D-Link-DIR815路由器缓冲区溢出漏洞复现分析

2001-03-25

字数统计: 1.9k字 | 阅读时长≈ 9分

D-Link-DIR815路由器缓冲区是一个已经被大家多次分析复现的漏洞，相关文章也比较全面，这里感谢 xmzyshypnc大哥的文章。所以选择这个漏洞作为我 IOT漏洞分析的入门实践。作为入门学习，本文可能会包含更多IOT的基础知识。

提取固件

一般拿到路由器内部固件，都是以bin形式打包，所以需要使用 binwalk对其进行提取。使用如下命令：

1	binwalk -Me Dir.bin

这里如果报错提示 WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -le -d '%%squashfs-root%%' '%e'': [Errno 2] No such file or directory，那么就是未安装 sasquath。可以从此处下载安装，按照提示即可。
然后，就能将路由器内部的文件系统给提取出来。

漏洞分析

Buffer overflow on “hedwig.cgi”
Another buffer overflow affects the “hedwig.cgi” CGI script. Unauthenticated remote attackers can invoke this CGI with an overly-long cookie value that can overflow a program buffer and overwrite the saved program address.

官方漏洞公告如上所示，可以看到是位于 hedwig.cgi中的缓冲区溢出漏洞。所以我们现在文件系统内使用如下命令查找该程序：

1	find ./ --name="hedwig.cgi"

然后，使用如下命令查看其链接的真实程序：

1	ls -l ./htdocs/web/hedwig.cgi

最后找到 hedwgi.cgi程序，使用 Ghidra查看伪代码如下：

undefined4 main(undefined4 param_1,char **param_2,undefined4 param_3)

{
  char *pcVar1;
  int iVar2;
  undefined4 uVar3;
  char *__s;
  code *UNRECOVERED_JUMPTABLE;
  
  __s = *param_2;
  pcVar1 = strrchr(__s,0x2f);
  if (pcVar1 != (char *)0x0) {
    __s = pcVar1 + 1;
  }
  iVar2 = strcmp(__s,"phpcgi");
  if (iVar2 == 0) {
    UNRECOVERED_JUMPTABLE = phpcgi_main;
  }
  else {
    iVar2 = strcmp(__s,"dlcfg.cgi");
    if (iVar2 == 0) {
      UNRECOVERED_JUMPTABLE = dlcfg_main;
    }
    else {
      iVar2 = strcmp(__s,"seama.cgi");
      if (iVar2 == 0) {
        UNRECOVERED_JUMPTABLE = seamacgi_main;
      }
      else {
        iVar2 = strcmp(__s,"fwup.cgi");
        if (iVar2 == 0) {
          UNRECOVERED_JUMPTABLE = fwup_main;
        }
        else {
          iVar2 = strcmp(__s,"fwupdater");
          if (iVar2 == 0) {
            UNRECOVERED_JUMPTABLE = fwupdater_main;
          }
          else {
            iVar2 = strcmp(__s,"session.cgi");
            if (iVar2 == 0) {
              UNRECOVERED_JUMPTABLE = sessioncgi_main;
            }
            else {
              iVar2 = strcmp(__s,"captcha.cgi");
              if (iVar2 == 0) {
                UNRECOVERED_JUMPTABLE = captchacgi_main;
              }
              else {
                iVar2 = strcmp(__s,"hedwig.cgi");
                if (iVar2 == 0) {
                  UNRECOVERED_JUMPTABLE = hedwigcgi_main;
                }
                else {
                  iVar2 = strcmp(__s,"pigwidgeon.cgi");
                  if (iVar2 == 0) {
                    UNRECOVERED_JUMPTABLE = pigwidgeoncgi_main;
                  }
                  else {
                    iVar2 = strcmp(__s,"service.cgi");
                    if (iVar2 == 0) {
                      UNRECOVERED_JUMPTABLE = servicecgi_main;
                    }
                    else {
                      iVar2 = strcmp(__s,"ssdpcgi");
                      if (iVar2 == 0) {
                        UNRECOVERED_JUMPTABLE = ssdpcgi_main;
                      }
                      else {
                        iVar2 = strcmp(__s,"soap.cgi");
                        if (iVar2 == 0) {
                          UNRECOVERED_JUMPTABLE = soapcgi_main;
                        }
                        else {
                          iVar2 = strcmp(__s,"gena.cgi");
                          if (iVar2 == 0) {
                            UNRECOVERED_JUMPTABLE = genacgi_main;
                          }
                          else {
                            iVar2 = strcmp(__s,"conntrack.cgi");
                            if (iVar2 == 0) {
                              UNRECOVERED_JUMPTABLE = conntrackcgi_main;
                            }
                            else {
                              iVar2 = strcmp(__s,"hnap");
                              if (iVar2 != 0) {
                                printf("CGI.BIN, unknown command %s\n",__s);
                                return 1;
                              }
                              UNRECOVERED_JUMPTABLE = hnap_main;
                            }
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
                    /* WARNING: Could not recover jumptable at 0x004026a8. Too many branches */
                    /* WARNING: Treating indirect jump as call */
  uVar3 = (*UNRECOVERED_JUMPTABLE)(param_1,param_2,param_3);
  return uVar3;
}

