{"id":7570,"date":"2021-01-08T21:03:17","date_gmt":"2021-01-09T04:03:17","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7570"},"modified":"2023-04-05T12:41:27","modified_gmt":"2023-04-05T19:41:27","slug":"securin-disclosed-4-hardcoded-credentials-on-d-link-products","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/securin-disclosed-4-hardcoded-credentials-on-d-link-products\/","title":{"rendered":"Securin (previously CSW) Disclosed 4 Hardcoded Credentials on D-Link Products"},"content":{"rendered":"

Asset and lifecycle management are complex initiatives that organizations should keep pace with as products reach the end of life (EOL) or end of support (EOS) and become obsolete. This obsolescence gives rise to security vulnerabilities that could be exploited by threat actors.\u00a0<\/span><\/span><\/p>\n

\n

Cyber Security Works discovered four such vulnerabilities in D-Link Models – CVE-2020-29321,\u00a0CVE-2020-29322,\u00a0CVE-2020-29323, and\u00a0CVE-2020-29324\u00a0on August 17,2020.<\/span><\/span><\/p>\n<\/blockquote>\n

Detection<\/span><\/strong><\/span><\/h2>\n

Cyber Security researchers have reported telnet hardcoded credentials in four firmware in D-Link models listed below:<\/span><\/span><\/p>\n

    \n
  1. \n

    D-Link Router DIR-868L-Telnet<\/span><\/span><\/p>\n<\/li>\n

  2. \n

    D-Link Router DIR-880L-Telnet<\/span><\/span><\/p>\n<\/li>\n

  3. \n

    D-Link Router DIR-885L-MFC<\/span><\/span><\/p>\n<\/li>\n

  4. \n

    D-Link Router DIR-895L MFC<\/span><\/span><\/p>\n<\/li>\n<\/ol>\n

    Disclosure\u00a0<\/span><\/span><\/strong><\/h2>\n

    The vulnerability was reported to the vendor on 08\/18\/2020. The CSW team reported unauthenticated credential disclosure through decompilation of firmware in the following devices –<\/span><\/span><\/p>\n

      \n
    1. \n

      DIR-868L Rev. C1 – FW v3.01\u00a0<\/span><\/span><\/p>\n<\/li>\n

    2. \n

      DIR-880L Rev. Ax – FW v1.07\u00a0<\/span><\/span><\/p>\n<\/li>\n

    3. \n

      DIR-885L Rev. Ax – FW v1.15b02\u00a0<\/span><\/span><\/p>\n<\/li>\n

    4. \n

      DIR-895L Rev. Ax – FW v1.21b05\u00a0<\/span><\/span><\/p>\n<\/li>\n<\/ol>\n

      Timeline<\/span><\/strong><\/h2>\n\n\n\n\n\n\n\n\n\n
      Date\u00a0<\/strong><\/span><\/span><\/td>\n\u00a0Description<\/strong><\/span><\/span><\/td>\n<\/tr>\n
      August 17,2020<\/span><\/span><\/td>\nDiscovered in our research lab<\/span><\/span><\/td>\n<\/tr>\n
      August 18,2020<\/span><\/span><\/td>\nVulnerability reported to Vendor who acknowledged the same<\/span><\/span><\/td>\n<\/tr>\n
      August 20, 2020<\/span><\/span><\/td>\nVendor responded saying “elevated to D-Link Corporation<\/span><\/span><\/td>\n<\/tr>\n
      Sep 4, 2020<\/span><\/span><\/td>\nFollow up<\/span><\/span><\/td>\n<\/tr>\n
      Sep 7, 2020<\/span><\/span><\/td>\nVendor responded saying need more time to review and response from R&D\u00a0\u00a0<\/span><\/span><\/td>\n<\/tr>\n
      Sep 10, 2020<\/span><\/span><\/td>\nVendor responded with a support announcement <\/span><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      <\/p>\n

