Title:
ACSA-2013-020 - DLink Telnet access via hardcoded Alphanetworks and image_sign
Author:
Andrei Costin of "FIRMWARE.RE" project
andrei@firmware.re
andrei@andreicostin.com
Vulnerability discovered using "FIRMWARE.RE" platform/service
Security advisory numbering:
ACSA-2013-020
CVE (to be assigned)
Report timeline:
28 October 2013 - Discovery
28 October 2013 - Trying to establish 'product security' contact @ DLink
29 October 2013 - CVE request to MITRE
Vendor(s):
DLink
Product(s):
DIR412
DIR645A1
DIR865L
dap1522
dap2555
dap3525
dir300b
dir412
dir605L
dir645
dir815
dir865L
Firmware(s):
"DIR412A1_FW114WWb02.bin"
"DIR645A1_FW102B08_BETA.zip"
"DIR645A1_FW103RUB08.bin"
"DIR865L_A1_firmware_100b24.zip"
"dap1522_revB_FW_200.zip"
"dap1522_revB_FW_201.zip"
"dap1522_revB_FW_203b.bin"
"dap2555_FW_100.zip"
"dap2555_FW_111.zip"
"dap2555_FW_120.zip"
"dap3525_FW_101.zip"
"dap3525_FW_111.zip"
"dir300b_v2.06_b9fe.bin"
"dir412_FW_109b06CA_beta.zip"
"dir605L_FW_113.zip"
"dir645_FW_101.zip"
"dir645_FW_102.zip"
"dir645_FW_103.zip"
"dir815_FW_101.zip"
"dir815_FW_102.bin"
"dir865L_fw_102.bin"
Details:
The affected products and firmware images start telnetd on the device with hardcoded credentials, in one of the following forms:
telnetd -l "/usr/bin/login" -u Alphanetworks:$image_sign -i br0 &
telnetd -l "/usr/sbin/login" -u Alphanetworks:$image_sign -i $lf &
telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &
Most commonly, the telnetd daemon above is started at init stage from:
/etc/init0.d/S80telnetd.sh
The username is the constant 'Alphanetworks', as seen above.
The password varies by device and firmware revision and is taken from the $image_sign variable.
The $image_sign variable is obtained as follows:
image_sign=`cat /etc/config/image_sign`
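As an added example, not part of this advisory or of the FIRMWARE.RE service: a small POSIX shell audit helper that scans an unpacked firmware root for the init-script pattern above and reports the image_sign value that would serve as the telnet password. It assumes the root filesystem has already been extracted to a directory; the sample tree and the image_sign value it builds are constructed, not taken from a real image.

```shell
#!/bin/sh
# Added audit helper (not from the advisory or the FIRMWARE.RE project).
# Scans an unpacked firmware root for init scripts that launch telnetd with
# the fixed "Alphanetworks" user and reports the /etc/config/image_sign
# value that becomes the password. Layout assumption: root filesystem
# extracted to a directory, init scripts somewhere under etc/.

# Usage: find_alphanetworks_telnetd ROOT
# Prints "<script path>:<image_sign value>" per matching script.
# Returns 0 if at least one match was found, 1 otherwise.
find_alphanetworks_telnetd() {
    root="$1"
    found=0
    sign_file="$root/etc/config/image_sign"
    if [ -r "$sign_file" ]; then
        sign=$(cat "$sign_file")
    else
        sign="<no /etc/config/image_sign>"
    fi
    # Match lines such as: telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign
    # (paths containing whitespace are not expected in firmware roots)
    for script in $(grep -rl 'telnetd.*-u[[:space:]]*Alphanetworks:' "$root/etc" 2>/dev/null); do
        printf '%s:%s\n' "${script#"$root"}" "$sign"
        found=1
    done
    [ "$found" -eq 1 ]
}

# Constructed sample root that mirrors the affected layout; the image_sign
# value here is made up, not one of the retrieved passwords.
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/init0.d" "$dir/etc/config"
    printf 'sample_image_sign\n' > "$dir/etc/config/image_sign"
    cat > "$dir/etc/init0.d/S80telnetd.sh" <<'EOF'
#!/bin/sh
image_sign=`cat /etc/config/image_sign`
telnetd -l "/usr/sbin/login" -u Alphanetworks:$image_sign -i br0 &
EOF
    printf '%s\n' "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_root)
    find_alphanetworks_telnetd "$root"   # prints /etc/init0.d/S80telnetd.sh:sample_image_sign
    rm -rf "$root"
fi
```

Run with --demo against the constructed tree, or pass the path of a real extracted root to audit an image before deployment.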
For the affected devices, the following image_sign values (passwords) were retrieved; attackers can use them directly:
wapnd03cm_dkbs_dap2555
wapnd04cm_dkbs_dap3525
wapnd15_dlob_dap1522b
wrgac01_dlob.hans_dir865
wrgn23_dlwbr_dir300b
wrgn28_dlob_dir412
wrgn39_dlob.hans_dir645
wrgn39_dlob.hans_dir645_V1
wrgnd08_dlob_dir815
Each hardcoded password maps to the corresponding device and firmware as follows:
wapnd03cm_dkbs_dap2555
"dap2555_FW_111.zip"
"dap2555_FW_100.zip"
"dap2555_FW_120.zip"
wapnd04cm_dkbs_dap3525
"dap3525_FW_111.zip"
"dap2555_FW_120.zip"
wapnd15_dlob_dap1522b
"dap1522_revB_FW_203b.bin"
"dap1522_revB_FW_201.zip"
"dap1522_revB_FW_200.zip"
wrgac01_dlob.hans_dir865
"DIR865L_A1_firmware_100b24.zip"
"dir865L_fw_102.bin"
wrgn23_dlwbr_dir300b
"dir300b_v2.06_b9fe.bin"
wrgn28_dlob_dir412
"dir412_FW_109b06CA_beta.zip"
"DIR412A1_FW114WWb02.bin"
wrgn39_dlob.hans_dir645
"DIR645A1_FW102B08_BETA.zip"
"dir645_FW_102.zip"
"dir645_FW_101.zip"
"DIR645A1_FW103RUB08.bin"
"dir645_FW_103.zip"
wrgn39_dlob.hans_dir645_V1
"DIR645A1_FW103RUB08.bin"
"dir645_FW_103.zip"
wrgnd08_dlob_dir815
"dir815_FW_101.zip"
"dir815_FW_102.bin"
According to the "Related reports" section, this vulnerability appears to have been discovered by other teams in other DLink products.
To the best of our knowledge, we could not track down CVEs for the reports in the "Related reports" section.
Related reports:
http://www.s3cur1ty.de/node/707
https://github.com/rapid7/metasploit-framework/pull/1648
https://github.com/m-1-k-3/metasploit-framework/blob/76e8d1415140cd83663d763d122c50a51aa0c93b/data/wordlists/dlink_telnet_backdoor_userpass.txt
About the author/project:
Firmware.RE is part of the Firmware Genome Project.
Firmware.RE is a free online service that:
- unpacks, scans and analyzes almost any firmware package and facilitates the quick detection of vulnerabilities, backdoors and all kinds of embedded malware.
- facilitates firmware mounting, modification, loading and emulation.
- facilitates firmware vulnerability and backdoor discovery.
- helps secure your embedded and internet-of-things devices.