¡¾·ì϶¹«¸æ¡¿D-Link VPN·ÓÉÆ÷¶à¸öºÅÁî×¢Èë·ì϶

°ä²¼¹¦·ò 2020-12-10

0x00 ·ì϶¸ÅÊö

²úÆ·Ãû³Æ

CVE ID

Àà ÐÍ

·ì϶µÈ¼¶

Ô¶³ÌÀûÓÃ

D-Link VPN·ÓÉÆ÷

CVE-2020-25757

ºÅÁî×¢Èë

¸ßΣ

ÊÇ

CVE-2020-25758

crontab×¢Èë

¸ßΣ

ÊÇ

CVE-2020-25759

ºÅÁî×¢Èë

¸ßΣ

ÊÇ

 

0x01 ·ì϶ÏêÇé

 

image.png

2020Äê12ÔÂ09ÈÕ £¬D-Link VPN·ÓÉÆ÷±»Åû¶¶à¸ö0 day·ì϶£¨CVE-2020-25757¡¢CVE-2020-25758¡¢CVE-2020-25759£© ¡ £Äܹ»½Ó¼û¡° Unified Services Router¡± Web½çÃæµÄ¹¥»÷ÕßÄܹ»ÀûÓÃÕâЩ·ì϶ÌáÒé¶ñÒâÒªÇóÀ´×¢ÈëºÅÁî £¬»òÔö³¤Cron¹¤×÷À´Ö´ÐÐËÁÒâºÅÁî £¬ÕâЩ¶ñÒâºÅÁÒÔrootȨÏÞÖ´ÐÐ £¬×îÖÕÄܹ»½ÚÔìÕû¸öÉ豸 ¡£·ì϶ϸ½ÚÈçÏ£º

D-Link VPN·ÓÉÆ÷δ¾­Éí·ÝÑéÖ¤µÄºÅÁî×¢Èë·ì϶£¨CVE-2020-25757£©

lua-cgi²Ù×÷ÎÞÐèÉí·ÝÑéÖ¤¼´¿É½Ó¼û £¬ÆäÖ´ÐÐlua¿âº¯Êýʱ £¬¸Ãº¯Êý½«Óû§ÌṩµÄÊý¾Ý´«µÝ¸ø¶Ôos.popen£¨£©µÄŲÓà £¬×÷ΪÍÆËã¹þÏ£µÄºÅÁîµÄÒ»²¿ÃÅ£º/platform.cgi?action=duaAuth £¬/platform.cgi?action=duaLogout ¡£

D-Link VPN·ÓÉÆ÷¾­¹ýÈÏÖ¤µÄCrontab×¢Èë·ì϶£¨CVE-2020-25758£©

ÓÉÓÚÔÚÉÏ´«Ê±Äܹ»ÇáËÉÈƹý¶ÔÅäÖÃÎļþ½øÐÐÉí·ÝÑéÖ¤µÄ»úÔì £¬¹¥»÷ÕßÄܹ»ÀûÓô˷ì϶´´½¨¶ñÒâÅäÖÃÎļþ £¬²¢Ôö³¤ÐµÄcron£¨´òË㹤×÷£©Ìõ¿î £¬²¢ÒÔrootÉí·ÝÖ´ÐÐËÁÒâºÅÁî ¡£

D-Link VPN·ÓÉÆ÷¾­¹ýÈÏÖ¤µÄºÅÁî×¢Èë·ì϶£¨CVE-2020-25759£©

Lua-CGI´¦ÖÃÀ´×Ô¡°Unified Services Router¡±web½çÃæÖÓ×°Package Management¡±±íµ¥µÄÒªÇóʱ £¬¶Ô´«µÝ¸øOSµÄ¶à¸ö´øPOST²ÎÊýµÄPayloadûÓÐÔÚ·þÎñÆ÷¶Ë¹ýÂË ¡£¹¥»÷ÕßÄܹ»Ê¹ÓÃexecute£¨£©º¯Êý½«ÉÏ´«µÄÎļþÒƶ¯µ½ÁíÒ»¸öĿ¼ ¡£

 

½ØֹĿǰ £¬Í¨¹ýzoomeyeËÑË÷·¢ÏÖ £¬ÖйúÓÐ5637402¸öD-Link VPNÉ豸 ¡£

image.png

 

Ó°ÏìÁìÓò£º

ÔËÐй̼þv3.17¼°Ö®Ç°°æ±¾µÄ£ºDSR-150¡¢DSR-250¡¢DSR-500¡¢DSR-1000AC

 

0x02 ´ëÖý¨Òé

Ä¿Ç°D-LinkÔÚ¿ª·¢Óйز¹¶¡·¨Ê½ £¬¹Ù·½¹Ì¼þ°æ±¾Ô¤¼ÆÔÚ12ÔÂÖÐÑ®°ä²¼ ¡£

ÏÂÔØÁ´½Ó£º

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10195

 

0x03 ²Î¿¼Á´½Ó

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10195

https://www.digitaldefense.com/resources/vulnerability-research/d-link-vpn-router/

https://threatpost.com/d-link-routers-zero-day-flaws/162064/

 

0x04 ¹¦·òÏß

2020-12-09  Digital DefenseÅû¶·ì϶

2020-12-10  VSRC°ä²¼°²È«¹«¸æ

 

0x05 ¸½Â¼

 

CVSSÆÀ·Ö³ß¶È¹ÙÍø£ºhttp://www.first.org/cvss/

image.png