We'd like to report several vulnerabilities in embedded devices developed by D-Link and Netgear, which were discovered using our FIRMADYNE framework for emulation and dynamic analysis of Linux-based embedded devices. For more information, refer to our academic paper and open-source release at https://github.com/firmadyne/firmadyne.
Several Netgear devices include unauthenticated webpages that pass form input directly to the command-line, allowing for a command injection attack in `boardData102.php`, `boardData103.php`, `boardDataJP.php`, `boardDataNA.php`, and `boardDataWW.php`. This has been assigned CVE-2016-1555. Affected devices include:
Several D-Link devices include a web server that is vulnerable to a buffer overflow while parsing the `dlink_uid` cookie. The length of the value set in the cookie is obtained using `strlen()`, which is then passed to `memcpy()`, and the value is copied into a fixed-size buffer. This has been assigned CVE-2016-1558. Affected devices include:
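The unbounded copy described above, shown beside a bounds-checked version, as an added example written for this report and not D-Link's own code; the buffer size, the cookie-header layout and all function names are assumptions:

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed destination buffer; the real firmware's size is not stated. */
#define UID_BUF_SIZE 32

/* Locate the value of a named cookie inside a raw Cookie header.
 * Returns a pointer to the first byte of the value and stores its length
 * (up to the next ';' or end of string) in *len; NULL if the name is absent. */
static const char *find_cookie(const char *header, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = header;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, ';');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, ';');
    }
    return NULL;
}

/* The pattern the advisory describes: the attacker-controlled length from
 * strlen() drives memcpy() into a fixed-size buffer with no bound check.
 * Kept only for comparison; it is never called with an over-long value here,
 * since that is undefined behaviour. */
int copy_uid_unchecked(const char *cookie_value, char out[UID_BUF_SIZE])
{
    size_t n = strlen(cookie_value);
    memcpy(out, cookie_value, n);   /* overflows when n >= UID_BUF_SIZE */
    out[n] = '\0';
    return 0;
}

/* Hardened version: the copy length is checked against the destination size
 * and over-long values are rejected rather than silently truncated. */
int copy_uid_checked(const char *header, char out[UID_BUF_SIZE])
{
    size_t vlen;
    const char *v = find_cookie(header, "dlink_uid", &vlen);
    if (!v) return -1;                      /* cookie not present */
    if (vlen >= UID_BUF_SIZE) return -2;    /* would not fit with terminator */
    memcpy(out, v, vlen);
    out[vlen] = '\0';
    return 0;
}
```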
Several Netgear devices include unauthenticated webpages that disclose the wireless WPS PIN, allowing for information disclosure. This has been assigned CVE-2016-1556. Affected devices include:
Several devices by both D-Link and Netgear disclose wireless passwords and administrative usernames/passwords over SNMP, including OIDs iso.126.96.36.199.188.8.131.52.184.108.40.206.220.127.116.11.4, iso.18.104.22.168.22.214.171.124.126.96.36.199.188.8.131.52.4, iso.184.108.40.206.220.127.116.11.18.104.22.168.1, iso.22.214.171.124.126.96.36.199.188.8.131.52.1, iso.184.108.40.206.220.127.116.11.18.104.22.168.1, iso.22.214.171.124.1.45126.96.36.199.1.5, iso.188.8.131.52.1.45184.108.40.206.1.5, iso.220.127.116.11.1.4518.104.22.168.1.7, and iso.22.214.171.124.1.45126.96.36.199.1.7. This has been assigned CVE-2016-1557 for Netgear devices, and CVE-2016-1559 for D-Link devices. Affected devices include:
We have not heard back from D-Link after contacting the vendor. Netgear will fix WN604 with firmware 3.3.3 by late February, but the tentative ETA for the remaining devices is mid-March.