D-Link NAS Device Backdoor Abused

    Published: 2024-04-29
    Last Updated: 2024-04-29 13:48:03 UTC
    by Johannes Ullrich (Version: 1)
    0 comment(s)

    End of March, NetworkSecurityFish disclosed a vulnerability in various D-Link NAS devices [1]. The vulnerability allows access to the device using the user "messagebus" without credentials. The sample URL used by the PoC was:

    GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=<BASE64_ENCODED_COMMAND_TO_BE_EXECUTED>

    In addition to not requiring a password, the URL also accepts arbitrary system commands, which must be base64 encoded. Initial exploit attempts were detected as soon as April 8th. The vulnerability is particularly dangerous as some affected devices are no longer supported by DLink, and no patch is expected to be released. DLink instead advised to replace affected devices [2]. I have not been able to find an associated CVE number.

    Graph of hits for URLs that include "user=messagebus" with two distinct peaks. One early in april and one late in april

    After the initial exploit attempts at the beginning of the month, we now see a new distinct set of exploit attempts, some of which use different URLs to attack vulnerable systems. It appears that nas_sharing.cgi is not the only endpoint that can be used to take advantage of the passwordless "messagebus" account.

    So far, we do see these three different URLs

    /.most/orospucoc.cgi
    /cgi-bin/nas_sharing.cgi
    /cgi-bin/orospucoc.cgi

    It is not clear if "orospucoc.cgi" is a distinct different vulnerability. But it appears more like another endpoint allowing for command execution, just like the original "nas_sharing.cgi" endpoint. I found no documentation mentioning the "orospucoc.cgi" endpoint. If anybody has an affected D-Link NAS device, let me know if this endpoint exists. In particular, "/.most/orospucoc.cgi" is odd. This URL starts showing up in our logs on April 17th. The term "orospucoc" in Turkish translates to the English "bitch", which could indicate that this is not an actual vulnerable URL, but maybe a backdoor left behind by earlier attacks. The use of the directory ".most" and the payload "echo most" may point to a backdoor rather than a valid binary shipped with the device's firmware.

    Any feedback from DLink NAS users is appreciated.

    The most common command executed is "uname -m" which is likely used to identify vulnerable devices. Other commands include:

    echo    @hackerlor0510
    echo    most

     

    [1] https://github.com/netsecfish/dlink
    [2] https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383

    ---
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
    Twitter|

    Keywords: command injection dlink nas
    0 comment(s)
    ISC Stormcast For Monday, April 29th, 2024 https://isc.sans.edu/podcastdetail/8958

      Comments

      Login here to join the discussion.


      Diary Archives