Vulnerability Title: Path Traversal and Command Injection Vulnerabilities in Firmware Upload Service of D-Link DCS-850L v1.02.09
Discovered by: tzh00203
Contact Information: [email protected]
Affected Version: DCS-850L firmware version v1.02.09 (and possibly earlier versions)
Component: Firmware Upload Service (/setFirmwareUpgrade)
A Path Traversal Vulnerability has been discovered in the Firmware Update Service of D-Link DCS-850L v1.02.09. The vulnerability exists in the firmware file validation process, where user-controlled input (the firmware file path) is improperly handled. During firmware validation, the service uses the open() system call with the user-supplied file path without proper sanitization. This allows an attacker to include path traversal sequences (../) in the filename parameter, causing the system to attempt to open arbitrary files outside the intended upload directory. When the firmware upgrade process attempts to validate the uploaded file, it will open and process any file specified by the attacker's crafted path, potentially exposing sensitive system files such as configuration files, password files, or other critical system data. This could lead to information disclosure of sensitive device configuration and potentially facilitate further attacks.
The Path Traversal Vulnerability in D-Link DCS-850L v1.02.09 exists in the Firmware Update Service, specifically in the handling of user-uploaded firmware file paths during the validation process. The vulnerability arises from improper validation of the file path input, which allows arbitrary file access when the firmware validation process attempts to open the specified file.
Vulnerability Context
The core issue lies in the sub_42B634() function and the way it handles the firmware file path during validation.

The vulnerability occurs in the code where the open() function is used to access files with user-controlled file paths without proper validation. Specifically, in the uploadfirmware() function, the file path parameter extracted from the HTTP form data is passed directly to the sub_42B634() validation function, which then calls open(a5, 0) without checking for path traversal sequences.
The attack chain begins when an attacker uploads a firmware file with a malicious filename containing path traversal sequences. During processing in uploadfirmware(), the file path is extracted and stored in variable v9. This path is then passed as parameter a5 to sub_42B634(). When sub_42B634() attempts to validate the firmware by opening the file, it executes open(a5, 0) with the attacker-controlled path.
For example, if an attacker provides a filename like ../../../etc/passwd, the validation function will attempt to open /etc/passwd instead of the intended firmware file.

The back-end code lacks proper input validation and sanitization for the firmware file path (DownloadFile parameter). The value of the file path is directly used in the open() system call without checking for path traversal sequences, making it vulnerable to directory traversal attacks. An attacker could manipulate the DownloadFile parameter to inject path traversal sequences (../), potentially allowing access to arbitrary files on the system. Proper validation and sanitization of file paths are needed to prevent such vulnerabilities.
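As an added example, not code from the DCS-850L firmware or from the advisory author, the following C shows the kind of check the paragraph above calls for: the DownloadFile name is accepted only as a single path component, the path is built under a fixed upload directory, and only then is it opened. The UPLOAD_DIR location and the function names are assumptions.

```c
/* Added example (not the DCS-850L firmware's own code): a validation step
 * of the kind the advisory says is missing.  A user-supplied DownloadFile
 * name is accepted only if it is a single path component (no '/' and not
 * "." or ".."), and the full path is built under a fixed upload directory
 * before any open() call is made. */
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#define UPLOAD_DIR "/tmp/fw_upload"   /* assumed location, not from the advisory */

/* Returns 1 if name is a safe single filename, 0 otherwise. */
int is_safe_firmware_name(const char *name)
{
    size_t len;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 64) return 0;               /* empty or oversize */
    if (strchr(name, '/') != NULL) return 0;          /* no directory separators */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (size_t i = 0; i < len; i++) {                /* printable ASCII only */
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c > 0x7e) return 0;
    }
    return 1;
}

/* Builds UPLOAD_DIR "/" name into out; returns 0 on success, -1 if rejected. */
int build_firmware_path(const char *name, char *out, size_t outlen)
{
    if (!is_safe_firmware_name(name)) return -1;
    if (snprintf(out, outlen, "%s/%s", UPLOAD_DIR, name) >= (int)outlen) return -1;
    return 0;
}

/* Hardened counterpart of open(a5, 0): validate first, then open read-only
 * (O_RDONLY is the flag value 0 seen in the advisory).  Returns -1 if the
 * name is rejected or the file cannot be opened. */
int open_firmware_for_validation(const char *name)
{
    char path[256];
    if (build_firmware_path(name, path, sizeof path) != 0) return -1;
    return open(path, O_RDONLY);
}
```

With this check in front of the open() call, a name such as ../../../etc/passwd is rejected before any file system access happens.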
