
DSL-504T.txt

14 Aug 2005 00:00:00 | Reported by Alessandro Audero | Type: packetstorm | Source: packetstormsecurity.com

The D-Link DSL-504T router has a security vulnerability allowing remote firmware upgrade and config retrieval without password

Code
`Device: CUSTOMER=DLinkEU MODEL=DSL-504T  
Version: only tested with VERSION=V1.00B01T16.EU.20040217  
Bugs: i) remote firmware upgrade without password  
ii) config retrieval without password  
Exploitation: remote  
Date: 26/05/2005  
Status: vendor not contacted  
Workaround: disable remote web management  
Author: Alessandro Audero  
  
The Bug  
  
DSL-504T is a D-Link router/ADSL modem running a Linux system based  
on MIPS 4KEc V4.8. This is the uname that I found on the device I  
tested:  
  
Linux version 2.4.17_mvl21-malta-mips_fp_le  
([email protected]) (gcc version 2.95.3 20010315  
(release/MontaVista)) #71 Tue Feb 17 01:16:45 GMT 2004  
  
It supports a remote web management console that at first sight asks for  
a username and a password. The URL should be something like this:  
  
http://ipaddress/  
  
and if you click on 'login' you'll get this other URL:  
  
http://ipaddress/cgi-bin/webcm  
  
that obviously tells you that you have typed in a wrong password.  
But if you look at the root cgi-bin dir, that is  
  
http://ipaddress/cgi-bin/  
  
you'll get a list of two files: one is webcm, the other is firmwarecfg.  
If you click on the latter, you are taken to a page where you are  
allowed to upgrade the router firmware, restart the router, download the  
current configuration or restore a previously saved configuration.  
  
Downloading the router configuration exposes more than settings. In fact,  
the management username and password are saved in clear text inside the XML  
file:  
  
<security>  
<settings>  
<username>XXXXXXXXX</username>  
<password>XXXXXXXXX</password>  
...  
</settings>  
</security>  
  
With this auth info you can log in to the system using telnet and get  
a complete shell on that router.  
  
Another issue can be found in a second username/password section,  
the one holding the ADSL connection settings:  
  
<username>XXXXXXXXXX</username>  
<password>XXXXXXXXXX</password>  
  
This can lead to email/web account security problems if the user also uses  
these credentials for other accounts (email, for example), which is quite  
possible when the internet provider also provides email or web space.  
  
That's all, folks.  
  
Alessandro Audero  
  
Misc:  
It is possible that this kind of bug is also present in other  
routers that implement busybox and are configurable via http or  
thttp.  
  
  
  
`
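An added example (not part of the original advisory or of any D-Link tooling): a Python audit of a configuration export that lists where cleartext username/password pairs sit and whether the management and ADSL passwords are identical, which is the reuse risk the advisory describes. The `<config>` root, the `<wan><connection>` wrapper and all values are assumptions constructed for illustration; only the `<security><settings>` layout comes from the advisory.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample shaped like the snippets in the advisory. The <config>
# root and the <wan><connection> wrapper are assumptions; values are made up.
SAMPLE_CONFIG = """<config>
  <security>
    <settings>
      <username>admin</username>
      <password>Tr0ub4dor</password>
    </settings>
  </security>
  <wan>
    <connection>
      <username>user@isp.example</username>
      <password>Tr0ub4dor</password>
    </connection>
  </wan>
</config>"""


def find_credentials(xml_text):
    """Return [(path, username, password)] for each element holding both tags."""
    found = []

    def walk(node, path):
        user = node.findtext("username")  # direct children only
        pw = (node.findtext("password") or "").strip()
        if user is not None and pw:  # skip empty password fields
            found.append((path, user.strip(), pw))
        for child in node:
            walk(child, f"{path}/{child.tag}")

    root = ET.fromstring(xml_text)
    walk(root, f"/{root.tag}")
    return found


def audit(xml_text):
    """Report cleartext credential locations and passwords shared between them."""
    by_password = defaultdict(list)
    creds = find_credentials(xml_text)
    for path, _user, pw in creds:
        by_password[pw].append(path)
    return {
        # Values are redacted so the report can be shared safely.
        "cleartext": [(p, u, "<redacted>") for p, u, _pw in creds],
        "reused": sorted(v for v in by_password.values() if len(v) > 1),
    }
```

Any path listed under `reused` means that rotating the router password alone is not enough once the configuration has been exposed; every account sharing that password needs a new one.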
