We’ve used D-Link DGS-1210-48 at work for a while, and found some vulnerabilites by accident. We decommissioned all of them about two years ago, so it’s already overdue to publish this. Enjoy!

The first two are relevant (tested) for hardware revision A1, Firmware before V 2.03.001. See ftp://ftp2.dlink.com/PRODUCTS/DGS-1210-48/REVA/DGS-1210-48_RELEASENOTES_2.03.001_EN_WW.PDF

Searching throught some PDFs, this also seems relevant for DGS-3200 and DGS-1500. D-Link clearly has not a good security history. http://www.cvedetails.com/vendor/899/D-link.html, so I cannot recommand them from a security point of view at all, as it seem they don’t even have a proper testing process.

#1 Information/Config Leak

Just download the device Configuration directly from http://IP/config.bin

It took them 11 months to release a new firmware to fix this.

#2 Denial of Service

Just download the Configuration with the link from #1 for 23 times. Not kidding! It will crash due to a memory leak and reboot after a while.

#3 Time-based Security Tokens

The “gambit” value you get after logging into the webinterface is not random, but time-based.

See for yourself, unix timestamp vs. “gambit”:

1328333368 jdfdkdbdadedbdjdjdjdcdkdadkdbgegngjgogkdlgfgjgogdh
1328333369 jdfdkdbdadedbdjdjdjdddkdadkdbgegngjgogkdlgfgjgogdh
1328333370 jdfdkdbdadedbdjdjdjdedkdadkdbgegngjgogkdlgfgjgogdh

This issue is not fixed AFAIR. It’s probably possible to calculate valid gambit tokens without a valid login, but I haven’t put much time into this.

#4 Directory Traversal via HTTP

Yes, this is not your usual ../../ traversal, but try this:

curl http://10.90.90.90/flash:iss.log

<134> Jan 1 00:00:00 2009:SYSTEM-6:Side Fan is in low speed.
<130> Jul 25 15:40:35 2012:SYSTEM-2:System started up
<134> Jul 25 15:40:49 2012:LinkStatus-6:Port 48 link up, 100Mbps FULL duplex

[…]

There are some more interesing files.

#5 Directory Traversal via TFTP

Only found in 2015, not sure on which firmware version – no details here, enjoy looking. 😉