{"id":4016,"date":"2024-06-01T17:56:47","date_gmt":"2024-06-01T17:56:47","guid":{"rendered":"https:\/\/chuyendoiso.haiphong.gov.vn\/?p=4016"},"modified":"2025-04-17T09:21:16","modified_gmt":"2025-04-17T09:21:16","slug":"phat-hien-lo-hong-zero-day-rce-trong-bo-dinh-tuyen-d-link-exo-ax4800","status":"publish","type":"post","link":"https:\/\/chuyendoiso.haiphong.gov.vn\/index.php\/2024\/06\/01\/phat-hien-lo-hong-zero-day-rce-trong-bo-dinh-tuyen-d-link-exo-ax4800\/","title":{"rendered":"Ph\u00e1t hi\u1ec7n l\u1ed7 h\u1ed5ng zero-day RCE trong b\u1ed9 \u0111\u1ecbnh tuy\u1ebfn D-Link EXO AX4800"},"content":{"rendered":"

B\u1ed9 \u0111\u1ecbnh tuy\u1ebfn D-Link EXO AX4800 (DIR-X4860) d\u1ec5 b\u1ecb t\u1ea5n c\u00f4ng b\u1edfi l\u1ed7 h\u1ed5ng th\u1ef1c thi l\u1ec7nh t\u1eeb xa kh\u00f4ng y\u00eau c\u1ea7u x\u00e1c th\u1ef1c. \u0110i\u1ec1u n\u00e0y c\u00f3 th\u1ec3 d\u1eabn \u0111\u1ebfn vi\u1ec7c nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng c\u00f3 quy\u1ec1n truy c\u1eadp v\u00e0o c\u1ed5ng HNAP v\u00e0 chi\u1ebfm \u0111o\u1ea1t quy\u1ec1n ki\u1ec3m so\u00e1t thi\u1ebft b\u1ecb.<\/strong>\"Ph\u00e1t<\/a><\/p>\n

D-Link DIR-X4860 l\u00e0 b\u1ed9 \u0111\u1ecbnh tuy\u1ebfn Wi-Fi 6 hi\u1ec7u su\u1ea5t cao v\u1edbi t\u1ed1c \u0111\u1ed9\u00a0l\u00ean \u200b\u200bt\u1edbi 4.800 Mbps v\u00e0 c\u00e1c t\u00ednh n\u0103ng b\u1ed5 sung nh\u01b0 OFDMA, MU-MIMO v\u00e0 BSS Coloring gi\u00fap n\u00e2ng cao hi\u1ec7u qu\u1ea3 v\u00e0 gi\u1ea3m nhi\u1ec5u. Thi\u1ebft b\u1ecb n\u00e0y\u00a0\u0111\u1eb7c bi\u1ec7t ph\u1ed5 bi\u1ebfn\u00a0\u1edf Canada,\u00a0\u0111\u01b0\u1ee3c b\u00e1n tr\u00ean th\u1ecb tr\u01b0\u1eddng to\u00e0n c\u1ea7u v\u00e0\u00a0v\u1eabn \u0111ang \u0111\u01b0\u1ee3c nh\u00e0 cung c\u1ea5p h\u1ed7 tr\u1ee3.<\/p>\n

M\u1edbi \u0111\u00e2y, nh\u00f3m nghi\u00ean c\u1ee9u c\u1ee7a nh\u00f3m SSD Secure Disclosure th\u00f4ng b\u00e1o r\u1eb1ng h\u1ecd \u0111\u00e3 ph\u00e1t hi\u1ec7n ra c\u00e1c\u00a0l\u1ed7 h\u1ed5ng\u00a0trong c\u00e1c thi\u1ebft b\u1ecb DIR-X4860 ch\u1ea1y phi\u00ean b\u1ea3n firmware m\u1edbi nh\u1ea5t, DIRX4860A1_FWV1.04B03, cho ph\u00e9p th\u1ef1c thi l\u1ec7nh t\u1eeb xa (RCE) m\u00e0 kh\u00f4ng c\u1ea7n x\u00e1c th\u1ef1c. “C\u00e1c l\u1ed7 h\u1ed5ng b\u1ea3o m\u1eadt trong DIR-X4860 cho ph\u00e9p nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng kh\u00f4ng \u0111\u01b0\u1ee3c x\u00e1c th\u1ef1c c\u00f3 th\u1ec3 truy c\u1eadp v\u00e0o c\u1ed5ng HNAP \u0111\u1ec3 c\u00f3 \u0111\u01b0\u1ee3c c\u00e1c \u0111\u1eb7c quy\u1ec1n n\u00e2ng cao v\u00e0 th\u1ef1c thi c\u00e1c l\u1ec7nh v\u1edbi quy\u1ec1n root. B\u1eb1ng c\u00e1ch k\u1ebft h\u1ee3p b\u1ecf qua x\u00e1c th\u1ef1c v\u1edbi th\u1ef1c thi l\u1ec7nh, thi\u1ebft b\u1ecb c\u00f3 th\u1ec3 b\u1ecb x\u00e2m ph\u1ea1m ho\u00e0n to\u00e0”, ti\u1ebft l\u1ed9 c\u1ee7a SSD\u00a0cho bi\u1ebft.<\/p>\n