main函数实现的功能，就是根据启动时传入的参数，去执行相应的功能的 main函数。那么 hedwigcgi_main就是漏洞存在的函数，其获取数据的方式基本是通过 getenv从环境变量中获取，比如 REQUEST_METHOD这个字段。

int hedwigcgi_main(void)

{
  char *pcVar1;
  FILE *pFVar2;
  undefined4 uVar3;
  int iVar4;
  int iVar5;
  char **ppcVar6;
  int iVar7;
  int iVar8;
  int iVar9;
  int iVar10;
  char acStack1232 [20];
  char *local_4bc [5];
  char acStack1192 [128];
  char acStack1064 [1024];
  
  memset(acStack1064,0,0x400);
  memset(acStack1192,0,0x80);
  memcpy(acStack1232,"/runtime/session",0x11);
  pcVar1 = getenv("REQUEST_METHOD");
  if (pcVar1 == (char *)0x0) {
    pcVar1 = "no REQUEST";
LAB_004095c8:
    iVar10 = 0;
    iVar8 = 0;
LAB_00409a64:
    iVar9 = -1;
  }
  else {
    iVar8 = strcasecmp(pcVar1,"POST");
    if (iVar8 != 0) {
      pcVar1 = "unsupported HTTP request";
      goto LAB_004095c8;
    }
    cgibin_parse_request(&LAB_00409a6c,0,0x20000);	//解析请求
    pFVar2 = fopen("/etc/config/image_sign","r");
    pcVar1 = fgets(acStack1192,0x80,pFVar2);
    if (pcVar1 == (char *)0x0) {
      pcVar1 = "unable to read signature!";
      goto LAB_004095c8;
    }
    fclose(pFVar2);
    cgibin_reatwhite(acStack1192);
    iVar8 = sobj_new();			//创建两个字符对象
    iVar10 = sobj_new();
    if ((iVar8 == 0) || (iVar10 == 0)) {
      pcVar1 = "unable to allocate string object";
      goto LAB_00409a64;
    }
    sess_get_uid(iVar8);			//从环境变量中获取uid到字符对象中
    uVar3 = sobj_get_string(iVar8);	//从字符对象中取出字符串
    sprintf(acStack1064,"%s/%s/postxml","/runtime/session",uVar3);	//sprintf将字符串输出到栈上
    xmldbc_del(0,0,acStack1064);
    pFVar2 = fopen("/var/tmp/temp.xml","w");	//打开文件
    if (pFVar2 == (FILE *)0x0) {
      pcVar1 = "unable to open temp file.";
      goto LAB_00409a64;
    }
    if (DAT_0042cae0 == (char *)0x0) {
      pcVar1 = "no xml data.";
      goto LAB_00409a64;
    }
    iVar9 = fileno(pFVar2);		//获取文件指针
    iVar9 = lockf(iVar9,3,0);	
    if (iVar9 < 0) {
      printf(
             "HTTP/1.1 200 OK\r\nContent-Type:text/xml\r\n\r\n<hedwig><result>BUSY</result><message>%s</message></hedwig>"
             ,0);
      iVar9 = 0;
      goto LAB_004099cc;
