Linksys and D-Link Vulnerabilities (Belkin NOT on the List! Yay!)

Started by deanwebb, February 25, 2016, 11:40:12 AM

Previous topic - Next topic

deanwebb

From the full-disclosure mailing list:

Hello,

We'd like to report several vulnerabilities in embedded devices developed by D-Link and Netgear, which were discovered using our FIRMADYNE framework for emulation and dynamic analysis of Linux-based embedded devices. For more information, refer to our academic paper and open-source release at https://github.com/firmadyne/firmadyne.

Several Netgear devices include unauthenticated webpages that pass form input directly to the command-line, allowing for a command injection attack in `boardData102.php`, `boardData103.php`, `boardDataJP.php`, `boardDataNA.php`, and `boardDataWW.php`. This has been assigned CVE-2016-1555. Affected devices include:

Netgear WN604
Netgear WN802Tv2
Netgear WNAP210
Netgear WNAP320
Netgear WNDAP350
Netgear WNDAP360

Several D-Link devices include a web server that is vulnerable to a buffer overflow while parsing the 'dlink_uid' cookie. The length of the value set in the cookie is obtained using strlen(), which is then passed to memcpy(), and the value is copied into a fixed-size buffer. This has been assigned CVE-2016-1558. Affected devices include:

D-Link DAP-2310
D-Link DAP-2330
D-Link DAP-2360
D-Link DAP-2553
D-Link DAP-2660
D-Link DAP-2690
D-Link DAP-2695

Several Netgear devices include unauthenticated webpages that disclose the wireless WPS PIN, allowing for information disclosure. This has been assigned CVE-2016-1556. Affected devices include:

Netgear WN604
Netgear WNAP210
Netgear WNAP320
Netgear WND930
Netgear WNDAP350
Netgear WNDAP360

Several devices by both D-Link and Netgear disclose wireless passwords and administrative usernames/passwords over SNMP, including OID's iso.3.6.1.4.1.171.10.37.35.2.1.3.3.2.1.1.4, iso.3.6.1.4.1.171.10.37.38.2.1.3.3.2.1.1.4, iso.3.6.1.4.1.171.10.37.35.4.1.1.1, iso.3.6.1.4.1.171.10.37.37.4.1.1.1, iso.3.6.1.4.1.171.10.37.38.4.1.1.1, iso.3.6.1.4.1.4526.100.7.8.1.5, iso.3.6.1.4.1.4526.100.7.9.1.5, iso.3.6.1.4.1.4526.100.7.9.1.7, and iso.3.6.1.4.1.4526.100.7.10.1.7. This has been assigned CVE-2016-1557 for Netgear devices, and CVE-2016-1559 for D-Link devices. Affected devices include:

D-Link DAP-1353
D-Link DAP-2553
D-Link DAP-3520
Netgear WNAP320
Netgear WNDAP350
Netgear WNDAP360

We have not heard back from D-Link after contacting the vendor. Netgear will fix WN604 with firmware 3.3.3 by late February, but the tentative ETA for the remaining devices is mid-March.

Thanks,

Dominic


As stated in the title, Belkin baffles the experts once again by not being affected!
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.