Undocumented HTTP get request + default root password allows remote root access
An issue was discovered on D-Link DAP-1360 revision F devices. Firmware versions 609EU to 613EUbeta were tested. Improper access control allows remote attackers to start a telnet service without any authorization via an undocumented HTTP request. Additionally firmware versions up to and including 6.12b01 have weak root credentials, allowing an attacker to gain remote root access. From firmware version 6.12b01 the root credentials were changed but the telnet service can still be started without any authorization.
The minihttpd 1.19 seems to be extended by a function (DAP1360F1_v6.12EUb03/src/opensource/httpd/mini_httpd-1.19/mini_httpd.c in line 1739) to configure inetd to start telentd, which is called whenever start_telnet is requestet via HTTP (DAP1360F1_v6.12EUb03/src/opensource/httpd/mini_httpd-1.19/mini_httpd.c in line 1882).
/*1360 ²úÆ·ÐèÒª½«telnet¹Ø±Õ£¬µ«ÎªÁ˲»Ó°ÏìÉú²ú,µ±¼ì²âµ½ÐèÒª¿ªÆôʱ½«telnet¿ªÆô*/
static int start_telnet(void)
{
FILE *pFile = NULL;
pFile = fopen("/etc/inetd.conf", "w");/* ´ò¿ªÎļþ */
if ( NULL == pFile )
{
printf("Open file /etc/inetd.conf faild.\n");
return -1;
}
fprintf(pFile, "telnet stream tcp nowait root /usr/sbin/telnetd telnetd\n");/* ÁÙʱ´ò¿ªtelnet·þÎñ */
fclose(pFile); /* ¹Ø±ÕÎļþ */
system("killall -9 inetd");/*ɱµôÔÀ´µÄinetd*/
sleep(1);
system("/usr/sbin/inetd &");/*ÖØÀinetd*/
system("echo \"1\">/var/telnetd");//ÅäºÏÓ¦Óò㣬¿ªÆôtelnet·þÎñ
return 0;
}
//...
/* Parse the first line of the request. */
method_str = get_request_line();
if ( method_str == (char*) 0 )
{
send_error( 400, "Bad Request", "", "Can't parse request." );
}
else
{
if ( strcasestr( method_str, "start_telnet"))/*¸ü¸ÄΪstart telnet*/
{
start_telnet();/*ÅжÏÊäÈëµÄÇëÇóÊÇ·ñÊÇÒª´ò¿ªtelnet£¬Èç¹ûÊÇÒª´ò¿ªtelnetÔòµ÷ÓÃstart_tenet¿ªÆôtelnet*/
}
}
//...
This means a curl http://192.168.0.50/start_telnet will launch telnetd. This request is independent of any web-panel access control, so anyone who has access to port 80 on the access-point can remotely launch a telnet daemon.
Together with hard-coded, weak root passwords for all fimware-versions up to DAP-1360_RevF_Firmware612EUb03, this means an attacker can access a root shell on the device.
All tested firmware version are vulnerable for the improper access controlled telnetd switch.
The firmware versions 609, 611, 612b01 in addition have all the same weak root password. From 612b01 to 612b03 the root password was changed.
The root password can not be changed by the user via the web-interface.