Vi\u1ec7c truy c\u1eadp c\u1ed5ng Giao th\u1ee9c qu\u1ea3n tr\u1ecb m\u1ea1ng gia \u0111\u00ecnh (HNAP) tr\u00ean b\u1ed9 \u0111\u1ecbnh tuy\u1ebfn D-Link DIR-X4860 t\u01b0\u01a1ng \u0111\u1ed1i \u0111\u01a1n gi\u1ea3n trong h\u1ea7u h\u1ebft c\u00e1c tr\u01b0\u1eddng h\u1ee3p, v\u00ec c\u1ed5ng n\u00e0y th\u01b0\u1eddng c\u00f3 th\u1ec3 truy c\u1eadp HTTP (c\u1ed5ng 80) ho\u1eb7c HTTPS (c\u1ed5ng 443) th\u00f4ng qua giao di\u1ec7n qu\u1ea3n l\u00fd t\u1eeb xa c\u1ee7a b\u1ed9 \u0111\u1ecbnh tuy\u1ebfn.<\/p>\n

Qu\u00e1 tr\u00ecnh khai th\u00e1c<\/strong><\/p>\n

C\u00e1c nh\u00e0 ph\u00e2n t\u00edch SSD \u0111\u00e3 chia s\u1ebb b\u01b0\u1edbc khai th\u00e1c cho c\u00e1c l\u1ed7 h\u1ed5ng m\u00e0 h\u1ecd ph\u00e1t hi\u1ec7n, m\u00e3 khai th\u00e1c cho l\u1ed7 h\u1ed5ng c\u0169ng \u0111\u00e3 \u0111\u01b0\u1ee3c c\u00f4ng khai.<\/p>\n

Cu\u1ed9c t\u1ea5n c\u00f4ng b\u1eaft \u0111\u1ea7u b\u1eb1ng vi\u1ec7c g\u1eedi m\u1ed9t y\u00eau c\u1ea7u \u0111\u0103ng nh\u1eadp HNAP \u0111\u1ed9c h\u1ea1i t\u1edbi giao di\u1ec7n qu\u1ea3n l\u00fd c\u1ee7a b\u1ed9 \u0111\u1ecbnh tuy\u1ebfn, bao g\u1ed3m m\u1ed9t tham s\u1ed1 c\u00f3 t\u00ean “PrivateLogin”\u00a0\u0111\u01b0\u1ee3c \u0111\u1eb7t th\u00e0nh “Username” v\u00e0 m\u1ed9t username\u00a0(t\u00ean ng\u01b0\u1eddi d\u00f9ng) l\u00e0 “Admin”.<\/p>\n

B\u1ed9 \u0111\u1ecbnh tuy\u1ebfn ph\u1ea3n h\u1ed3i v\u1edbi m\u1ed9t th\u1eed th\u00e1ch, cookie v\u00e0 kh\u00f3a c\u00f4ng khai (public key), nh\u1eefng gi\u00e1 tr\u1ecb n\u00e0y\u00a0\u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng\u00a0\u0111\u1ec3 t\u1ea1o\u00a0m\u1eadt kh\u1ea9u \u0111\u0103ng nh\u1eadp\u00a0h\u1ee3p l\u1ec7 cho t\u00e0i kho\u1ea3n “Admin”.<\/p>\n

Y\u00eau c\u1ea7u \u0111\u0103ng nh\u1eadp ti\u1ebfp theo c\u00f3 ti\u00eau \u0111\u1ec1 HNAP_AUTH v\u00e0 LoginPassword (m\u1eadt kh\u1ea9u \u0111\u0103ng nh\u1eadp) \u0111\u00e3 \u0111\u01b0\u1ee3c t\u1ea1o \u0111\u01b0\u1ee3c g\u1eedi \u0111\u1ebfn thi\u1ebft b\u1ecb m\u1ee5c ti\u00eau,\u00a0v\u1ec1 c\u01a1 b\u1ea3n l\u00e0 b\u1ecf qua x\u00e1c th\u1ef1c.<\/p>\n

\"Ph\u00e1t<\/a><\/div>\n

Y\u00eau c\u1ea7u \u0111\u0103ng nh\u1eadp b\u1ecf qua b\u01b0\u1edbc x\u00e1c th\u1ef1c (Ngu\u1ed3n:\u00a0SSD Secure Disclosure)<\/em><\/p>\n

