DSL-504T (and maybe many other) remote access without password bug

From: alessandro (alessandro_at_sideralis.net)
Date: 05/26/05

Date: Thu, 26 May 2005 20:50:57 +0200
To: bugtraq@securityfocus.com


    Device: CUSTOMER=DLinkEU MODEL=DSL-504T
    Version: only tested with VERSION=V1.00B01T16.EU.20040217
    Bugs: i) remote firmware upgrade without password
          ii) config retrieval without password
    Exploitation: remote
    Date: 26/05/2005
    Status: vendor not contacted
    Workaround: disable remote web management
    Author: Alessandro Audero

    The Bug

    DSL-504T is a D-Link router/ADSL modem with a Linux system on it based
    on MIPS 4KEc V4.8. This is the uname that I found from the device I
    tested:

    Linux version 2.4.17_mvl21-malta-mips_fp_le
    (tiger@fd7.alphanetworks.com) (gcc version 2.95.3 20010315
    (release/MontaVista)) #71 Tue Feb 17 01:16:45 GMT 2004

    It supports a remote web management console, that at first sight asks for
    a username and a password. The URL should be something like this:

    http://ipaddress/

    and if you click on 'login' you'll get this other URL:

    http://ipaddress/cgi-bin/webcm

    that obviously tells you that you have typed in a wrong password.
    But if you look at the root cgi-bin dir, that is

    http://ipaddress/cgi-bin/

    you'll get a list of two files: one is webcm, the other is firmwarecfg.
    If you click on the latter one, you will be placed in a page where you are
    allowed to upgrade the router firmware, restart the router, download
    current configuration or restore a previously saved conf.

    There's another point in downloading the router configuration. In fact
    the management username and password are saved in clear text inside the xml
    file:

    <security>
      <settings>
        <username>XXXXXXXXX</username>
        <password>XXXXXXXXX</password>
        ...
      </settings>
    </security>

    With this auth info you can log inside the system using telnet and have
    a complete shell on that router.

    Another issue can be found looking at another username/password section
    regarding ADSL connection settings:

    <username>XXXXXXXXXX</username>
    <password>XXXXXXXXXX</password>

    This can lead to email/web account security problems if the user uses
    this info also for his accounts (email for example), which can be quite
    possible in case the internet provider also provides email or web space.

    That's all, folks.

    Alessandro Audero

    Misc:
    It is possible that this kind of bug could also be present in other
    routers implementing busybox that are configurable via http or
    thttp.
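Two defender-side checks that follow from the post above, written here as an added example (not code from the original post or from D-Link). The first parses an exported configuration shaped like the fragment in the post and reports where clear-text credentials sit, so an administrator knows which passwords to rotate once an export may have been pulled. The second scans access-log lines for requests to the unauthenticated /cgi-bin/firmwarecfg page coming from outside the LAN. The common-log-format lines, the LAN range 192.168.1.0/24 and all credential values are constructed assumptions; the router itself may not keep such logs, so in practice these lines would come from a proxy or collector in front of the management interface.

```python
"""Defender-side checks for the DSL-504T unauthenticated firmwarecfg issue.

Added example, not part of the original advisory. Sample config and log
lines below are constructed; the DSL-504T is not known to emit this log
format, so treat the log check as something to run on a collector's data.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed configuration export, shaped like the fragment in the post.
# Values are placeholders, not real credentials.
SAMPLE_CONFIG = """<root>
  <security>
    <settings>
      <username>admin</username>
      <password>placeholder-admin-pw</password>
    </settings>
  </security>
  <wan>
    <pppoe>
      <username>subscriber@isp.example</username>
      <password>placeholder-pppoe-pw</password>
    </pppoe>
  </wan>
</root>"""

CREDENTIAL_TAGS = {"username", "password"}


def find_cleartext_credentials(xml_text):
    """Return (path, tag) for every non-empty credential element.

    Only locations are returned, never the values themselves, so the
    report can be shared without re-leaking the secrets it describes.
    """
    root = ET.fromstring(xml_text)
    found = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.tag in CREDENTIAL_TAGS and (elem.text or "").strip():
            found.append((here, elem.tag))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return found


# Constructed access-log lines in Apache common log format (assumption).
# 203.0.113.45 is a documentation-range address standing in for an
# external client; 192.168.1.10 is a LAN host.
SAMPLE_LOG = """\
192.168.1.10 - - [26/May/2005:20:50:57 +0200] "GET /cgi-bin/webcm HTTP/1.1" 200 512
203.0.113.45 - - [26/May/2005:20:51:03 +0200] "GET /cgi-bin/ HTTP/1.1" 200 340
203.0.113.45 - - [26/May/2005:20:51:09 +0200] "GET /cgi-bin/firmwarecfg HTTP/1.1" 200 2048
203.0.113.45 - - [26/May/2005:20:51:15 +0200] "POST /cgi-bin/firmwarecfg HTTP/1.1" 200 30000
192.168.1.10 - - [26/May/2005:20:52:00 +0200] "GET /cgi-bin/firmwarecfg HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The directory listing and the unauthenticated CGI named in the post.
SENSITIVE_PATHS = ("/cgi-bin/", "/cgi-bin/firmwarecfg")


def flag_external_firmwarecfg(log_text, lan="192.168.1.0/24"):
    """Return one dict per request to a sensitive path from outside the LAN.

    A 200 on /cgi-bin/firmwarecfg from an external address is the signal
    that remote web management is still exposed; a POST there is a
    possible firmware upload or config restore and deserves priority.
    """
    lan_net = ipaddress.ip_network(lan)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if path not in SENSITIVE_PATHS:
            continue
        src = ipaddress.ip_address(m.group("ip"))
        if src in lan_net:
            continue
        hits.append({
            "ip": str(src),
            "method": m.group("method"),
            "path": path,
            "status": int(m.group("status")),
        })
    return hits


if __name__ == "__main__":
    for path, tag in find_cleartext_credentials(SAMPLE_CONFIG):
        print(f"clear-text {tag} at {path}")
    for hit in flag_external_firmwarecfg(SAMPLE_LOG):
        print(f"external {hit['method']} {hit['path']} from {hit['ip']} -> {hit['status']}")
```

On the sample data the config check reports four credential locations (management and PPPoE username/password) and the log check returns the three external requests to /cgi-bin/ and /cgi-bin/firmwarecfg while ignoring the same paths from the LAN host; a 401 status on those paths after the fix would show that the CGI is now behind authentication.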

