We’ve used the D-Link DGS-1210-48 at work for a while, and found some vulnerabilities by accident. We decommissioned all of them about two years ago, so publishing this is already overdue. Enjoy!
The first two were tested on hardware revision A1 with firmware before V 2.03.001. See ftp://ftp2.dlink.com/PRODUCTS/DGS-1210-48/REVA/DGS-1210-48_RELEASENOTES_2.03.001_EN_WW.PDF
Searching through some PDFs, this also seems to apply to the DGS-3200 and DGS-1500. D-Link clearly does not have a good security history (http://www.cvedetails.com/vendor/899/D-link.html), so I cannot recommend them from a security point of view at all, as it seems they don’t even have a proper testing process.
#1 Information/Config Leak
Just download the device configuration directly from http://IP/config.bin
It took them 11 months to release a new firmware to fix this.
#2 Denial of Service
Just download the configuration via the link from #1 23 times. Not kidding! The switch crashes due to a memory leak and reboots after a while.
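For #1 and #2 the defensive question is simply whether anyone is pulling /config.bin, and whether one source is doing it often enough to trigger the memory-leak reboot. The following is an added example, not code from the original post or from D-Link: it assumes that HTTP requests to the switch’s management interface are visible in a proxy or network-sensor log in combined log format (an assumption; the switch itself does not produce such a log), and runs a leak check and a burst counter over constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format regex; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with src, ts (datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def config_fetches(lines, allowed_sources=frozenset()):
    """Every successful GET of /config.bin is an event. Because the device
    serves the file without authentication, any source outside the
    management allow-list is recorded as a leak of the running config."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].split("?")[0] == "/config.bin" and rec["status"] == 200:
            rec["leak"] = rec["src"] not in allowed_sources
            events.append(rec)
    return events


def dos_bursts(events, threshold=23, window=timedelta(minutes=10)):
    """Per source, count /config.bin fetches inside a sliding time window.
    The default threshold is the 23 downloads the post reports as enough
    to crash and reboot the switch. Returns {src: peak count in window}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["ts"])
    alerts = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


def _constructed_log():
    """Constructed sample traffic (not captured from a real device):
    23 fetches in 23 seconds from one host, plus two unrelated requests."""
    burst = ('10.0.0.5 - - [25/Jul/2012:15:40:%02d +0000] '
             '"GET /config.bin HTTP/1.1" 200 16384 "-" "curl/7.22"')
    lines = [burst % s for s in range(23)]
    lines.append('10.0.0.9 - - [25/Jul/2012:15:40:30 +0000] '
                 '"GET /index.htm HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    lines.append('10.0.0.2 - - [25/Jul/2012:15:41:00 +0000] '
                 '"GET /config.bin HTTP/1.1" 200 16384 "-" "Mozilla/5.0"')
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    # 10.0.0.2 is the (assumed) management host; everything else is a leak.
    events = config_fetches(SAMPLE_LOG, allowed_sources={"10.0.0.2"})
    print("config.bin fetches:", len(events),
          "unauthorised:", sum(e["leak"] for e in events))
    print("sources at the crash threshold:", dos_bursts(events))
```

The sliding window is deliberately generous (ten minutes): the post does not say how fast the 23 downloads have to happen, so the counter flags any source approaching that number rather than guessing a rate.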
#3 Time-based Security Tokens
The “gambit” value you get after logging into the web interface is not random, but time-based.
See for yourself, unix timestamp vs. “gambit”:
This issue is not fixed AFAIR. It’s probably possible to calculate valid gambit tokens without a valid login, but I haven’t put much time into this.
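What a session token should look like, and how an operator can check their own device for the clock-derived pattern described in #3, as an added example that is not part of the original post and not the device’s actual algorithm: the weak generator below models a token as simply the Unix time (an assumption for illustration; the post does not give the formula), the sound generator draws 128 bits from the OS CSPRNG, and the audit function takes (timestamp, token) pairs collected from the auditor’s own logins and reports whether the token moves in lockstep with the clock.

```python
import secrets
import time


def time_based_token(now=None):
    """Weak pattern: the token is a function of the clock alone. Modelled
    here as token == unix time in seconds (assumption for illustration)."""
    return int(time.time() if now is None else now)


def random_token(nbytes=16):
    """Sound pattern: 128 bits from the OS CSPRNG, unrelated to the clock."""
    return secrets.token_hex(nbytes)


def clock_offsets(samples):
    """samples: iterable of (unix_timestamp, token) pairs from the auditor's
    own logins. Hex tokens are parsed as integers. Returns the distinct
    values of token - timestamp; a clock-derived scheme gives one (or very
    few) distinct offsets, a random scheme gives one per login."""
    offsets = set()
    for ts, tok in samples:
        value = int(tok, 16) if isinstance(tok, str) else int(tok)
        offsets.add(value - int(ts))
    return offsets


def looks_time_based(samples, max_distinct=2):
    """Flag the scheme as clock-derived if the token-minus-time offset
    barely varies across logins spread over time."""
    return len(clock_offsets(samples)) <= max_distinct


# Constructed login times (not measurements from a real device).
AUDIT_TIMES = [1343230835, 1343230901, 1343231200, 1343240000]
WEAK_SAMPLES = [(t, time_based_token(t)) for t in AUDIT_TIMES]
SOUND_SAMPLES = [(t, random_token()) for t in AUDIT_TIMES]

if __name__ == "__main__":
    print("time-based scheme flagged:", looks_time_based(WEAK_SAMPLES))
    print("CSPRNG scheme flagged:   ", looks_time_based(SOUND_SAMPLES))
```

The audit deliberately uses only tokens the operator obtained by logging in legitimately; a constant offset across logins hours apart is the signature of a token that carries no entropy beyond the clock, which is the property the fix has to remove.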
#4 Directory Traversal via HTTP
Yes, this is not your usual ../../ traversal, but try this:
<134> Jan 1 00:00:00 2009:SYSTEM-6:Side Fan is in low speed.
<130> Jul 25 15:40:35 2012:SYSTEM-2:System started up
<134> Jul 25 15:40:49 2012:LinkStatus-6:Port 48 link up, 100Mbps FULL duplex
There are some more interesting files.
#5 Directory Traversal via TFTP
Only found in 2015, not sure on which firmware version – no details here, enjoy looking. 😉