V\u1edbi quy\u1ec1n truy c\u1eadp \u0111\u01b0\u1ee3c x\u00e1c th\u1ef1c, k\u1ebb t\u1ea5n c\u00f4ng sau \u0111\u00f3 khai th\u00e1c l\u1ed7 h\u1ed5ng command injection trong ch\u1ee9c n\u0103ng “SetVirtualServerSettings”.<\/p>\n

SSD cho bi\u1ebft \u0111\u00e3 li\u00ean h\u1ec7 v\u1edbi D-Link ba l\u1ea7n \u0111\u1ec3 chia s\u1ebb v\u1ec1 nh\u1eefng ph\u00e1t hi\u1ec7n c\u1ee7a h\u1ecd v\u1edbi nh\u00e0 s\u1ea3n xu\u1ea5t b\u1ed9 \u0111\u1ecbnh tuy\u1ebfn trong 30 ng\u00e0y qua, nh\u01b0ng m\u1ecdi n\u1ed7 l\u1ef1c th\u00f4ng b\u00e1o \u0111\u1ec1u kh\u00f4ng th\u00e0nh c\u00f4ng, khi\u1ebfn c\u00e1c l\u1ed7 h\u1ed5ng hi\u1ec7n v\u1eabn ch\u01b0a \u0111\u01b0\u1ee3c kh\u1eafc ph\u1ee5c.<\/p>\n

Cho \u0111\u1ebfn khi b\u1ea3n c\u1eadp nh\u1eadt b\u1ea3o m\u1eadt firmware \u0111\u01b0\u1ee3c ph\u00e1t h\u00e0nh, ng\u01b0\u1eddi d\u00f9ng\u00a0DIR-X4860 n\u00ean t\u1eaft giao di\u1ec7n qu\u1ea3n l\u00fd\u00a0truy c\u1eadp t\u1eeb xa\u00a0c\u1ee7a thi\u1ebft b\u1ecb \u0111\u1ec3 ng\u0103n ch\u1eb7n vi\u1ec7c khai th\u00e1c v\u00e0 \u00e1p d\u1ee5ng b\u1ea3n c\u1eadp nh\u1eadt ngay khi n\u00f3 c\u00f3 s\u1eb5n.<\/p>\n

Ngu\u1ed3n tin: https:\/\/antoanthongtin.vn\/<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

B\u1ed9 \u0111\u1ecbnh tuy\u1ebfn D-Link EXO AX4800 (DIR-X4860) d\u1ec5 b\u1ecb t\u1ea5n c\u00f4ng b\u1edfi l\u1ed7 h\u1ed5ng th\u1ef1c thi l\u1ec7nh t\u1eeb xa kh\u00f4ng y\u00eau c\u1ea7u x\u00e1c th\u1ef1c. \u0110i\u1ec1u n\u00e0y c\u00f3 th\u1ec3 d\u1eabn \u0111\u1ebfn vi\u1ec7c nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng c\u00f3 quy\u1ec1n truy c\u1eadp v\u00e0o c\u1ed5ng HNAP v\u00e0 chi\u1ebfm \u0111o\u1ea1t quy\u1ec1n ki\u1ec3m so\u00e1t thi\u1ebft b\u1ecb. D-Link DIR-X4860 l\u00e0 b\u1ed9 \u0111\u1ecbnh […]<\/p>\n","protected":false},"author":6,"featured_media":4023,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[13],"tags":[],"class_list":{"0":"post-4016","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tin-tuc"},"_links":{"self":[{"href":"https:\/\/chuyendoiso.haiphong.gov.vn\/index.php\/wp-json\/wp\/v2\/posts\/4016","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/chuyendoiso.haiphong.gov.vn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chuyendoiso.haiphong.gov.vn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/chuyendoiso.haiphong.gov.vn\/index.php\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/chuyendoiso.haiphong.gov.vn\/index.php\/wp-json\/wp\/v2\/comments?post=4016"}],"version-history":[{"count":1,"href":"https:\/\/chuyendoiso.haiphong.gov.vn\/index.php\/wp-json\/wp\/v2\/posts\/4016\/revisions"}],"predecessor-version":[{"id":4033,"href":"https:\/\/chuyendoiso.haiphong.gov.vn\/index.php\/wp-json\/wp\/v2\/posts\/4016\/revisions\/4033"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/chuyendoiso.haiphong.gov.vn\/index.php\/wp-json\/wp\/v2\/media\/4023"}],"wp:attachment":[{"href":"https:\/\/chuyendoiso.haiphong.gov.vn\/index.php\/wp-json\/wp\/v2\/media?parent=4016"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chuyendoiso.haiphong.gov.vn\/index.php\/wp-json\/wp\/v2\/categories?post=4016"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chuyendoiso.haiphong.gov.vn\/index.php\/wp-json\/wp\/v2\/tags?post=4016"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}