September 26, 2024


Episode 15


CVE-2024-45623: Unauthenticated RCE in D-Link DAP-2310


Authors: Hahna Kane Latonick and Jonathan Waterman

Dark Wolf Solutions recently disclosed to D-Link a vulnerability that results in unauthenticated remote code execution (RCE) on the DAP-2310 REV-A Wireless Access Point (AP) running the latest firmware, version 1.16RC028. D-Link wireless products are built on industry standards to provide high-speed wireless connectivity that is easy to use in home, business, or public-access wireless networks. Shown in Figure 1, the DAP-2310 lets network administrators deploy robust 802.11n wireless networks with multiple operation modes (e.g., access point, wireless distribution system, AP repeater), high-performance connectivity, security features such as WPA2 encryption, and easy management.


Target Analysis

The DAP-2310 runs on the MIPS architecture (Microprocessor without Interlocked Pipelined Stages), a reduced instruction set computer (RISC) architecture. The DAP-2310 is also a big-endian device: the most significant byte of a word is stored at the lowest memory address and the least significant byte at the highest. A little-endian system, in contrast, stores the least significant byte at the lowest address. For example, the 32-bit value 0x12345678 is stored as the bytes 12 34 56 78 on a big-endian system and as 78 56 34 12 on a little-endian one. Of the two, big-endian ordering resembles the way numbers are written left to right in English.

The DAP-2310 uses the Apache HTTP server (“httpd”) to handle incoming requests from web browsers, process those requests, and send the appropriate files back to the browser, allowing users to view the website’s content. In addition, the device uses a binary named atp to handle PHP HTTP requests on behalf of the Apache HTTP Server. We will focus on the atp binary for the remainder of this article, describing the vulnerability that exists within it and how we exploited it to achieve remote code execution on the DAP-2310 without authentication.

CVE-2024-45623 Vulnerability


Dark Wolf Solutions identified a stack-based buffer overflow vulnerability in the atp binary that can be triggered with a crafted curl command requesting a URL that ends in a PHP extension. MITRE assigned this vulnerability CVE-2024-45623 on September 2, 2024, with a critical severity score of 9.8. To evaluate and verify the vulnerability, we emulated the DAP-2310 with the Firmware Analysis Toolkit on an Ubuntu 22.04 LTS virtual machine (Figure 2), and we used the GNU Project Debugger (GDB) together with GDB server to analyze the target dynamically.

Our analysis revealed a few constraints. First, the length of the overflow is limited: an excessively long URL causes httpd to block the request. Second, the URL cannot contain NULL bytes, which in particular rules them out of any shellcode used for exploitation. Third, we initially control only a subset of registers: $s0-$s5 (saved registers), $epc (exception program counter), and $ra (return address). Lastly, address space layout randomization (ASLR) is enabled by default; it randomizes the locations of the heap, stack, and libraries in a process's address space, which makes memory corruption vulnerabilities harder to exploit. All of these constraints had to be accounted for during the exploitation process.

Exploiting CVE-2024-45623

The ultimate goal of our exploit is to make the atp binary call the system function with an attacker-controlled argument while processing our PHP request. The exploit we submitted to D-Link takes the form of a crafted curl command that sends an HTTP GET request to the device and triggers the buffer overflow. Because the DAP-2310 has ASLR enabled by default, we needed to bypass this mitigation in order to determine the runtime address of system, which is defined in the standard C library, libc. Brute-forcing can be slow and inefficient, but our exploit used it to defeat ASLR effectively because libc could only be located within a limited range of addresses on this MIPS32 system.

By overwriting the return address through the buffer overflow, we control the program's execution, so the exploit proceeds to run a return-oriented programming (ROP) chain that grooms the stack, preserves the necessary register state, and ultimately calls system to execute arbitrary shell commands. For example, our exploit starts the telnet daemon on a custom port (Figure 3), which then lets us connect to the device and run arbitrary commands remotely (Figure 4). Again, this remote code execution requires no authentication.
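As a defender-side complement to the request characteristics described above (a GET whose URI ends in .php, an oversized URI that httpd would otherwise block, and many repeated attempts while the libc base is brute-forced), here is an added example that flags such requests in httpd access logs. It is not part of the original write-up or D-Link's code; the log format, the thresholds and the sample addresses are assumptions.

```python
"""Flag CVE-2024-45623-style requests in httpd access logs (added example)."""
import re
from collections import Counter

# Apache combined-style request line; the exact log format is an assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
MAX_URI_LEN = 256          # assumed threshold; tune to the AP's normal traffic
BRUTE_FORCE_THRESHOLD = 5  # repeated hits from one IP model the ASLR brute-force
# Percent-encoded control (0x00-0x1f) or high (0x80-0xff) bytes: raw payload
# bytes, not something a browser sends to a .php page on the management UI.
BINARY_ESCAPE = re.compile(r'%(?:[01][0-9a-fA-F]|[89a-fA-F][0-9a-fA-F])')

def is_suspicious(uri: str) -> bool:
    """True for a .php request that is oversized or carries encoded binary bytes."""
    path = uri.split('?', 1)[0]
    if not path.lower().endswith('.php'):
        return False
    return len(uri) > MAX_URI_LEN or BINARY_ESCAPE.search(uri) is not None

def scan(lines):
    """Return (suspicious hits, source IPs that look like brute-force attempts)."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'GET':
            continue
        if is_suspicious(m['uri']):
            hits.append((m['ip'], m['status'], len(m['uri'])))
            per_ip[m['ip']] += 1
    brute = sorted(ip for ip, n in per_ip.items() if n >= BRUTE_FORCE_THRESHOLD)
    return hits, brute

# Constructed sample log: one benign admin request, then six oversized .php
# requests with encoded high bytes from a single (constructed) source address.
PAD = 'A' * 300
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2024:10:00:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 1234',
] + [
    f'198.51.100.7 - - [26/Sep/2024:10:00:{i:02d} +0000] "GET /{PAD}%fe%ff%80.php HTTP/1.1" 400 0'
    for i in range(6)
]

if __name__ == '__main__':
    hits, brute = scan(SAMPLE_LOG)
    for ip, status, size in hits:
        print(f'suspicious .php GET from {ip}: status={status} uri_len={size}')
    print('possible ASLR brute-force from:', brute)
```

Because the DAP-2310 has reached end of life, alerting on this pattern at a log collector or upstream proxy is the practical detection option rather than a fix on the device itself.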

Conclusion

After we disclosed this vulnerability, D-Link released a security bulletin strongly recommending that the DAP-2310 be retired and replaced, since the DAP-2310 and its hardware revisions have reached their End-of-Life ("EOL") / End-of-Service ("EOS") life cycle. As a result, D-Link cannot resolve device or firmware issues for these products, because all development and customer support have ceased. In the bulletin, D-Link also advises, “If US consumers continue to use these devices against D-Link's recommendation, please ensure the device has the most recent firmware, frequently updates its unique password to access its web configuration, and always has WIFI encryption enabled with a unique password.”