Vulnerability information

Vulnerability Number: CVE-2020-26567. The file upgradeStatusReboot.cgi exists in firmware versions before 3.17 of the DSR-250N and DSR-500N routers. Unauthenticated access to this file can cause a device denial of service; the vulnerability is fixed in 3.17B.

Next, I will analyze the cause and the vulnerable point from the two firmware images, and along the way point out some things to pay attention to when analyzing firmware.

DSR-250N firmware analysis

First, we obtain the DSR-250N firmware for analysis. Downloading the firmware we want from D-Link Support is straightforward.

Manual extraction of firmware

After obtaining the firmware, the first step in most cases is to run Binwalk to see what the image contains. We are used to letting Binwalk extract the firmware automatically; this time we analyze the image by hand and extract the file system we need ourselves. Since squashfs is the most common file system in firmware, we start with it. For a squashfs file system, we first need to identify the magic signature of its header. Common squashfs magic strings are sqsh, hsqs, qshs, shsq, hsqt, tqsh and sqlz. In this firmware the signature "hsqs" is identified, and it occurs twice, so the image may contain two squashfs file systems.

Now that we know the magic signature, how do we determine the size of the squashfs file system? Dump a piece of data starting at the offset of the "hsqs" magic (the squashfs superblock is generally under 100 bytes), then run the file command on that dump to read the file system size.


We then dump the first squashfs section from the firmware using the offset and size found above, and unpack it with unsquashfs.

The contents of the file system are unpacked successfully; that completes the first part of the firmware. The second part is extracted in exactly the same way, so it is not repeated here.
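The manual steps above (locate the magic, read the superblock to learn the size, dd out the section, run unsquashfs) can be scripted. The following is an added example, not code from the original post: it scans an image for the magic strings listed above, decodes the 96-byte squashfs v4 superblock to get bytes_used, and carves each file system out. The sample image it builds is constructed (two synthetic superblocks behind a fake vendor header), not a real D-Link file; older squashfs 2/3 superblocks have a different layout, so for those it only reports the magic offset and the file command remains the way to get the size.

```python
import struct

# Magic strings that can open a squashfs superblock in firmware images: the two
# standard byte orders plus the vendor variants the article lists.
SQUASHFS_MAGICS = (b"hsqs", b"sqsh", b"shsq", b"qshs", b"hsqt", b"tqsh", b"sqlz")
SUPERBLOCK_LEN = 96          # a squashfs v4 superblock is 96 bytes
PAD = 4096                   # mksquashfs pads images to 4 KiB unless -nopad is used
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def find_magics(data):
    """Return sorted (offset, magic) pairs for every squashfs magic in `data`.
    Several hits mean the image may hold several file systems."""
    hits = []
    for magic in SQUASHFS_MAGICS:
        pos = data.find(magic)
        while pos >= 0:
            hits.append((pos, magic))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def parse_v4_superblock(data, offset):
    """Decode the little-endian squashfs v4 superblock at `offset`.
    Returns a dict, or None if the bytes are not a v4 superblock."""
    if data[offset:offset + 4] != b"hsqs" or len(data) - offset < SUPERBLOCK_LEN:
        return None
    (inodes, mkfs_time, block_size, fragments, comp, block_log, flags,
     no_ids, major, minor, root_inode, bytes_used) = struct.unpack_from(
        "<IIIIHHHHHHQQ", data, offset + 4)
    if major != 4 or (1 << block_log) != block_size:   # basic sanity checks
        return None
    return {"inodes": inodes, "block_size": block_size, "fragments": fragments,
            "compression": COMPRESSORS.get(comp, f"unknown({comp})"),
            "major": major, "minor": minor, "bytes_used": bytes_used}


def carve(data, offset, bytes_used):
    """Slice out one file system: bytes_used rounded up to the 4 KiB padding
    boundary, capped at the end of the image. Same as
    dd if=fw.bin of=fs.squashfs bs=1 skip=<offset> count=<length>."""
    length = -(-bytes_used // PAD) * PAD
    return data[offset:offset + length]


def carve_all(data):
    """Return [(offset, superblock_info, carved_bytes), ...] for every v4 squashfs."""
    out = []
    for offset, _magic in find_magics(data):
        info = parse_v4_superblock(data, offset)
        if info:
            out.append((offset, info, carve(data, offset, info["bytes_used"])))
    return out


def make_sample_image():
    """Constructed stand-in for a firmware image (not a real D-Link file):
    a 64-byte vendor header, then two synthetic v4 superblocks with filler
    so each bytes_used field describes a plausible size."""
    def superblock(bytes_used, inodes):
        # fields: magic, inodes, mkfs_time, block_size, fragments, compression,
        # block_log, flags, no_ids, s_major, s_minor, root_inode, bytes_used,
        # then six table-start offsets (zeroed here)
        return struct.pack("<4sIIIIHHHHHHQQQQQQQQ", b"hsqs", inodes, 0, 1 << 17, 0,
                           1, 17, 0, 1, 4, 0,
                           0, bytes_used, 0, 0, 0, 0, 0, 0)
    fs1 = superblock(1000, 12) + b"\x00" * (PAD - SUPERBLOCK_LEN)   # padded to 4 KiB
    fs2 = superblock(700, 5) + b"\x11" * (700 - SUPERBLOCK_LEN)      # image ends unpadded
    return b"VENDORHDR" + b"\x00" * 55 + fs1 + fs2


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_image()
    for offset, magic in find_magics(data):
        print(f"magic {magic!r} at offset {offset:#x}")
    for i, (offset, info, blob) in enumerate(carve_all(data), 1):
        print(f"fs{i}: v{info['major']}.{info['minor']} {info['compression']} "
              f"bytes_used={info['bytes_used']} -> dd bs=1 skip={offset} count={len(blob)}")
        with open(f"fs{i}.squashfs", "wb") as f:
            f.write(blob)     # then: unsquashfs fs{i}.squashfs
```

Run it as `python3 carve.py firmware.bin`; each carved section can then be checked with `file fsN.squashfs` and unpacked with `unsquashfs fsN.squashfs`. The carve is rounded up to the padding boundary rather than cut at bytes_used so that unsquashfs never reads past the end of a truncated slice.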

The firmware analysis

The upgradeStatusReboot.cgi file is located under /www/. CGI files are stored together with the HTML interface, so the file can be found in /var/www/.


Looking at the contents of the file, it is clear that it contains the reboot command.

The web server in this firmware is /sslvpn/bin/httpd, the most common web-service framework found on embedded devices, and it is started by sslvpnInit.

sslvpnInit is found in /etc/platforminit, which is executed from the system boot script (/etc/init.d/rcS).

The request path resolves to /var/www/upgradeStatusReboot.cgi, so the command in this file can be triggered. But why is there an scgi-bin path? We leave that question for the DSR-500N firmware analysis.


DSR-500 firmware analysis

The DSR-500 file system is extracted in the same way as the DSR-250 file system, and here too we quickly locate the vulnerable file.


So we search for this file to see where it might be called, and find kepler.config and httpdkeepalive.sh. At the same time, I also saw the thttpd file, which, based on the previous firmware analysis, is most likely the component that provides the DSR-500's web service.

This file should be the init script for thttpd; its main content is as follows: it starts the thttpd component. Based on kepler.config and httpdkeepalive.sh above, the CGI files in question can be fairly well confirmed: dbGlog.cgi, Quickvpn.cgi and upgradeStatusReboot.cgi.

In userInit, a file I was interested in, the security level is set according to country, but I could not see any effect from this setting.

Instead, different trigger points for the vulnerability were found. Combined with the settings above, the Russian firmware can trigger the vulnerability through /scgi-bin/, while firmware for other regions triggers it through /cgi-bin/.
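Because the same CGI is reachable under two prefixes depending on the firmware region, a detection rule that only watches /cgi-bin/ would miss the /scgi-bin/ variant. The following is an added example, not part of the original post: it parses access-log lines in the Apache/nginx "combined" format (an assumption; a reverse proxy or syslog forwarder in front of the router's web interface would produce something similar) and flags every request for upgradeStatusReboot.cgi, recording which prefix was used. The log lines are constructed for the example.

```python
import re
from collections import Counter

# CGI name and URL prefixes taken from the write-up; everything else is constructed.
WATCHED_CGI = "upgradeStatusReboot.cgi"
CGI_PREFIXES = {"/cgi-bin/": "cgi-bin", "/scgi-bin/": "scgi-bin"}

# Assumption: requests are logged in the Apache/nginx "combined" format.
# Adjust LOG_RE for other log formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /index.htm HTTP/1.1" 200 5123
10.0.0.7 - - [10/Oct/2020:13:56:01 +0000] "GET /cgi-bin/upgradeStatusReboot.cgi HTTP/1.1" 200 88
10.0.0.7 - - [10/Oct/2020:13:56:02 +0000] "GET /scgi-bin/upgradeStatusReboot.cgi?x=1 HTTP/1.1" 200 88
10.0.0.9 - - [10/Oct/2020:13:57:10 +0000] "GET /cgi-bin/dbGlog.cgi HTTP/1.1" 200 412
10.0.0.7 - - [10/Oct/2020:13:58:00 +0000] "GET /upgradeStatusReboot.cgi HTTP/1.1" 404 0
"""


def parse_line(line):
    """Return the named groups of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path):
    """Return 'cgi-bin', 'scgi-bin' or 'other' when `path` targets the watched
    CGI (query string ignored), else None."""
    base = path.split("?", 1)[0]
    if base.rsplit("/", 1)[-1] != WATCHED_CGI:
        return None
    for prefix, label in CGI_PREFIXES.items():
        if base.startswith(prefix):
            return label
    return "other"


def find_hits(lines):
    """Return (ip, prefix_label, status) for every request that names the reboot CGI,
    including failed attempts, which are still worth an alert."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify_path(rec["path"])
        if label:
            hits.append((rec["ip"], label, int(rec["status"])))
    return hits


def hits_per_client(hits):
    """Count flagged requests per source address."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG.splitlines())
    for ip, label, status in hits:
        print(f"{ip} -> {WATCHED_CGI} via {label} (HTTP {status})")
    print(hits_per_client(hits))
```

Matching on the script's base name rather than on a fixed prefix is what makes the rule cover both firmware regions; the prefix is kept only as a label so an analyst can see which path the request used.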

Vulnerability reproduction


Conclusion

This section described how to manually extract a file system from firmware without relying on Binwalk's automatic extraction, and how to analyze the vulnerability. Finally, what is SCGI? According to a search, SCGI stands for Simple Common Gateway Interface, and it was designed as a simpler replacement for CGI. As the name suggests, it is simple. SCGI is also client/server: the client sends the request, and the server processes it and responds. In short, SCGI defines the protocol for sending requests and returning responses.
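To make the last point concrete, the following added example (not code from the original post or from the router's firmware) encodes and decodes an SCGI request: a netstring containing NUL-separated headers, with CONTENT_LENGTH first and SCGI=1 present, followed by the raw body. It also includes an illustrative server-side gate that refuses to run a protected script without a valid credential; the PROTECTED set, the token values and the use of HTTP_AUTHORIZATION are assumptions for the example, not the router's configuration. The second sample request is the one given in the SCGI protocol specification.

```python
# Illustrative policy for the dispatch example (assumption, not a real config).
PROTECTED = {"upgradeStatusReboot.cgi"}


def encode_scgi_request(headers, body=b""):
    """Build an SCGI request: netstring of NUL-terminated header pairs, then body.
    CONTENT_LENGTH must be first and SCGI must be "1"; both are set here."""
    items = [("CONTENT_LENGTH", str(len(body))), ("SCGI", "1")]
    items += [(k, v) for k, v in headers.items() if k not in ("CONTENT_LENGTH", "SCGI")]
    for k, v in items:
        if "\0" in k or "\0" in v:
            raise ValueError("NUL is the separator and may not appear in headers")
    blob = b"".join(k.encode() + b"\0" + v.encode() + b"\0" for k, v in items)
    return f"{len(blob)}:".encode() + blob + b"," + body


def decode_scgi_request(data):
    """Parse an SCGI request into (headers, body); raise ValueError if malformed."""
    colon = data.find(b":")
    if colon < 1 or not data[:colon].isdigit():
        raise ValueError("missing netstring length")
    length = int(data[:colon])
    start, end = colon + 1, colon + 1 + length
    if data[end:end + 1] != b",":
        raise ValueError("bad netstring terminator")
    parts = data[start:end].split(b"\0")
    # every header name and value is NUL-terminated, so the split leaves a
    # trailing empty element and an odd total count
    if parts[-1] != b"" or len(parts) % 2 == 0:
        raise ValueError("malformed header block")
    pairs = [(parts[i].decode(), parts[i + 1].decode())
             for i in range(0, len(parts) - 1, 2)]
    if not pairs or pairs[0][0] != "CONTENT_LENGTH":
        raise ValueError("CONTENT_LENGTH must be the first header")
    headers = dict(pairs)
    if headers.get("SCGI") != "1":
        raise ValueError("SCGI header missing or not 1")
    clen = int(headers["CONTENT_LENGTH"])
    body = data[end + 1:end + 1 + clen]
    if len(body) != clen:
        raise ValueError("truncated body")
    return headers, body


def dispatch(headers, valid_tokens=frozenset()):
    """Illustrative gate the web server could apply before running a CGI:
    scripts in PROTECTED need a credential the server recognizes.
    Returns an HTTP status code."""
    script = headers.get("SCRIPT_NAME", "").rsplit("/", 1)[-1]
    if script in PROTECTED and headers.get("HTTP_AUTHORIZATION") not in valid_tokens:
        return 401
    return 200


# The example request from the SCGI protocol specification.
SPEC_REQUEST = (b"70:CONTENT_LENGTH\x0027\x00SCGI\x001\x00REQUEST_METHOD\x00POST\x00"
                b"REQUEST_URI\x00/deepthought\x00,What is the answer to life?")

if __name__ == "__main__":
    hdrs, body = decode_scgi_request(SPEC_REQUEST)
    print(hdrs, body)
    req = encode_scgi_request({"REQUEST_METHOD": "GET",
                               "SCRIPT_NAME": "/scgi-bin/upgradeStatusReboot.cgi"})
    hdrs, _ = decode_scgi_request(req)
    print(dispatch(hdrs), dispatch(hdrs | {"HTTP_AUTHORIZATION": "tok-1"}, {"tok-1"}))
```

The decoder checks the netstring framing, the header count, the position of CONTENT_LENGTH and the body length, so a truncated or mis-framed request is rejected before any header is trusted; the gate shows where an authorization decision sits in the request flow, which is the step the vulnerable firmware lacked for this CGI.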
