dirección 0x0008F598 que llama a la función "mailLoginTest" en el binario "libmailutils.so" como se muestra a continuación, lo que resulta en el parámetro POST vulnerable siendo pasado hacia la biblioteca, lo que ocasiona el problema de inyección de comandos .

Dlink DCS-1130 suffers from command injection, cross site request forgery, stack overflow, and various other vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-05-02 CVE Reserved
2019-06-07 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2024-11-22 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CAPEC

References (3)

URL	Tag	Source
http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html	Third Party Advisory
https://seclists.org/bugtraq/2019/Jun/8	Mailing List

URL	Date	SRC
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dlink Search vendor "Dlink"	Dcs-1130 Firmware Search vendor "Dlink" for product "Dcs-1130 Firmware"	-	-	Affected	in	Dlink Search vendor "Dlink"	Dcs-1130 Search vendor "Dlink" for product "Dcs-1130"	-	-	Safe