      Incident Analysis<\/span><\/strong><\/span><\/h2>\n

      Multiple vulnerabilities have been discovered in D-Link models, the most severe of which could allow arbitrary code execution.\u00a0<\/span><\/span>The status of the devices reported are End of Support (“EOS”), also known as End of Life (“EOL”). As a general policy, when a product reaches EOS\/EOL, it can no longer be supported, and all firmware development for the product ceases. Products\u00a0purchased in the US that have reached EOS\/EOL are moved to the Legacy Products site (legacy.us.dlink.com) which is the final archive as of the EOS\/EOL date.<\/span><\/span><\/p>\n\n\n\n\n\n\n\n\n\n\n\n
      Model<\/strong><\/span><\/span><\/td>\nRegion<\/strong><\/span><\/span><\/td>\nHardware Revision<\/strong><\/span><\/span><\/td>\nLast Sales Date<\/strong><\/span><\/span><\/td>\nEnd of Support<\/strong><\/span><\/span><\/td>\n<\/tr>\n
      DIR-868L<\/span><\/span><\/td>\nGlobally<\/span><\/span><\/td>\nA1\/A2\/B1\/C1<\/span><\/span><\/td>\nn\/a<\/span><\/span><\/td>\n06\/30\/20<\/span><\/span><\/td>\n<\/tr>\n
      DIR-868L<\/span><\/span><\/td>\nOnly USA<\/span><\/span><\/td>\nA1<\/span><\/span><\/td>\n10\/31\/18<\/span><\/span><\/td>\n08\/07\/20<\/span><\/span><\/td>\n<\/tr>\n
      DIR-880L<\/span><\/span><\/td>\nGlobally<\/span><\/span><\/td>\nA1\/A2<\/span><\/span><\/td>\nn\/a<\/span><\/span><\/td>\n01\/10\/19<\/span><\/span><\/td>\n<\/tr>\n
      DIR-880L<\/span><\/span><\/td>\nOnly USA<\/span><\/span><\/td>\nA1\/A2<\/span><\/span><\/td>\n02\/12\/19<\/span><\/span><\/td>\n08\/07\/20<\/span><\/span><\/td>\n<\/tr>\n
      DIR-885L\/R<\/span><\/span><\/td>\nGlobally<\/span><\/span><\/td>\nA1\/A2\/A3<\/span><\/span><\/td>\nn\/a<\/span><\/span><\/td>\n01\/10\/19<\/span><\/span><\/td>\n<\/tr>\n
      DIR-885L\/R<\/span><\/span><\/td>\nOnly USA<\/span><\/span><\/td>\nA1<\/span><\/span><\/td>\n02\/12\/19<\/span><\/span><\/td>\n08\/07\/20<\/span><\/span><\/td>\n<\/tr>\n
      DIR-885L\/R<\/span><\/span><\/td>\nGlobally<\/span><\/span><\/td>\nA1\/A2\/A3<\/span><\/span><\/td>\nn\/a<\/span><\/span><\/td>\n01\/10\/19<\/span><\/span><\/td>\n<\/tr>\n
      DIR-885L\/R<\/span><\/span><\/td>\nOnly USA<\/span><\/span><\/td>\nA1<\/span><\/span><\/td>\n12\/08\/16<\/span><\/span><\/td>\n08\/07\/20<\/span><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      Vulnerability Analysis<\/span><\/span><\/strong><\/h2>\n

      The telnet hardcoded default credentials are the vulnerable elements in the firmware of DIR-868L, DIR-880L, DIR-885L\/R, and DIR-895L\/R.<\/span><\/p>\n

      Proof of Concept<\/span><\/strong><\/span><\/h2>\n

      Vulnerability Name:<\/strong> Telnet Hardcoded credentials<\/span><\/span><\/p>\n

      Severity:<\/strong> High<\/span><\/span><\/p>\n

      Steps to Reproduce<\/span><\/strong><\/span><\/h2>\n

      Step 1:<\/strong> Extract the firmware<\/span><\/span><\/p>\n

      Step 2:<\/strong> Run the command cat etc\/init0.d\/S80telnetd.sh to get the username and the location of the variable used for storing the password.
      \nStep 3:<\/strong> Run the command cat etc\/config\/image_sign to get the password<\/span><\/span><\/p>\n

      <\/p>\n

      Figure 1: Clear text showing username<\/span><\/strong><\/span><\/p>\n

      <\/span><\/span><\/p>\n

      Figure 2: The password is printed in the terminal<\/span><\/strong><\/span><\/p>\n

      Exploited D-Link firmware with hardcoded default credentials<\/span><\/strong><\/span><\/h2>\n\n\n\n\n\n\n\n
      Affected Firmware<\/b><\/span><\/span><\/strong><\/td>\nAssociated URL<\/b><\/span><\/span><\/strong><\/td>\nUsername<\/b><\/span><\/span><\/strong><\/td>\nPassword<\/b><\/span><\/span><\/strong><\/td>\n<\/tr>\n
      DIR-868L C1 FW v3.01<\/span><\/span><\/td>\nhttps:\/\/tsd.dlink.com.tw\/downloads-2008detailgo.asp<\/a><\/span><\/span><\/td>\nAlphanetworks<\/span><\/span><\/td>\nwrgac35_dlink.2013gui_dir868lc<\/span><\/span><\/td>\n<\/tr>\n
      DIR-880L B08 v1.07<\/span><\/span><\/td>\nhttp:\/\/legacyfiles.us.dlink.com\/DIR-880L\/REVA\/FIRMWARE\/<\/a><\/span><\/span><\/td>\nAlphanetworks<\/span><\/span><\/td>\nwrgac16_dlink.2013gui_dir880<\/span><\/span><\/td>\n<\/tr>\n
      DIR885LA1_FW115b02<\/span><\/span><\/td>\nhttps:\/\/tsd.dlink.com.tw\/downloads-2008detail.asp<\/a><\/span><\/span><\/td>\nAlphanetworks<\/span><\/span><\/td>\nwrgac42_dlink.2015_dir885l<\/span><\/span><\/td>\n<\/tr>\n
      DIR895LA1_FW121b05_middle.
      \nmagic.v1.15<\/span><\/span><\/td>\n      		https:\/\/tsd.dlink.com.tw\/downloads-2008detailgo.asp<\/a><\/span><\/span><\/td>\nAlphanetworks<\/span><\/span><\/td>\n\n

      wrgac40_dlink.2015_dir895l<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      Impact<\/span><\/strong><\/span><\/h2>\n

      The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data.<\/span><\/p>\n

      Recommendations<\/span><\/strong><\/span><\/h2>\n

      CSW reported the identified telnet hardcoded credentials in four firmware, which was acknowledged by the D-Link team. They provided a support announcement in response to the recommendations provided by our team for these D-Link products.<\/span><\/span><\/p>\n

      Announcement from D-Link<\/a><\/span><\/span><\/p>\n

      Reference<\/span><\/strong><\/span><\/h2>\n

      Zero Days<\/strong><\/span><\/span><\/h3>\n