Share
## https://sploitus.com/exploit?id=78CF33E0-A934-5F06-94FA-151F67295B1E
# Dinkleberry ๐Ÿซ

Are you one of the 92,000+ people<sup>1</sup> stuck with a D-Link NAS vulnerable to CVE-2024-3272, and no patch in sight?

This tool uses the exploit itself to patch a vulnerable device.

<sup>1</sup>: See original disclosure in refs

## What it does

Dinkleberry will execute a command to swap out the vulnerable `nas_sharing.cgi` file with a patched version - overwriting the `system()` call with [NOP](https://en.wikipedia.org/wiki/NOP_(code))s.

The `/usr/local/modules` folder (where the file lives) is read-only, so instead a copy is created in `/usr/local/config`, and the symlink in `/var/www/cgi-bin` is updated to point to the safe(r) version.

I have chosen to only NOP the system call so that the command still responds as usual, just without actually executing anything.

>[!NOTE]
> The filesystem is re-loaded from flash on boot. Applying this patch will only work until you reboot the device.
> If you want a more permanent fix, you'll have to re-flash the firmware.
>
> I leave this as an exercise for the reader ;)

## Usage

```console
aliask:~/git/dinkleberry$ python3 ./src/main.py -h                                                                                                                   10:01:02
usage: dinkleberry [-h] [--telnet] [--kill-telnet] [--test] [--verbose] target

positional arguments:
  target         Target NAS to patch

options:
  -h, --help     show this help message and exit
  --telnet       Start telnet server
  --kill-telnet  Stop telnet server
  --test         Test if device is vulnerable
  --verbose, -v  Set this to print debug messages
```

If no optional flags are applied, the script performs the patching.

### Telnet

If you just want to poke around on the device, use the `--telnet` command, which starts a telnet session on port 23.

This is hilariously insecure, but your device is already hilariously insecure so may as well take the convenient shell.

## Disclaimer

>[!CAUTION]
> Use this tool at your own peril. It's modifying the actual device software. 
> 
> I am not responsible for:
> - Your device stopping working
> - Losing data stored on the NAS
> - Starting a fire
> - The TA who was happily exploiting this your device being upset

## Final Words

During [analysis](./docs/decompiled-funcs.md) of the `nas_sharing.cgi` and `libsmbif.so` binaries, it quickly became clear that the software on this device is _extremely_ vulnerable. Unmaintainable-rewrite-from-scratch vulnerable.

There are like 80 calls to `system()` in `nas_sharing.cgi` alone - many of these have a pathway for user input. I haven't bothered analysing them all to look for more holes to patch, but here's one S-tier example:

```c
/*  Why use system() instead of libc fopen/fwrite?
    What if you want to write a long string or your filename is long?
    Painfully obvious command injection playground ๐Ÿคฆ */
void append_to_file(const char* string, const char* file) {
  char s_cmd[1024];
  sprintf(s_cmd, "echo %s >> %s", string, file);
  system(s_cmd);
  return;
}
```

Besides all these _insane_ `system` calls, there are more buffer overflows than you can poke a stick at - and I can poke a lot of sticks.

This CVE is on CISA's [KEV list](https://cisa.gov/known-exploited-vulnerabilities-catalog) - **If you have one of these things on the internet, take it offline. Like now.**

Maybe even take D-Link's advice and replace the EOL device. But I wouldn't buy a D-Link product that's for sure.

## References

- Original disclosure: https://github.com/netsecfish/dlink
- NVD page: https://nvd.nist.gov/vuln/detail/CVE-2024-3272