-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nth Dimension Security Advisory (NDSA20070412)
Date: 12th April 2007
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: DSL-G624T router (V3.00B01T02.UK-A.20060208)
<http://www.dlink.co.uk/?go=gNTyP9CgrdFOIC4AStFCF834mptYKO9ZTdvhLPG3yV3oVo5+hKltbNlwaaFp7DQtFzrqyCJG948BANfh>
Vendor: D-Link <http://www.dlink.co.uk/>
Risk: Medium

Summary

Following the Securiteam posting "D-Link DSL-G604T Wireless Router
Directory Traversal" which described a directory traversal in release
V1.00B02T02.EU.20040618 of the DSL-G624T router firmware, research
was carried out on the DSL-G624T router which indicated that it too
was vulnerable to this and a second vulnerability.  Nth Dimension
would also point out that the directory traversal have been reported in
other router and firmware combinations.

1) Firmware CGI is vulnerable to directory traversal and can be made
to retrieve any file to which the web server user has read access
(for example /etc/shadow).

2) Firmware CGI is vulnerable to Javascript injection within the 
requested URL.

Technical Details

1) The firmware CGI script can be made to read any arbitrary file that
the web server user has read access to, as it makes no sanity checks on
the value passed within the getpage parameter of the URL, for example:

http://192.168.1.1/cgi-bin/webcm?getpage=/etc/shadow

In the event that the user has not authenticated, then the user is prompted
for authentication credentials before the request is processed.

As noted above this vulnerability bares an uncanny resemblance to a previously
reported vulnerability with another D-Link router running a (presumably) older
version of the firmware.

2) The value of the URL requested is used in within the web pages returned
by the firmware CGI script, in its unsanitised form.  Specifically, it makes
no sanity checks on the value passed within the var:RelaodHref parameter of the
URL, for example:

http://192.168.1.1/cgi-bin/webcm?getpage=../html/home/home_RelaodHref.htm&var:RelaodHref=a"%20==%20"a"){alert("XSS")}}</script>

As with the example of Javascript injection, the user will be
prompted to authenticate if required.

Combining these vulnerabilities should allow the compromise of any router
running affected firmware versions.

Solutions

Unfortunately, Nth Dimension are unware of any fixes for these issues
at the current time.  Note that 2 years have elapsed, and 2 major releases
of the firmware have occurred since the original Securiteam advisory were
published.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGORUZVAlO5exu9x8RAsdLAKDe/poB55PYW3TrwA0zy4bD6L70KQCgsxXx
hQwXSVxG2LMYE4aXpeufz8M=
=lAkO
-----END PGP SIGNATURE-----