D-Link DGS-1210 Vulnerabilities

We’ve used D-Link DGS-1210-48 at work for a while, and found some vulnerabilites by accident. We decommissioned all of them about two years ago, so it’s already overdue to publish this. Enjoy!

The first two are relevant (tested) for hardware revision A1, Firmware before V 2.03.001. See ftp://ftp2.dlink.com/PRODUCTS/DGS-1210-48/REVA/DGS-1210-48_RELEASENOTES_2.03.001_EN_WW.PDF

Searching throught some PDFs, this also seems relevant for DGS-3200 and DGS-1500. D-Link clearly has not a good security history. http://www.cvedetails.com/vendor/899/D-link.html, so I cannot recommand them from a security point of view at all, as it seem they don’t even have a proper testing process.

#1 Information/Config Leak

Just download the device Configuration directly from http://IP/config.bin

It took them 11 months to release a new firmware to fix this.

#2 Denial of Service

Just download the Configuration with the link from #1 for 23 times. Not kidding! It will crash due to a memory leak and reboot after a while.

#3 Time-based Security Tokens

The “gambit” value you get after logging into the webinterface is not random, but time-based.

See for yourself, unix timestamp vs. “gambit”:

1328333368 jdfdkdbdadedbdjdjdjdcdkdadkdbgegngjgogkdlgfgjgogdh
1328333369 jdfdkdbdadedbdjdjdjdddkdadkdbgegngjgogkdlgfgjgogdh
1328333370 jdfdkdbdadedbdjdjdjdedkdadkdbgegngjgogkdlgfgjgogdh

This issue is not fixed AFAIR. It’s probably possible to calculate valid gambit tokens without a valid login, but I haven’t put much time into this.

#4 Directory Traversal via HTTP

Yes, this is not your usual ../../ traversal, but try this:


<134> Jan 1 00:00:00 2009:SYSTEM-6:Side Fan is in low speed.
<130> Jul 25 15:40:35 2012:SYSTEM-2:System started up
<134> Jul 25 15:40:49 2012:LinkStatus-6:Port 48 link up, 100Mbps FULL duplex


There are some more interesing files.

#5 Directory Traversal via TFTP

Only found in 2015, not sure on which firmware version – no details here, enjoy looking. 😉

Posted in english, Security | Tagged , , , , , | Leave a comment

Windows 10 Installation USB-Stick unter Linux erstellen (UEFI/neueres BIOS)

Um unter Linux fĂŒr Windows 10 einen USB-Stick zur Installation erstellen, muss man etwas mehr tun, es gibt keine vorgefertigten Tools. Hier eine Kurzanleitung fĂŒr Moderne PCs mit UEFI:

/dev/sda im Folgenden durch euren USB-Stick ersetzen.

# Partitionierung

# Partitionierung auf dem USB Stick löschen
dd if=/dev/zero of=$DEVICE bs=1M count=1

# Partitionen einrichten
fdisk ${DEVICE}

# Formatierung, mounten des Laufwerks
mkfs.vfat ${DEVICE}1
mkdir /mnt/usb
mount ${DEVICE}1 /mnt/usb

# Kopieren der Daten
mkdir Win10
mount -o loop Win10_1709_German_x64.iso Win10
cp -a Win10/* /mnt/usb

# AushÀngen der Laufwerke
umount /mnt/usb
umount Win10

Nun einfach davon booten. Ins BIOS kommt ihr meist, wenn ihr sofort nach dem Einschalten eures PCs ESC, F1, F2, F8, F11 oder F12 drĂŒckt. Viel Erfolg!

Posted in Linux | Tagged , , , , , | 7 Comments

MACSEC unter Linux

Der Linux Kernel 4.6 unterstĂŒtzt nun MACSEC nativ. Damit ist es möglich, auf Layer2 verschlĂŒsselte Links zu realisieren. Sehr schön! 🙂

PrÀsentationsfolien: http://bit.ly/20ZBkpV

Posted in Info, Linux, Rechenzentrum, Security | Tagged , , | Leave a comment

Review of Open-E DSS v7

Initially, we were looking for a 10GE-iSCSI storage solution that would do synchronous or at least memory-synchronous mirroring of data to a second system and automatic failover. We planned to use the system as storage backend for a few dozens VMs, and wanted the storage to be highly available on a shared IP. Active-Active supported seemed pretty awesome too, and the system should allow seamless failover.

However, some vendors didn’t provide this option, others were too expensive and the project was an open bidding, so we had to be cheap. The only viable options seemed to be building something ourselves or buying Open-E from a distributor that would take care of the hardware part. They were also offering 24/7 support. It sounded pretty good, and our distributor was saying he did a couple of installations with it, so we went for it. The system consisted of:

Continue reading

Posted in english, Linux, Rant, Rechenzentrum, Security | Tagged , , , , , , , , | 6 Comments

Eindeutigkeit von IP-Adressen bei Unitymedia nicht gegeben

Bis vor wenigen Tagen konnte man bei Unitymedia anonym oder mit der Adresse eines anderen Internetteilnehmers im Internet surfen. Sofern man einen Linuxrechner mit dem von Unitymedia bereitgestellen Cisco-Router EPC3212 verbunden hatte (etwa als Firewall), ging das sehr leicht, und wird im Folgenden beschrieben. Linux-Grundkenntnisse werden vorausgesetzt. Da dies nicht mehr funktioniert, sehe ich kein Problem damit, hier eine Anleitung zu veröffentlichen. 🙂

Zuerst guckt man, welche IP und welches Subnetz man im Unitymedia-Netz derzeit nutzt:

Continue reading

Posted in Info, Security | Tagged , , , , | 1 Comment

DELL about SSH key authentication on PowerConnect M6220

PowerConnect M6220 SwitchA coworker asked DELL about SSH public key auth on PowerConnect M6220, because we wanted to automate something. Anyways, it’s pretty common to automate stuff nowadays, right?


Here is DELL’s reply on using a ssh with keys:

Von: xxx@Dell.com [mailto:xxx@Dell.com]
An: xxx
Cc: xxx@Dell.com
Betreff: Dell SR:xxxxxxxxx

Good morning Mr. xxx,

I’m the engineer to whom Mr. xxx has escalated the above mentioned
service request. I’m writing to you today to inform you that unfortunately
public key authentication isn’t supported in way  you’d like to on these
switches with version 5.x firmware. That is, you will either always end up
being asked for a password, in addition / even though you supply correct
private/public key during your ssh session negotiations, or you might end
up inadvertently opening a backdoor for unauthenticated users wishing to
use password authentication only.

Either way, it seems this will take quite some time to fix, so I suggest I
close this service request out now and will keep you informed about any
future developments on this issue.

Kind regards,
xxx, B.Sc. (Hons) in IS/IT

Enterprise Product Engineer, Networking & Linux & Security
Dell | Enterprise Support Services
Office Number (+353 1 xxx xxxx)
M-F (8:00 – 16:30 IST)
Certification: CCNP, RHCE & JNCIP-SEC
How am I doing? Email my manager xxx, xxx
<mailto:xxx@DELL.com>  with any feedback.


Uhm… what? Oo


Posted in english, fun, Rechenzentrum, Uncategorized | Tagged , , , , , , | 2 Comments

Why Oracle (and Java) sucks

We were investigating random crashes of a webapp, and it turned out to be a JAVA CORBA bug, so we  reported it to Oracle. Today, I got the following reply in my mail:

I own your service request *-*********** about a Java Corba problem.
Please understand that Java is a free product. Hence support (and bugfixes) can only be provided for Java SE contract customers.

Unfortunately, the Customer Support Identifier CSI#******** you entered does not entitle you to Oracle Java SE support. To submit a Service Request (SR) for Java SE when running your own or third party Java applications, a Java SE Support contract is required.

The bug you are referring is in state accepted indeed. There are no plans right now to fix it. Of course, if a contract customer requests a fix, then it will be fixed. Otherwise it might take quite some time until a fix becomes available.


Oracle Java Support starts at $10,000. Thank you very much, so leave the bug open and let other customers stumble upon it. Just yesterday I heard that armed US drones are using CORBA for communication, too… oh my.

Our approach might be using Nagios Eventhandlers to restart crashed application servers, as we got more than N+1 of those. Oracle’s mentality pisses me off…

Posted in english, Rant, Rechenzentrum, Uncategorized, web | Tagged , , , , , , , , , , | 7 Comments

Hidden Services

Nicht jede Software unterstĂŒtzt das URL-Schema von Tor hidden services; in dem Falle kann man als hack einfach socat benutzen, hier im Beispiel wird ein IRC hidden service mit  irssi genutzt:


socat TCP4-LISTEN:4223,fork SOCKS4A:localhost:XYZ.onion:6667,socksport=9050

Dadurch wird der Port lokal gebunden und ĂŒber den lokalen Tor Socks Port auf den Hidden Service umgeleitet. In irssi tippt kann man nun einfach:

/connect localhost 4223

Ich finde das einen schönen generischen Hack, den ich euch nicht vorenthalten wollte. 🙂

Posted in Linux | Tagged , , , , | Leave a comment

Defending against & having fun with WebLOIC

Lately, one of the websites under my protection was being DDoSed by a well-known trouble-making party whose name shall not be released and stay anonymous. Another party that is monitoring the web for threats against our websites notified me that a DDoS was currently being  started. It seemed that the attackers were spamming a link to an automatically starting WebLOIC via mail and tricked others with a variation of methods to open the URL so that they would automatically participate in the DDoS.

Let’s move to the technical side: it was a pretty small DDoS, with about 50MBit/s – we probably wouldn’t have noticed as it just looked like a normal traffic spike and did not endanger the availability of the website at all. We’ve handled much larger legitimate traffic spikes for that site already.

A quick investigation showed that WebLOIC was being used and was ‘hosted’ on a nopaste service. Requests looked like this:

GET /?id=1300380622178&msg=We%20Are%20Legion! HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://xxxxxxxxx.html

Quickly checking out the referer gave me the sourcecode; the id consists of a timestamp and the request id. The ‘msg’ is a user-changable text, but ‘id’ is javascript-generated.

How to block it?
– Use a regular expression for the query string (very easy)
– Block users with a referer from that nopaste service (very easy, too)
– Block users that do more than X connections within a minute (easy if you have a decent firewall), side-effects might cause large NAT gateways from mobile providers to be blocked, but that’s better than being completely offline, right?

Where to block:
– block as early as possible: in your DPI firewall, web application firewall or loadbalancer
– *not* in every single webserver

Having Fun:
As the WebLOIC runs in the attacker’s browser, there are lots of possibilites:
– redirect attackers to a site known to be monitored by the FBI (explosives, terrorism etc.)
– CSRF, make them post something on a service like facebook or twitter (#iDDoS-site.tdl) and search for their posts. Kindly ask them to stop.
– redirect the attackers to do lots of google searches – they will quickly be blocked by google services
– send a gzip-encoded stream that consumes lots of cpu time and memory on their side, this might even crash the browser
– ‘reflect’ the DDoS to somewhere else (sending 301/302 redirects is pretty low-bandwidth for you)

So in total, WebLOIC was a good idea, but right now rather inefficient and its usage might have unwanted sideeffects… 😉

Posted in english, fun, Rechenzentrum, Security | Tagged , , | Leave a comment

Firefox kopiert Protokoll aus der Adressleiste mit

Das ganze ist wirklich nervig, wenn man öfter mal nur die Domain ohne fĂŒhrendes http:// und abschließenden Slash kopieren möchte. Ändern kann man es wie folgt:

Posted in Info | 1 Comment