J-Security Center

Title: D-Link DSL Router Remote Authentication Bypass Vulnerability

Severity: HIGH

Description:

Various D-Link DSL routers are susceptible to a remote authentication bypass vulnerability. This issue is due to a failure of the devices to require authentication in certain circumstances.

This issue presents itself when remote attackers attempt to access the '/cgi-bin/firmwarecfg' CGI application.

Reportedly, this CGI application stores a list of IP addresses in '/var/tmp/fw_ip'. Clients whose IP addresses appear in this list are given complete access to the affected CGI application without having to authenticate. The devices are reportedly shipped without this file in place, and it is automatically populated with the IP address of the first Web client that accesses the CGI application.

This results in an attacker being able to download the 'config.xml' file without being subjected to normal authentication requirements. The configuration file contains the complete device configuration, including the usernames and passwords of valid users.

This vulnerability allows remote attackers to gain complete administrative access to affected devices.
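
The following log-review script is an added example, not part of the original advisory or of any vendor tooling. It replays a web access log for the device's management interface and reports which client would have been the first to reach '/cgi-bin/firmwarecfg' (and therefore written to '/var/tmp/fw_ip'), plus every request to that CGI from outside the management network. The Common Log Format input, the management subnet, the reason labels and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re

CGI_PATH = "/cgi-bin/firmwarecfg"                      # path named in the advisory
MGMT_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # assumption: admin LAN
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines in Common Log Format, not from a real device.
SAMPLE_LOG = """\
192.168.1.10 - - [12/Jan/2005:09:00:01 +0000] "GET /index.html HTTP/1.0" 200 512
203.0.113.7 - - [12/Jan/2005:09:02:14 +0000] "GET /cgi-bin/firmwarecfg HTTP/1.0" 200 120
192.168.1.10 - - [12/Jan/2005:09:05:40 +0000] "GET /cgi-bin/firmwarecfg HTTP/1.0" 401 0
203.0.113.7 - - [12/Jan/2005:09:06:02 +0000] "GET /cgi-bin/firmwarecfg HTTP/1.0" 200 20480
198.51.100.23 - - [12/Jan/2005:09:07:30 +0000] "GET /cgi-bin/firmwarecfg HTTP/1.0" 401 0
"""


def is_mgmt(ip):
    """True if ip parses and falls inside a management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def review_firmwarecfg_access(log_text):
    """Return (first_client, findings) for requests to the firmwarecfg CGI."""
    first_client, findings = None, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4).split("?", 1)[0] != CGI_PATH:
            continue
        ip, when, method, _url, status = m.groups()
        if first_client is None:
            first_client = ip              # per the advisory, this IP seeds fw_ip
            reason = "seeds-allowlist"
        elif ip == first_client:
            reason = "allowlisted-no-auth"
        else:
            reason = "not-allowlisted"
        if not is_mgmt(ip):                # report only non-management sources
            findings.append((when, ip, method, status, reason))
    return first_client, findings


if __name__ == "__main__":
    first, hits = review_firmwarecfg_access(SAMPLE_LOG)
    print("first client:", first, *hits, sep="\n")
```

A first client outside the management network means the allow list was seeded by an untrusted host, and the device's stored credentials should be treated as exposed.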

Various D-Link devices with the following firmware revisions are affected by this issue:
- V1.00B01T16.EN.20040211
- V1.00B01T16.EU.20040217
- V0.00B01T04.UK.20040220
- V1.00B01T16.EN.20040226
- V1.00B02T02.EU.20040610
- V1.00B02T02.UK.20040618
- V1.00B02T02.EU.20040729
- V1.00B02T02.DE.20040813
- V1.00B02T02.RU.20041014

Due to the common practice of code reuse, other devices are also likely affected by this issue.

Affected Products:

  • D-Link DSL-502T 0.0.0
  • D-Link DSL-504T 0.0.0
  • D-Link DSL-562T 0.0.0
  • D-Link DSL-G604T
  • ECI Telecom B-FOCuS Combo 322+ 0.0.0
  • ECI Telecom B-FOCuS MultiPort 342+ 0.0.0
  • ECI Telecom B-FOCuS Router 312+ 0.0.0
  • Punto ADSL Aethra Starbridge E-U 0.0.0
