DSL-504T (and maybe many other) remote access without password bug

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: DSL-504T (and maybe many other) remote access without password bug
From: alessandro <alessandro@xxxxxxxxxxxxx>
Date: Thu, 26 May 2005 20:50:57 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 0.9 (Windows/20041103)

Device: CUSTOMER=DLinkEU MODEL=DSL-504T
Version: only tested with VERSION=V1.00B01T16.EU.20040217
Bugs: i)  remote firmware upgrade without password
     ii) config retrieval without password
Exploitation: remote
Date: 26/05/2005
Status: vendor not contacted
Workaround: disable remote web management
Author: Alessandro Audero

The Bug

DSL-504T is a D-Link router/ADSL modem with a linux system on it based
on MIPS 4KEc V4.8. This is the uname that i found from the device i
tested:

Linux version 2.4.17_mvl21-malta-mips_fp_le
(tiger@xxxxxxxxxxxxxxxxxxxxx) (gcc version 2.95.3 20010315
(release/MontaVista)) #71 Tue Feb 17 01:16:45 GMT 2004

It supports a remote web management console, that at first sigth asks for
a username and a password. The URL should be something like this:

http:://ipaddress/

and if you click on 'login' you'll get this other URL:

http://ipaddress/cgi-bin/webcm

that obviously tells you that you have typed in a wrong password.
But if you look at the root cgi-bin dir, that is

http//ipaddress/cgi-bin/

you'll get a list of two files: one is webcm, the other is firmwarecfg
If you click on the latter one, you will be placed in a page where you are
allowed to upgrade the router firmware, restart the router, download
current configuration or restore a previously saved conf.

There's another point in downloading router configuration. Infact
management username and password are saved in clear text inside the xml
file:

<security>
 <settings>
   <username>XXXXXXXXX</username>
   <password>XXXXXXXXX</password>
   ...
 </setting>
</security>

With this auth info you can log inside the system using telnet and have
a complete shell on that router.

Another issue can be found looking at another username/password section
regarding ADSL connection settings:

<username>XXXXXXXXXX</username>
<password>XXXXXXXXXX</password>

This can lead to email/webaccount security problems if the user uses
these infos also for his accounts (email for example), that can be really
possible in case the internet provider provides also email or web space.

That's all, folks.

Alessandro Audero

Misc:
It is possible that this kind of bug could also be present in other
routers, implementing busybox, and that are configurable via http or
thttp.

Prev by Date: RE: CAID 32896 - Computer Associates Vet Antivirus engine heap overflow vulnerability
Next by Date: Citrix security contact
Previous by thread: [AppSecInc Advisory BEA05-V0101] BEA WebLogic Administration Console login page cross-site scripting vulnerability
Next by thread: Citrix security contact
Index(es):
- Date
- Thread