

In a previous post we shared our considerations on the impact of vulnerabilities in Internet connected devices that are EoL. We used the vulnerabilities that we identified in the D-Link DSL-2640B DSL gateway as a use case to support our considerations. In this post we describe the technical details of these vulnerabilities.


Before we dive into the technical details, it's important to note that:

  • all vulnerabilities are (at least) applicable to the D-Link DSL-2640B (HW revision B2, Firmware version: EU_4.01B)
  • all vulnerabilities apply to the latest available firmware (as of 27/03/2020)
  • all vulnerabilities have been reported to D-Link
  • we are not aware of any security fix released by D-Link
  • as the device is EoL, following D-Link's policy, no fix may ever be available

The vulnerabilities described in this post may apply to other hardware revisions, other firmware versions and even completely different models. We did not investigate this further and D-Link did not provide any additional insights.

The following vulnerabilities are described in this post:


We hope we provided sufficient technical details of the identified vulnerabilities. Additional information (e.g. video demonstrations) may be provided in the future.

We hope you enjoy the technical remainder of this post! :)

CVE-2020-9275 – D-Link DSL-2640B - Remote credentials exfiltration

This vulnerability allows retrieval of the administrative password by sending a specific UDP packet to port 65002 of the device.

An attacker connected to the WiFi or the local LAN, or who is able to reach the internal device interface in any other way, can retrieve the device password with a single UDP request.

Most functionality of the device, including the administration panel and the web server, is implemented in a single process named cfm, which is executed at startup. The cfm process listens on UDP port 65002, likely to support device configuration from a dedicated application. The screenshot below shows the function implementing the communication protocol. The function name, pcApplication, is taken directly from the binary's symbols.

Communication is done using D-Link's proprietary protocol, for which no information is publicly available. Reversing the cfm binary yields the following structure for the protocol packet.

Several commands are supported and are selected by specifying the command code in the 2-byte cmd field. Communication is in plaintext and without authentication. For some commands, the code only checks that the provided MAC address matches the device MAC address.

The command \x00\x01 allows retrieving system information from the device, including the device administrative password which is returned in plaintext. For example:

The MAC address check mentioned earlier is not performed for the \x00\x01 command. Any additional bytes are completely ignored, which allowed us to identify the vulnerability in a very trivial manner.

In fact, we found this vulnerability using a rather dumb fuzzing campaign. To start, we simply piped /dev/urandom into UDP port 65002. Obviously, we did not think this approach would yield vulnerabilities in any way, especially because no traffic monitoring, no payload selection and no target debugging were in place. However, surprisingly, the device kindly returned the administrative password within a few minutes…

Due to the (very) forgiving implementation, any UDP packet with \x00\x01 at the right location would return the administrative password. Even our initial dumb approach yielded the administrative password within minutes.

Our initial test showed that the vulnerability is exploitable from the LAN. Nonetheless, the service seems to be listening on all the interfaces (see below).

Unfortunately, we were unable to verify the vulnerability on the WAN side as we lacked a suitable DSL connection. Using the information we have, we cannot exclude that the vulnerability is also exploitable on the WAN side. Of course, we would be happy to hear more insight on this.

CVE-2020-9279 – D-Link DSL-2640B - Hard-coded privileged account

The vulnerability we identified is a hard-coded user account. An attacker may use these credentials to log in to the device in order to perform administrative tasks.

The vulnerability was identified by analyzing the authentication process accessible via the web interface. While the cfm process provides the communication 'plumbing', the actual authentication is delegated to an external library libpsi.so. The library uses an object-oriented approach for handling the authentication credentials and the incoming authentication requests.

An analysis of the cfm process revealed a code path supporting authentication for the user named user.

The default passwords used for authentication are hard-coded in the libpsi.so binary.

Reverse engineering this library told us that the following default credentials can be used for logging into the web interface of the device.

Although the password of the user user can be changed, no web interface control is provided for modifying it. Therefore, this password will remain in its default state for the entire lifetime of the device. It is important to note that the account is valid for authenticating to any service relying on libpsi.so, such as ftp, telnet and ssh. As far as we know, the user user has similar capabilities as the admin account.

Interestingly, even though libpsi.so is only released in binary format, the credentials are clearly visible in the GPL source code of the device (see picture below).

Also, interestingly, these credentials are referred to as ASUS_USER_ACCOUNT. One may wonder how an ASUS related account ends up in a D-Link device.

The source code itself does not reveal any intention of obfuscation. The credentials seem to be valid for other ASUS devices as well. ASUS refers to them as the ASUS Super account in some old pages.


One could say that it's basically an ASUS feature ( :-) ) which ended up for some unknown reason in a D-Link device. The supply chain of IoT devices is definitely not devoid of mysteries. We believe it may be the result of some 'supply chain magic' rather than malicious intent.

The last remark we would like to make is that this vulnerability may be exploited through browser pivoting. A malicious website, visited with any device connected to the WiFi/LAN, may perform crafted requests towards the gateway.

CVE-2020-9278 – D-Link DSL-2640B - Unauthenticated configuration reset

This vulnerability allows an attacker to reset the device to its default configuration by accessing a specific URL. No authentication is required.


In fact, the following URLs can be accessed without authentication.

  • rebootinfo.cgi
  • ppppasswordinfo.cgi
  • qosqueue.cmd?action=savReboot
  • restoreinfo.cgi

Specifically, the device can be reset to default factory configuration by simply requesting the following URL:


An attacker may reset the administrative password to its default value admin, log in and perform any administrative tasks on the device, such as upload of malicious firmware or configuration of malicious DNS servers.

While the exploitation of this vulnerability requires access to the device LAN interface, it can also be remotely exploited via browser pivoting. An attacker in control of a malicious website may blindly reset the configuration of the device and, under some conditions, take full control of the device.

CVE-2020-9277 – D-Link DSL-2640B - CGI Authentication bypass

The CVE-2020-9277 vulnerability allows bypassing the authentication process for authenticated resources. An attacker may be able to directly access administrative functions of the web interface, without the need to supply valid credentials.

The web server first identifies (1) whether the requested URL requires authentication. The check is carried out by analyzing the requested file extension, located at the end of a URL. For instance, accessing administrative cgi modules requires authentication. The authentication is not performed immediately but delayed to a later point in the code.

The code then identifies (2) special resources for which authentication is not necessary. Examples are images or JavaScript utilities. The code matches the start of a URL with a specific string (e.g. /images/, utils.js) using the strncmp() function. If a match is found, no authentication is performed, regardless of the outcome of (1). The request is then further processed as if it had been successfully authenticated.

Finally, if a cgi module is requested, the do_cgi() function determines (3) the module to be executed by searching the module name anywhere in the URL, using the strstr() function.

All the above checks act in isolation; no state is carried over from one to the next. An attacker can then craft malicious URLs for bypassing authentication for cgi modules. The attack URL below changes the device admin password to newpass without any need for authentication:

This vulnerability gives an attacker full device control and allows performing unauthenticated administrative functions. This vulnerability requires accessing the device LAN interface, but it is suitable for exploitation via browser pivoting, allowing for remote attacks over the Internet.

CVE-2020-9276 – D-Link DSL-2640B - do_cgi buffer overflow

This vulnerability is a buffer overflow occurring in the do_cgi() function, while parsing the requested cgi module name. An attacker may execute arbitrary code on the device with administrative privileges, by supplying a malicious cgi module name in the URL.


In order to identify the module to be executed, the do_cgi() function copies the module name onto the stack. However, it does not check whether the length of the supplied module name fits in the allocated buffer (see picture).

A long cgi module name will overwrite the return address saved on the stack, allowing for a classical stack buffer overflow which is easy to exploit.

The do_cgi() function can, in principle, only be accessed after authentication. However, unauthenticated exploitation of this vulnerability is possible by combining it with CVE-2020-9277. In the picture below we exploit this vulnerability without authentication and execute a reverse shell payload.

While the vulnerability is potentially exploitable via browser pivoting, exploitation may not be trivial due to the URL mangling introduced by the browser when applying URL encoding on the outgoing requests.
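The C sketch below is an added example, not code from the firmware or from the original post. It models the three isolated checks behind CVE-2020-9277 next to a flow that resolves the module name once, bounds the copy that CVE-2020-9276 lacks, and bases the authentication decision on the resolved name. The function names, MODULE_MAX and the module demo.cgi are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MODULE_MAX 32               /* assumed buffer size, not the firmware's */
#define EXEMPT "/images/"           /* one exempt prefix named in the text */

/* Model of the flawed flow: checks (1)-(3) each look at the URL on their own.
   Returns 1 when a cgi module would run without authentication. */
int flawed_runs_unauthenticated(const char *url, const char *module) {
    size_t n = strlen(url);
    int need_auth = n >= 4 && strcmp(url + n - 4, ".cgi") == 0;  /* (1) */
    if (strncmp(url, EXEMPT, strlen(EXEMPT)) == 0)               /* (2) */
        need_auth = 0;                       /* exemption overrides (1) */
    int dispatched = strstr(url, module) != NULL;                /* (3) */
    return dispatched && !need_auth;
}

/* Hardened flow: resolve the target once, then decide on that result.
   Returns 1 = authentication required (resolved name in out);
           0 = static file under EXEMPT; -1 = rejected. */
int resolve_request(const char *url, char *out, size_t outsz) {
    if (url[0] != '/') return -1;
    size_t plen = strcspn(url, "?#");        /* path only, query ignored */
    const char *seg = url + plen;
    while (seg[-1] != '/') seg--;            /* stops at url[0] == '/' */
    size_t len = (size_t)(url + plen - seg);
    if (len == 0 || len >= outsz) return -1; /* bound checked before copy */
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)seg[i]) && seg[i] != '.' && seg[i] != '_')
            return -1;
    memcpy(out, seg, len);
    out[len] = '\0';
    if (len > 4 && strcmp(out + len - 4, ".cgi") == 0)
        return 1;                            /* modules never inherit the exemption */
    return strncmp(url, EXEMPT, strlen(EXEMPT)) == 0 ? 0 : 1;
}

int main(void) {
    char name[MODULE_MAX];
    const char *url = "/images/demo.cgi";    /* constructed; demo.cgi is hypothetical */
    printf("flawed, unauthenticated run: %d\n",
           flawed_runs_unauthenticated(url, "demo.cgi"));
    printf("hardened decision: %d\n", resolve_request(url, name, sizeof name));
    return 0;
}
```

The hardened function defaults to requiring authentication for anything that is not a static file under the exempt prefix, so a new module is protected without touching the exemption list.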