    }
    iVar4 = fileno(pFVar2);
    lockf(iVar4,1,0);
    local_4bc[1] = (char *)0x0;
    local_4bc[2] = (char *)0x0;
    local_4bc[3] = (char *)0x0;
    local_4bc[4] = (char *)0x0;
    local_4bc[0] = acStack1192;
    local_4bc[1] = strtok(acStack1232,"/");
    ppcVar6 = local_4bc + 2;
    iVar4 = 2;
    do {
      iVar7 = iVar4;
      pcVar1 = strtok((char *)0x0,"/");
      *ppcVar6 = pcVar1;
      ppcVar6 = ppcVar6 + 1;
      iVar4 = iVar7 + 1;
    } while (pcVar1 != (char *)0x0);
    pcVar1 = (char *)sobj_get_string(iVar8);
    local_4bc[iVar7] = pcVar1;
    fputs("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n",pFVar2);
    ppcVar6 = local_4bc;
    iVar5 = 0;
    do {
      iVar5 = iVar5 + 1;
      fprintf(pFVar2,"<%s>\n",*ppcVar6);
      ppcVar6 = ppcVar6 + 1;
    } while (iVar5 < iVar4);
    pcVar1 = strstr(DAT_0042cae0,"<postxml>");
    fprintf(pFVar2,"%s\n",pcVar1);
    ppcVar6 = local_4bc + iVar7;
    do {
      iVar4 = iVar4 + -1;
      fprintf(pFVar2,"</%s>\n",*ppcVar6);
      ppcVar6 = ppcVar6 + -1;
    } while (0 < iVar4);
    fflush(pFVar2);
    xmldbc_read(0,2,"/var/tmp/temp.xml");
    iVar4 = fileno(pFVar2);
    lockf(iVar4,0,0);
    fclose(pFVar2);
    remove("/var/tmp/temp.xml");
    uVar3 = sobj_get_string(iVar8);
    sprintf(acStack1064,"/htdocs/webinc/fatlady.php\nprefix=%s/%s","/runtime/session",uVar3);			//第二处漏洞
    xmldbc_ephp(0,0,acStack1064,stdout);
    if (iVar9 == 0) goto LAB_004099cc;
    pcVar1 = (char *)0x0;
  }
  printf(
         "HTTP/1.1 200 OK\r\nContent-Type:text/xml\r\n\r\n<hedwig><result>FAILED</result><message>%s</message></hedwig>"
         ,pcVar1);
LAB_004099cc:
  if (DAT_0042cae0 != (char *)0x0) {
    free(DAT_0042cae0);
  }
  if (iVar10 != 0) {
    sobj_del(iVar10);
  }
  if (iVar8 != 0) {
    sobj_del(iVar8);
  }
  return iVar9;
}

这段代码的总体逻辑如下：

从环境变量中获取 REQUEST_METHOD的值，若为空则退出；若不为空，则比较是否有 POST字段，若无该字段则清空参数退出；
若有该字段，则解析请求；然后创建了两个字符对象，调用 sess_get_uid函数获取环境变量中的uid，到字符对象中。sess_get_uid函数实现的功能是从环境变量中获取 HTTP_COOKIE和 REMOTE_ADDR字段的内容，将两个字段拼接，随后返回


void sess_get_uid(undefined4 param_1)

