Tag Archives: security

D-Link DGS-1210 Vulnerabilities

We’ve used D-Link DGS-1210-48 at work for a while, and found some vulnerabilites by accident. We decommissioned all of them about two years ago, so it’s already overdue to publish this. Enjoy!

The first two are relevant (tested) for hardware revision A1, Firmware before V 2.03.001. See ftp://ftp2.dlink.com/PRODUCTS/DGS-1210-48/REVA/DGS-1210-48_RELEASENOTES_2.03.001_EN_WW.PDF

Searching throught some PDFs, this also seems relevant for DGS-3200 and DGS-1500. D-Link clearly has not a good security history. http://www.cvedetails.com/vendor/899/D-link.html, so I cannot recommand them from a security point of view at all, as it seem they don’t even have a proper testing process.

#1 Information/Config Leak

Just download the device Configuration directly from http://IP/config.bin

It took them 11 months to release a new firmware to fix this.

#2 Denial of Service

Just download the configuration (/config.bin) 23 times. It will crash due to a memory leak and reboot after a while.

#3 Time-based Security Tokens

The “gambit” value you get after logging into the web interface is not random, but time-based.

See for yourself, unix timestamp vs. “gambit”:

1328333368 jdfdkdbdadedbdjdjdjdcdkdadkdbgegngjgogkdlgfgjgogdh
1328333369 jdfdkdbdadedbdjdjdjdddkdadkdbgegngjgogkdlgfgjgogdh
1328333370 jdfdkdbdadedbdjdjdjdedkdadkdbgegngjgogkdlgfgjgogdh

This issue is not fixed AFAIR. It’s probably possible to calculate valid gambit tokens without a valid login, but I haven’t put much time into this.

#4 Directory Traversal via HTTP

This is not your usual ../../ traversal, but try this:

curl http://10.90.90.90/flash:iss.log

<134> Jan 1 00:00:00 2009:SYSTEM-6:Side Fan is in low speed.
<130> Jul 25 15:40:35 2012:SYSTEM-2:System started up
<134> Jul 25 15:40:49 2012:LinkStatus-6:Port 48 link up, 100Mbps FULL duplex

[…]

There are some more interesting files available. 😉

#5 Directory Traversal via TFTP

Found in 2015, not sure on which firmware version – no details here, enjoy looking. 😉

Gentoo Linux Security Weekend

Last weekend, Gentoo Linux developers a3li and keytoaster came around and with help from p-y and underling via IRC, we killed the huge backlog of open CVEs in our tracker, voted on about 100 security bugs, drafted several dozens of GLSAs and were hunting bugs on GLSAMaker2. We also had good company from (non-security) developer idl0r on saturday. 🙂

During the week, we polished up some GLSAs and since sunday, we send these (a lot more to come!):

OpenSSL: Multiple vulnerabilities
Wireshark: Multiple vulnerabilities
Bugzilla: Multiple vulnerabilities
Dovecot: Multiple vulnerabilities
GnuTLS: Multiple vulnerabilities
PHP: Multiple vulnerabilities
vsftpd: Denial of Service
feh: Multiple vulnerabilities
Conky: Privilege escalation
Wget: User-assisted file creation or overwrite
Adobe Flash Player: Multiple vulnerabilities

Thanks for helping out, everyone!

Here are some impressions: