www.s3cur1ty.de blogs

Security Advisories

m1k3 — Mon, 06 May 2013 09:44:52 +0000

2013

M1ADV2013-018 - Multiple Vulnerabilities in D-Link DSL-320B
Release Date: 06.05.2013
BID: 59659
Exploit DB ID: 25251

Multiple Vulnerabilities in D-Link DSL-320B

m1k3 — Mon, 06 May 2013 09:42:49 +0000

Device: DSL-320B

Firmware Version: EU_DSL-320B v1.23 date: 28.12.2010

Vendor URL: http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/ds...

============ Vulnerability Overview: ============

Access to the Config file without authentication => full authentication bypass possible!: (1)

Request:

192.168.178.111/config.bin

Response



=======

Your Telnet Backdoor is waiting for you

m1k3 — Tue, 30 Apr 2013 12:18:57 +0000

It is too bad if your device has a backdoor directly from the vendor. In some devices of the vendor D-Link you are able to find a nice telnet server listening on the internal network interface. The following output shows the results of a Nmap scan of three different D-Link DIR devices (DIR-300revA, DIR-300revB, DIR-600revB):

root@bt:~# nmap -sSV -p 23 192.168.178.133,144,222 Starting Nmap 6.01 ( http://nmap.org ) at 2013-04-30 13:42 CEST Nmap scan report for 192.168.178.133 Host is up (0.0067s latency). PORT STATE SERVICE VERSION

Multiple Vulnerabilities in D'Link DIR-635

m1k3 — Thu, 25 Apr 2013 06:36:18 +0000

Device Name: DIR-635
Vendor: D-Link

============ Vulnerable Firmware Releases: ============

Firmwareversion: 2.34EU
Hardware-Version: B1
Produktseite: DIR-635

============ Vulnerability Overview: ============

Stored XSS -> Status - WLAN -> SSID

Special Webcast: Hacking Embedded Systems (No Axe Required)

m1k3 — Wed, 24 Apr 2013 12:28:33 +0000

Hey guys,

yesterday @pauldotcom gave a great webcast on hacking embedded devices. Following some impressions of this webcast.

On a slide with HD Moore ... h00ray ;)

And the MIPS payloads of the #metasploit framework:

Multiple Vulnerabilities in D'Link DIR-615 - Hardware revision D3 / DIR-300 - Hardware revision A

m1k3 — Mon, 22 Apr 2013 14:59:24 +0000

Device Name: DIR-615 - Hardware revision D3 / DIR-300 - Hardware revision A
Vendor: D-Link

============ Device Description: ============

DIR-300: http://www.dlink.com/de/de/home-solutions/connect/routers/dir-300-wirele...
DIR-615: http://www.dlink.com/de/de/support/product/dir-615-wireless-n-300-router...

============ Vulnerable Firmware Releases - DIR-615: ============

Tested Firmware Version : 4.13

============ Vulnerable Firmware Releases - DIR-300: ============

Multiple Vulnerabilities in D-Link devices

m1k3 — Fri, 05 Apr 2013 12:55:30 +0000

Device Name: DIR-600 / DIR-300 revB / DIR-815 / DIR-645 / DIR-412 / DIR-456 / DIR-110
Vendor: D-Link

============ Vulnerable Firmware Releases: ============

DIR-815 v1.03b02 (unauthenticated command injection)
DIR-645 v1.02 (unauthenticated command injection)
DIR-645 v1.03 (authenticated command injection)
DIR-600 below v2.16b01 (with v2.16b01 D-Link also fixes different vulnerabilities reported in M1ADV2013-003)
DIR-300 revB v2.13b01 (unauthenticated command injection)
DIR-300 revB v2.14b01 (authenticated command injection)
DIR-412 Ver 1.14WWB02 (unauthenticated command injection)
DIR-456U Ver 1.00ONG (unauthenticated command injection)
DIR-110 Ver 1.01 (unauthenticated command injection)

Possible other versions and devices are also affected by this vulnerability.

Metasploit Updates with some Home Network Horror stuff

m1k3 — Fri, 29 Mar 2013 08:51:45 +0000

The last two updates from #Metasploit include some new stuff to test your home network devices within your pentests.

You could find the original text of the following paragraph over here.

Consumer-Grade Hacking

Last month, I talked about community contributor Michael @m-1-k-3 Messner's nifty D-Link authentication bypass, and made the case that having Metasploit modules for consumer-grade access points is, in fact, useful and important.

Well, this week's update has a pile of new modules from m-1-k-3, all of which are targeting these kinds of consumer-grade networked devices: We now have a Linksys E1500 / E2500 remote command exec exploit, a Linksys 1500 directory traversal exploit, a directory traversal module for TP-Link's TL-WA701ND access point, a password extractor for the DLink DIR-645, and a directory traversal module for NetGear's weird single-purpose cordless phone device.

That's right, we have a Metasploit module for a cordless phone. The era of there being a difference between your "electronic devices" and your "computer devices" is coming to a close. What I said last month about these sorts of devices being in scope for a pen-test still stands -- if they're not in scope today, they really ought to be, at least for key personnel. Criminals don't particularly care about your scope doc.

You could find the original text of the following paragraph over here.

Getting a full Shell on D-Link DSL-320B

m1k3 — Tue, 19 Mar 2013 09:54:58 +0000

This time not a big thing ... more a nice detail on getting a shell on the DSL-320B device.

If you are doing a portscan on your local network with Nmap you will see the following output:

PORT   STATE SERVICE    VERSION
21/tcp open  ftp        D-Link or USRobotics ADSL router firmware update ftpd
22/tcp open  tcpwrapped
23/tcp open  telnet     D-Link DSL-2542B ADSL router telnetd
80/tcp open  http?

You could login with the credentials from the webinterface and you get a stripped access:

root@bt:~# telnet 192.168.178.111 Trying 192.168.178.111...

Auf ein Wort mit: Michael Messner #ffg2013

m1k3 — Tue, 26 Feb 2013 11:52:24 +0000

"Morgen beginnt mit den ersten Tutorials das Frühjahrsfachgespräch in Frankfurt. Letzter Appetithappen, bevor wir direkt vom FFG berichten: Ein Gespräch mit Michael Messner, ebenfalls schon lange im GUUG- und FFG-Umfeld bekannt und geschätzt. Er berichtet in diesem Interview über seinen Vortrag sowie das Metasploit-Tutorial, das er am Mittwoch hält."

Das Programm findet ihr hier.