Nth Dimension Security Advisory (NDSA20070412) Date: 12th April 2007 Author: Tim Brown URL: / Product: DSL-G624T router (V3.00B01T02.UK-A.20060208) Vendor: D-Link Risk: Medium Summary Following the Securiteam posting "D-Link DSL-G604T Wireless Router Directory Traversal" which described a directory traversal in release V1.00B02T02.EU.20040618 of the DSL-G624T router firmware, research was carried out on the DSL-G624T router which indicated that it too was vulnerable to this and a second vulnerability. Nth Dimension would also point out that the directory traversal have been reported in other router and firmware combinations. 1) Firmware CGI is vulnerable to directory traversal and can be made to retrieve any file to which the web server user has read access (for example /etc/shadow). 2) Firmware CGI is vulnerable to Javascript injection within the requested URL. Technical Details 1) The firmware CGI script can be made to read any arbitrary file that the web server user has read access to, as it makes no sanity checks on the value passed within the getpage parameter of the URL, for example: http://192.168.1.1/cgi-bin/webcm?getpage=/etc/shadow In the event that the user has not authenticated, then the user is prompted for authentication credentials before the request is processed. As noted above this vulnerability bares an uncanny resemblance to a previously reported vulnerability with another D-Link router running a (presumably) older version of the firmware. 2) The value of the URL requested is used in within the web pages returned by the firmware CGI script, in its unsanitised form. Specifically, it makes no sanity checks on the value passed within the var:RelaodHref parameter of the URL, for example: http://192.168.1.1/cgi-bin/webcm?getpage=../html/home/home_RelaodHref.htm&var:RelaodHref=a"%20==%20"a"){alert("XSS")}} As with the example of Javascript injection, the user will be prompted to authenticate if required. Combining these vulnerabilities should allow the compromise of any router running affected firmware versions. Solutions Unfortunately, Nth Dimension are unware of any fixes for these issues at the current time. Note that 2 years have elapsed, and 2 major releases of the firmware have occurred since the original Securiteam advisory were published.