- D-Link: DSL6740C.V6.TR069.20211230
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The D-Link DSL6740C modem is configured with default and predictable administrator credentials that compromise the security of the device. These credentials allow unauthorized remote access to the modem's control panel, posing a significant security risk.
During the initial boot process, the firmware executes a script located at /etc/defnodes/S30setnode.sh
.
248 │ user1_pwd_default="740c"
249 │ rgdb -d /sys/user:3
250 │ MAC=`xmldbc -i -g /runtime/layout/wlanmac`
251 │ N1=`echo $MAC | cut -d: -f1`
252 │ N2=`echo $MAC | cut -d: -f2`
253 │ N3=`echo $MAC | cut -d: -f3`
254 │ N4=`echo $MAC | cut -d: -f4`
255 │ N5=`echo $MAC | cut -d: -f5`
256 │ N6=`echo $MAC | cut -d: -f6`
257 │ LAN_PASS=`echo 740c$N5$N6 | tr [A-Z] [a-z]`
258 │ WAN_PASS=`echo cht$N4$N5$N6 | tr [A-Z] [a-z]`
259 │ xmldbc -i -s /sys/user:1/password_for_wan $WAN_PASS
260 │ xmldbc -i -s /sys/user:1/password $LAN_PASS
261 │ xmldbc -i -s /sys/user:2/password "user"
262 │ xmldbc -i -s /sys/user:1/default_pwd $user1_pwd_default
263 │ xmldbc -i -s /sys/user:1/exist 1
This script uses the xmldbc
command to retrieve the MAC address from the XML database, formats it, and sets predictable passwords based on this MAC address:
- Administrator Password for LAN Access:
740c<last 4 chars of MAC>
- Administrator Password for WAN Access:
cht<last 6 chars of MAC>
- Normal User Account Password:
user
The use of predictable credentials derived from publicly accessible information like the MAC address allows attackers to easily gain administrative access to the modem without any user interaction. This vulnerability can lead to several potential threats including:
- Unauthorized Configuration Changes: Attackers can alter network settings, disable services, or reconfigure the modem to route traffic through malicious servers.
- Data Breach: Unauthorized access could lead to interception and theft of sensitive data transmitted over the network.
- Service Disruption: The ability to change configurations or update firmware could be used to disrupt service availability, impacting users connected to the network.
- Network Expansion: Compromised modems can serve as entry points into broader network infrastructures, facilitating further attacks on connected devices and systems.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
The D-Link DSL6740C modem is configured to use a default WiFi password that is identical to its MAC address, which also serves as the BSSID visible during WiFi scans. This predictable password setting allows any attacker within the WiFi signal range to easily connect to the network.
The vulnerability of having a predictable WiFi password based on publicly accessible information such as the BSSID significantly compromises network security by facilitating unauthorized access:
- Unauthorized Network Access: Adjacent attackers can gain easy access to the WiFi network without needing sophisticated tools or techniques.
- Potential Data Exposure: Once connected to the network, an attacker could potentially intercept unencrypted traffic or exploit other network vulnerabilities to access sensitive data.
- Network Resource Abuse: Unauthorized users may consume bandwidth or utilize network resources for malicious purposes, including launching attacks on other networks.
- Loss of Confidentiality: The integrity and confidentiality of personal or business data transmitted over the network are at risk due to potential eavesdropping by unauthorized parties.
- Chiao-Lin Yu (Steven Meow)
- 2024/09/16
- CWE-1391: Use of Weak Credentials
- CWE-1392: Use of Default Credentials