Vulnerability Title: Path Traversal Vulnerability in the Music File Upload Service of D-Link DCS-700L v1.03.09

Discovered by: tzh00203

Contact Information: [email protected]

Affected Version: DCS-700L v1.03.09 (earlier versions possibly affected, not tested)

Component: Music File Upload Service (HTTP endpoint /setUploadMusic, UploadMusic parameter)


1. Vulnerability Overview

A path traversal vulnerability exists in the Music File Upload Service of the D-Link DCS-700L v1.03.09. The upload handler passes the user-supplied file path to the open() system call without sanitization, so traversal sequences (e.g., ../../) in the submitted filename escape the intended music directory and let an attacker reach files elsewhere on the filesystem. This can expose sensitive system files such as configuration files or user credentials, leading to information disclosure.

An attacker who can reach the endpoint can therefore access files that should be restricted, which facilitates further attacks and may lead to complete device compromise.


2. Detailed Description

The issue is a missing validation step on the user-supplied file path. In the decompiled handler, open() is called with the user-controlled path (a1[42]) as-is, so ../ sequences in the path are honored by the kernel and the file that is opened can lie outside the intended directory.

[Figure: image.png (screenshot of the decompiled handler, not reproduced in this text)]

The attack chain begins when an attacker uploads a firmware or music file whose filename contains path traversal sequences. In uploadmusic(), the file path is extracted into the local variable v7 and passed unchanged to open(), which performs no check for traversal sequences.

For example, a filename of ../../../etc/passwd makes open() operate on the system file /etc/passwd instead of a file in the music directory. The screenshots do not show the flags passed to open(); note that an upload handler normally opens its target for writing, in which case the same traversal yields an arbitrary file write, which is more severe than the disclosure described here.

Either way, the vulnerability exposes sensitive system files and gives an attacker unauthorized access to critical information on the device.

[Figure: f69facaac70d162c92fd91803fbc1381.png (screenshot, not reproduced in this text)]

The uploaded file path (UploadMusic parameter) is passed directly to the open() system call without validation, so traversal sequences such as ../../../etc/passwd are injected verbatim and the handler opens files outside the music directory. To fix this, the handler should accept only a bare filename (reject any '/' and the names "." and ".."), canonicalize the joined path and verify that it still starts with the music directory before calling open(). Simply stripping the literal string "../" is not sufficient, since the check must run on the fully decoded path the handler actually opens.

[Figure: image.png (screenshot, not reproduced in this text)]
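The unsafe pattern described above next to a confined version, as an added example in C that is not code from the D-Link firmware or from this advisory: the upload directory /mnt/music, the 512-byte buffers and the function names build_music_path_unsafe, build_music_path_safe and normalize_path are assumptions. The normalizer resolves the advisory's payload lexically so the reader can see where open() would land, and the hardened builder rejects anything that is not a bare filename inside the directory.

```c
/* Added example (not code from the D-Link firmware or the advisory author).
 * MUSIC_DIR, MAX_NAME and all function names are assumptions for illustration. */
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MUSIC_DIR "/mnt/music"   /* assumed upload directory */
#define MAX_NAME  255            /* assumed filename limit */

/* Lexically normalise an absolute path: collapse repeated '/', drop "."
 * components and resolve ".." without ever climbing above "/".
 * Returns 0 on success, -1 if the input is not absolute or does not fit. */
int normalize_path(const char *in, char *out, size_t outlen)
{
    size_t n = 1;
    const char *p = in;

    if (in[0] != '/' || outlen < 2) return -1;
    out[0] = '/';
    while (*p) {
        while (*p == '/') p++;
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.') continue;          /* "." is a no-op */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') { /* pop a component */
            if (n > 1) { n--; while (n > 1 && out[n - 1] != '/') n--; }
            continue;
        }
        if (n + len + 1 >= outlen) return -1;
        if (out[n - 1] != '/') out[n++] = '/';
        memcpy(out + n, seg, len);
        n += len;
    }
    if (n > 1 && out[n - 1] == '/') n--;                  /* drop trailing '/' */
    out[n] = '\0';
    return 0;
}

/* The pattern the advisory describes: the user-supplied name is joined to
 * the directory and would be handed straight to open(). Nothing is checked. */
int build_music_path_unsafe(const char *user_name, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/%s", MUSIC_DIR, user_name) >= (int)outlen)
        return -1;
    return 0;
}

/* Hardened version: accept only a bare filename (no '/', not "." or ".."),
 * then normalise the joined path and confirm it is still under MUSIC_DIR.
 * Either check alone stops "../../../etc/passwd"; keeping both means a
 * mistake in one does not reopen the hole. */
int build_music_path_safe(const char *user_name, char *out, size_t outlen)
{
    char joined[512];
    const char *prefix = MUSIC_DIR "/";

    if (user_name[0] == '\0' || strlen(user_name) > MAX_NAME) return -1;
    if (strchr(user_name, '/') || !strcmp(user_name, ".") || !strcmp(user_name, ".."))
        return -1;
    if (snprintf(joined, sizeof joined, "%s/%s", MUSIC_DIR, user_name) >= (int)sizeof joined)
        return -1;
    if (normalize_path(joined, out, outlen) != 0) return -1;
    if (strncmp(out, prefix, strlen(prefix)) != 0) return -1; /* escaped the directory */
    return 0;
}

int main(void)
{
    /* Constructed inputs: the advisory's traversal payload and a benign name. */
    const char *names[] = { "../../../etc/passwd", "song.mp3" };
    char raw[512], resolved[512], safe[512];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        build_music_path_unsafe(names[i], raw, sizeof raw);
        normalize_path(raw, resolved, sizeof resolved);
        printf("unsafe: %-22s -> open() would touch %s\n", names[i], resolved);
        if (build_music_path_safe(names[i], safe, sizeof safe) != 0) {
            printf("safe:   %-22s -> rejected\n", names[i]);
            continue;
        }
        /* O_NOFOLLOW: a symlink planted inside MUSIC_DIR cannot redirect the write. */
        int fd = open(safe, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
        printf("safe:   %-22s -> %s (%s)\n", names[i], safe,
               fd >= 0 ? "opened" : strerror(errno));
        if (fd >= 0) close(fd);
    }
    return 0;
}
```

Running it shows the unsafe join of ../../../etc/passwd resolving to /etc/passwd while the hardened builder rejects the name and accepts song.mp3 as /mnt/music/song.mp3. The normalizer is purely lexical, so it does not see symlinks already present inside the directory; that is why the open() call adds O_NOFOLLOW. Where the directory exists at check time, realpath() on the parent followed by the same prefix comparison is the stronger form of the check.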