The following advisory describes two (2) vulnerabilities found in D-Link DSL-6850U versions BZ_1.00.01 – BZ_1.00.09.
D-Link DSL-6850U is a router “manufactured by D-Link for Bezeq in Israel” The vulnerabilities found are:
Remote Command Execution
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Bezeq was informed of the vulnerability on June 9, and released patches to address these vulnerabilities.
The device has a custom firmware with the following issues:
The default account username is:
The password is:
The shell interface allows only a set of commands however you can “bind” them using ‘&&’ ‘||’
Sending the command to the shell:
echo && /bin/bash
Will result in a BusyBox shell