Tag Archives: DGS-1210-48

D-Link DGS-1210 Vulnerabilities

We’ve used D-Link DGS-1210-48 at work for a while, and found some vulnerabilities by accident. We decommissioned all of them about two years ago, so it’s already overdue to publish this. Enjoy!

The first two are relevant (tested) for hardware revision A1, Firmware before V 2.03.001. See ftp://ftp2.dlink.com/PRODUCTS/DGS-1210-48/REVA/DGS-1210-48_RELEASENOTES_2.03.001_EN_WW.PDF

Searching through some PDFs, this also seems relevant for DGS-3200 and DGS-1500. D-Link clearly does not have a good security history (http://www.cvedetails.com/vendor/899/D-link.html), so I cannot recommend them from a security point of view at all, as it seems they don’t even have a proper testing process.

#1 Information/Config Leak

Just download the device configuration directly from http://IP/config.bin

It took them 11 months to release a new firmware to fix this.

#2 Denial of Service

Just download the configuration (/config.bin) 23 times. It will crash due to a memory leak and reboot after a while.

#3 Time-based Security Tokens

The “gambit” value you get after logging into the web interface is not random, but time-based.

See for yourself, unix timestamp vs. “gambit”:

1328333368 jdfdkdbdadedbdjdjdjdcdkdadkdbgegngjgogkdlgfgjgogdh
1328333369 jdfdkdbdadedbdjdjdjdddkdadkdbgegngjgogkdlgfgjgogdh
1328333370 jdfdkdbdadedbdjdjdjdedkdadkdbgegngjgogkdlgfgjgogdh

This issue is not fixed AFAIR. It’s probably possible to calculate valid gambit tokens without a valid login, but I haven’t put much time into this.
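An added example, not code from the original post: a small Python audit that compares the three samples above position by position and contrasts them with tokens of the same length drawn from the OS CSPRNG. The function names and the 10% threshold are assumptions made for this illustration.

```python
import secrets

# Samples copied from the post: (unix timestamp, "gambit" issued in that second).
SAMPLES = [
    (1328333368, "jdfdkdbdadedbdjdjdjdcdkdadkdbgegngjgogkdlgfgjgogdh"),
    (1328333369, "jdfdkdbdadedbdjdjdjdddkdadkdbgegngjgogkdlgfgjgogdh"),
    (1328333370, "jdfdkdbdadedbdjdjdjdedkdadkdbgegngjgogkdlgfgjgogdh"),
]

def pair_diffs(samples):
    """For consecutive samples, return (seconds elapsed, {position: code-point step})."""
    ordered = sorted(samples)
    out = []
    for (t0, a), (t1, b) in zip(ordered, ordered[1:]):
        if len(a) != len(b):
            raise ValueError("tokens differ in length")
        steps = {i: ord(y) - ord(x) for i, (x, y) in enumerate(zip(a, b)) if x != y}
        out.append((t1 - t0, steps))
    return out

def audit(samples, max_changed=0.10):
    """Flag tokens that barely change between logins (threshold is an assumption)."""
    diffs = pair_diffs(samples)
    length = len(samples[0][1])
    # Every position that changed in at least one consecutive pair.
    positions = set().union(*(steps.keys() for _, steps in diffs))
    changed = len(positions) / length
    # True when the only change per pair is one character moving by the elapsed seconds.
    clock_like = all(list(steps.values()) == [dt] for dt, steps in diffs)
    return {
        "varying_positions": sorted(positions),
        "changed_fraction": changed,
        "steps_equal_elapsed_seconds": clock_like,
        "predictable": changed <= max_changed,
    }

def random_samples(n=3, start=1328333368):
    """Constructed comparison: same token length, but drawn from the OS CSPRNG."""
    return [(start + i, secrets.token_hex(25)) for i in range(n)]

if __name__ == "__main__":
    print("gambit:", audit(SAMPLES))
    print("csprng:", audit(random_samples()))
```

For the samples from the post, a single character out of 50 changes, and it advances by exactly the number of seconds elapsed; tokens from a CSPRNG differ in almost every position.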

#4 Directory Traversal via HTTP

This is not your usual ../../ traversal, but try this:

curl http://10.90.90.90/flash:iss.log

<134> Jan 1 00:00:00 2009:SYSTEM-6:Side Fan is in low speed.
<130> Jul 25 15:40:35 2012:SYSTEM-2:System started up
<134> Jul 25 15:40:49 2012:LinkStatus-6:Port 48 link up, 100Mbps FULL duplex

[…]

There are some more interesting files available. 😉

#5 Directory Traversal via TFTP

Found in 2015, not sure on which firmware version – no details here, enjoy looking. 😉

Packet loss with D-Link DGS-1210-48

While testing two brand-new D-Link DGS-1210-48 switches, we noticed that packet loss occurs on the device. The larger the packets, the higher the loss, up to 7%. That is of course not acceptable. After some thought I had an idea what was causing it:


Indeed, changing the setting then fixed the problem. Apparently there is a problem here with the switch turning down its transmit power on short cables (as is common in the access layer of a data center). A pity, really, because the power-saving features are exactly what makes the switch interesting. Apart from that, the devices have made quite a solid impression so far. 🙂

EDIT 21.08.2016: I have now replaced all the DGS units with something more solid. Over 3 years the DGS had a failure rate of ~75%! Sample size: 20 switches.