MYHACK58:62201992789
Published: Jan 29, 2019 - 12:00 a.m.

360 Code Guard helps D-Link fix multiple high-risk vulnerabilities: brief technical analysis (vulnerability warning, Black Bar Security Net / myhack58)

2019-01-29 00:00:00
佚名 (Anonymous)
www.myhack58.com
80

EPSS: 0.013
Percentile: 85.9%

Recently, security researchers on the 360 Enterprise Security Group Code Guard team found two high-risk security vulnerabilities (CVE-2018-20056 and CVE-2018-20057) in the DIR-619 and DIR-605 series routers from D-Link, reported them to D-Link at the first opportunity, and assisted the vendor in fixing them.
The DIR-605 and DIR-619 series are D-Link home router products. On January 4, 2019, D-Link published a security announcement (https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10100) that publicly acknowledges the 360 Enterprise Security Group Code Guard team and releases the corresponding patches for the vulnerabilities.
![](/Article/UploadPic/2019-1/2019129165048571.png)
![](/Article/UploadPic/2019-1/2019129165048544.png)
Figure: D-Link's acknowledgement of 360 Code Guard
Of the vulnerabilities D-Link fixed, CVE-2018-20056 is a buffer overflow; this article gives a technical analysis of that vulnerability.
![](/Article/UploadPic/2019-1/2019129165048853.png)

Vulnerability overview
CVE-2018-20056
This is an unauthenticated stack buffer overflow affecting the D-Link DIR-605L 300M wireless cloud router and DIR-619L 300M wireless cloud router models. The flaw lies in a function interface of the device's web server that an unauthenticated user can invoke with a POST request to http://[target_ip]/goform/formLanguageChange. The currtime POST parameter is written onto the stack by a dangerous memory-copy function without any length check, so a carefully constructed currtime value triggers a buffer overflow and can even yield a root shell on the device directly.

Technical analysis
After unpacking the firmware with binwalk and examining the system's file directory, we find the boa program. Boa is a lightweight web server that is common in embedded systems. Reverse analysis shows that this binary adds multiple function interfaces on top of the boa source code to implement the router's various features.
Most of these interfaces require authentication before they can be used, but a small number, such as login and logout, remain usable without it. Locating the process_header_end function in the boa binary reveals which functions an unauthenticated user can call. The key part of that code is shown below; its decision logic can be summarized as follows: if is_valid_user determines that the request comes from an unauthenticated user, strstr is then used to decide whether the requested URL is one of the interfaces such a user may call. Analysis and experiment show that, besides the login function, an unauthenticated user can also invoke the formLanguageChange interface, which changes the web UI display language.
![](/Article/UploadPic/2019-1/2019129165048819.png)
![](/Article/UploadPic/2019-1/2019129165048876.png)
Figure: process_header_end function
Next, we locate the dispatch function websaspinit to analyze how this function is reached; the key code is as follows:
![](/Article/UploadPic/2019-1/2019129165049505.png)
Figure: websaspinit function
Analysis and experiment show that a POST request to http://[target_ip]/goform/formLanguageChange enters the formLanguageChange handler, which calls websgetvar to retrieve the values of the config.i18n_language, currtime and nextpage parameters from the POST body.
In websgetvar, the parameter value is saved into a newly allocated block of memory using strlen, malloc and memcpy, with no check or limit on the parameter's length. A parameter obtained this way is very easy to mishandle when it subsequently meets a dangerous memory-copy function, and this is the root cause of the vulnerability described below.
![](/Article/UploadPic/2019-1/2019129165050981.png)
Figure: websgetvar function
Continuing with the formLanguageChange function, the program passes the retrieved currtime value directly to the dangerous function sprintf, which writes it onto the stack at offset 0x110-0xf8, producing a buffer overflow.
Analysis shows that the function's return address is stored at offset 0x110-0x4, so a parameter longer than 0xf4 bytes directly overwrites the return address and hijacks the program's control flow.
![](/Article/UploadPic/2019-1/2019129165050711.png)
Figure: formLanguageChange function
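As an added illustration (not code from the article or from D-Link's firmware), the following hypothetical C reconstruction places the vulnerable pattern described above, an unbounded sprintf of a request parameter into a fixed stack buffer, beside a bounded version that rejects over-long input. The 0x18-byte buffer size is derived from the article's 0x110-0xf8 offset; the names websgetvar_copy, format_currtime_vulnerable and format_currtime_hardened are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stack buffer size implied by the article's offsets: 0x110 - 0xf8 = 0x18 bytes.
 * Everything below is a hypothetical reconstruction, not the vendor's code. */
#define CURRTIME_BUF 0x18

/* Stand-in for websgetvar(): sizes the heap copy from strlen() alone and
 * never tells the caller how long the value is allowed to be. */
char *websgetvar_copy(const char *value) {
    size_t n = strlen(value);
    char *p = malloc(n + 1);
    if (p != NULL)
        memcpy(p, value, n + 1);
    return p;
}

/* Vulnerable pattern: unbounded sprintf of a request parameter into a fixed
 * stack buffer. Called only with short input here; a value longer than the
 * buffer is undefined behaviour (the overflow the article describes). */
int format_currtime_vulnerable(const char *currtime) {
    char buf[CURRTIME_BUF];
    sprintf(buf, "%s", currtime);          /* no length check of any kind */
    return (int)strlen(buf);
}

/* Hardened form: check the length before copying and use a bounded
 * formatter, so no input can reach past the buffer, let alone the saved
 * return address 0xf4 bytes further up. Returns -1 on rejection, else the
 * number of bytes copied into out. */
int format_currtime_hardened(const char *currtime, char *out, size_t outlen) {
    char buf[CURRTIME_BUF];
    if (currtime == NULL || strlen(currtime) >= sizeof buf)
        return -1;                         /* too long: refuse rather than truncate */
    int n = snprintf(buf, sizeof buf, "%s", currtime);
    if (n < 0 || (size_t)n >= sizeof buf || (size_t)n >= outlen)
        return -1;
    memcpy(out, buf, (size_t)n + 1);
    return n;
}
```

The hardened version rejects at 24 bytes, far below the 0xf4 bytes the article identifies as the distance to the return address, which is the margin a fixed-size stack buffer should enforce.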
Because the router environment itself has insufficient protection mechanisms, once an attacker controls program flow, ROP techniques can be used to achieve arbitrary code execution.
The ROP process is: 1. assign the value of the a0 argument register; 2. call the sleep function; 3. place the stack address in a register; 4. jump into the stack via a register-indirect jump, landing at the shellcode's location and completing the exploit.
![](/Article/UploadPic/2019-1/2019129165050349.png)
Figure: result of exploitation

Reference links
https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10100
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20056
About 360 Code Guard
“360 Code Guard” is the 360 Enterprise Security Group’s product line focused on software source code security. Its capabilities cover three areas: source code defect detection, source code compliance testing, and source code traceability detection, addressing respectively the security flaws and vulnerabilities introduced during software development, code compliance issues, and the management and control of open-source code security. The “360 Code Guard” product series supports source code security analysis on Windows, Linux, Android, Apple iOS, IBM AIX and other platforms, and supports programming languages including C, C++, C#, Objective-C, Java, JSP, JavaScript, PHP, Python, Go and the blockchain smart-contract language Solidity. 360 Code Guard has been deployed at hundreds of large organizations, helping users build their own code security systems and eliminate security risks in software code.