{
  int iVar1;
  char *pcVar2;
  char *pcVar3;
  undefined4 uVar4;
  int iVar5;
  uint uVar6;
  code *pcVar7;
  
  iVar1 = sobj_new();
  pcVar2 = (char *)sobj_new();
  pcVar3 = getenv("HTTP_COOKIE");
  if (((iVar1 != 0) && (pcVar2 != (char *)0x0)) && (pcVar3 != (char *)0x0)) {
    uVar6 = 0;
LAB_00407e28:
    iVar5 = (int)*pcVar3;
    if (iVar5 == 0) goto LAB_00407ec4;
    if (uVar6 == 1) {
LAB_00407db0:
      if (iVar5 == 0x3b) {
        uVar6 = 0;
      }
      else {
        uVar6 = 2;
        if (iVar5 != 0x3d) {
          sobj_add_char(iVar1,iVar5);
          uVar6 = 1;
        }
      }
    }
    else {
      if (uVar6 < 2) {
        if (uVar6 == 0) {
          if (iVar5 != 0x20) {
            sobj_free(iVar1);
            sobj_free(pcVar2);
            goto LAB_00407db0;
          }
          goto LAB_00407e24;
        }
        pcVar3 = pcVar3 + 1;
        goto LAB_00407e28;
      }
      if (uVar6 == 2) {
        if (iVar5 == 0x3b) {
          uVar6 = 3;
          goto LAB_00407e24;
        }
        sobj_add_char(pcVar2,iVar5);
        pcVar3 = pcVar3 + 1;
        goto LAB_00407e28;
      }
      if (uVar6 == 3) {
        iVar5 = sobj_strcmp(iVar1,&DAT_0041a5d8);
        uVar6 = 0;
        if (iVar5 != 0) goto LAB_00407e24;
        goto LAB_00407e40;
      }
    }
LAB_00407e24:
    pcVar3 = pcVar3 + 1;
    goto LAB_00407e28;
  }
LAB_00407ee0:
  pcVar7 = getenv;
  pcVar3 = "REMOTE_ADDR";
LAB_00407e48:
  uVar4 = (*pcVar7)(pcVar3);
  sobj_add_string(param_1,uVar4);
  if (iVar1 != 0) {
    sobj_del(iVar1);
  }
  if (pcVar2 != (char *)0x0) {
                    /* WARNING: Could not recover jumptable at 0x00407ebc. Too many branches */
                    /* WARNING: Treating indirect jump as call */
    sobj_del(pcVar2);
    return;
  }
  return;
LAB_00407ec4:
  iVar5 = sobj_strcmp(iVar1,&DAT_0041a5d8);
  if (iVar5 == 0) {
LAB_00407e40:
    pcVar7 = sobj_get_string;
    pcVar3 = pcVar2;
    goto LAB_00407e48;
  }
  goto LAB_00407ee0;
}

将 sess_get_uid返回的字符串通过 sptintf输出到栈上，这里没有限制输出的长度，所以其存在缓冲区溢出漏洞；
随后打开了 /var/tmp/temp.xml文件，并赋予写权限。
在下面还有一处调用了 sprintf函数，也存在栈溢出漏洞。

漏洞利用

本以为只是一个简单的IOT漏洞入门，可是却活生生把我心态搞崩了。碰到各种问题，一路踩过来。

环境搭建

由于没有真机，所以这里采用 qemu进行模拟调试，启动脚本如下：

#!/bin/sh
INPUT="uid=1234"
TEST="uid=1234`cat content`"
LEN=$(echo -n "INPUT" |wc -c)
PORT="1234"
cp $(which qemu-mipsel-static) ./qemu
echo $INPUT | chroot . ./qemu -E CONTENT_LENGTH=$LEN -E CONTENT_TYPE="application/x-www-form-urlencoded" -E REQUEST_METHOD="POST" -E HTTP_COOKIE=$TEST -E REQUEST_URI="/hedwig.cgi" -g $PORT /htdocs/web/hedwig.cgi
rm -f ./qemu

解释一下该脚本，主要是 qemu的启动参数，其中 -E是用来添加环境变量的，因为在上面固件分析中可以看到都是利用 getenv来获得参数的，所以这里需要添加环境变量。

漏洞调试

首先既然是缓冲区溢出漏洞，需要先确定一下溢出偏移量

本文作者： A1ex
本文链接： http://yoursite.com/2001/03/25/D-Link-DIR815路由器缓冲区溢出漏洞复现分析/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！