
@stevenyu113228
Last active November 28, 2024 16:12

Affected Version

  • D-Link: DSL6740C.V6.TR069.20211230

Vulnerability Details

1. Predictable Administrator Credentials in D-Link DSL6740C Modem

CVSSv3.1 Score: 9.8 (Critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The D-Link DSL6740C modem is configured with default and predictable administrator credentials that compromise the security of the device. These credentials allow unauthorized remote access to the modem's control panel, posing a significant security risk.

Root Cause Analysis

During the initial boot process, the firmware executes a script located at /etc/defnodes/S30setnode.sh.

        # Default password stem for the LAN administrator account
        user1_pwd_default="740c"
        rgdb -d /sys/user:3
        # Read the wireless MAC from the XML database and split it into its six octets
        MAC=`xmldbc -i -g /runtime/layout/wlanmac`
        N1=`echo $MAC | cut -d: -f1`
        N2=`echo $MAC | cut -d: -f2`
        N3=`echo $MAC | cut -d: -f3`
        N4=`echo $MAC | cut -d: -f4`
        N5=`echo $MAC | cut -d: -f5`
        N6=`echo $MAC | cut -d: -f6`
        # Derive both administrator passwords from the trailing MAC octets (lowercased)
        LAN_PASS=`echo 740c$N5$N6 | tr [A-Z] [a-z]`
        WAN_PASS=`echo cht$N4$N5$N6 | tr [A-Z] [a-z]`
        # Persist the derived passwords and a fixed password for the normal user account
        xmldbc -i -s /sys/user:1/password_for_wan $WAN_PASS
        xmldbc -i -s /sys/user:1/password $LAN_PASS
        xmldbc -i -s /sys/user:2/password "user"
        xmldbc -i -s /sys/user:1/default_pwd $user1_pwd_default
        xmldbc -i -s /sys/user:1/exist 1

This script uses the xmldbc command to retrieve the MAC address from the XML database, formats it, and sets predictable passwords based on this MAC address:

  • Administrator Password for LAN Access: 740c<last 4 chars of MAC>
  • Administrator Password for WAN Access: cht<last 6 chars of MAC>
  • Normal User Account Password: user

Impact

The use of predictable credentials derived from publicly accessible information like the MAC address allows attackers to easily gain administrative access to the modem without any user interaction. This vulnerability can lead to several potential threats including:

  • Unauthorized Configuration Changes: Attackers can alter network settings, disable services, or reconfigure the modem to route traffic through malicious servers.
  • Data Breach: Unauthorized access could lead to interception and theft of sensitive data transmitted over the network.
  • Service Disruption: The ability to change configurations or update firmware could be used to disrupt service availability, impacting users connected to the network.
  • Network Expansion: Compromised modems can serve as entry points into broader network infrastructures, facilitating further attacks on connected devices and systems.

2. Predictable WiFi Password in D-Link DSL6740C Modem

CVSSv3.1 Score: 6.5 (Medium)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

The D-Link DSL6740C modem is configured to use a default WiFi password that is identical to its MAC address, which also serves as the BSSID visible during WiFi scans. This predictable password setting allows any attacker within the WiFi signal range to easily connect to the network.
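The following audit helper is an added example, not code from the advisory or from D-Link's firmware. It reproduces the credential derivation that S30setnode.sh performs (from the Root Cause Analysis above) and the MAC-as-WiFi-password default (from this section), so that an administrator can check a device inventory for units whose admin passwords or WPA passphrase are still the predictable defaults. The sample MAC is constructed. One assumption is labelled in the code: the advisory states that the WiFi password equals the MAC/BSSID but not its exact textual form, so the PSK check ignores separators and letter case.

```python
import re

# Constructed sample value for a unit in an inventory; not a real device.
SAMPLE_MAC = "AA:BB:CC:DD:EE:FF"


def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def derive_defaults(mac):
    """Reproduce the passwords S30setnode.sh assigns from the wireless MAC.

    The script pipes the result through tr [A-Z] [a-z], so the stored
    values are lowercase regardless of how the MAC was written.
    """
    octets = [normalize_mac(mac)[i:i + 2] for i in range(0, 12, 2)]
    n4, n5, n6 = octets[3], octets[4], octets[5]
    return {
        "admin_lan": "740c" + n5 + n6,       # /sys/user:1/password
        "admin_wan": "cht" + n4 + n5 + n6,   # /sys/user:1/password_for_wan
        "user": "user",                      # /sys/user:2/password
    }


def wifi_psk_is_default(mac, psk):
    """True if the PSK is the device's own MAC in any common textual form.

    Assumption: the advisory does not give the exact formatting of the
    default PSK, so separators and case are ignored when comparing.
    """
    try:
        return normalize_mac(psk) == normalize_mac(mac)
    except ValueError:
        return False


def audit(mac, admin_lan=None, admin_wan=None, user=None, wifi_psk=None):
    """Return the names of the supplied credentials that are still defaults."""
    defaults = derive_defaults(mac)
    supplied = {"admin_lan": admin_lan, "admin_wan": admin_wan, "user": user}
    # Exact comparison: the firmware stores the derived values in lowercase,
    # so a mixed-case variant of the same string is not the stored default.
    findings = [name for name, value in supplied.items()
                if value is not None and value == defaults[name]]
    if wifi_psk is not None and wifi_psk_is_default(mac, wifi_psk):
        findings.append("wifi_psk")
    return findings


if __name__ == "__main__":
    # A unit whose WAN admin password was changed but everything else was not.
    print(audit(SAMPLE_MAC, admin_lan="740ceeff", admin_wan="Str0ngPassphrase",
                user="user", wifi_psk="AA:BB:CC:DD:EE:FF"))
```

Run it over the configured credentials exported from each unit you manage; any non-empty result is a device that should have its passwords and WPA passphrase changed before it is exposed on the WAN or in WiFi range. The user account password "user" is a fixed value rather than MAC-derived, so it is flagged whenever it is unchanged.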

Proof-of-Concept

[Screenshot 2024-09-09 1:44:12 PM] [Screenshot 2024-09-09 1:45:06 PM]

Impact

The vulnerability of having a predictable WiFi password based on publicly accessible information such as the BSSID significantly compromises network security by facilitating unauthorized access:

  • Unauthorized Network Access: Adjacent attackers can gain easy access to the WiFi network without needing sophisticated tools or techniques.
  • Potential Data Exposure: Once connected to the network, an attacker could potentially intercept unencrypted traffic or exploit other network vulnerabilities to access sensitive data.
  • Network Resource Abuse: Unauthorized users may consume bandwidth or utilize network resources for malicious purposes, including launching attacks on other networks.
  • Loss of Confidentiality: The integrity and confidentiality of personal or business data transmitted over the network are at risk due to potential eavesdropping by unauthorized parties.

Credits

  • Chiao-Lin Yu (Steven Meow)

Report Date

  • 2024/09/16

CWE types

  • CWE-1391: Use of Weak Credentials
  • CWE-1392: Use of Default Credentials