D-Link DVG-3104MS Hardcoded Credentials Vulnerability Analysis (CVE-2021-39613)

Introduction

D-Link DVG-3104MS version 1.0.2.0.3, 1.0.2.0.4, and 1.0.2.0.4E contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file. Passwords can be easily recovered using john. D-Link DVX-2000MS also has similar vulnerability (CVE-2021-39614).

Analysis

1. Extract filesystem from the firmware using binwalk

binwalk -eM DVG-3104MS_010204.flash

2. Extract etc.tgz file in _DVG-3104MS_010204.flash.extracted/squashfs-root/etc/ directory. Two different types of hashes can be found in passwd file. 

3.Separate them and crack the hashes using john.

john passwd_type1.txt

john passwd_type2.txt

4. Following credentials will be obtained after successful crack:

root:brecis:0:0:root:/root:/bin/sh
CLI:brecis:0:0:root:/root:/bin/sh
demo:demo:5000:5000:Demo User:/home/demo:/bin/bash
maintain:blip:6000:6000:maintainer:/var:/bin/sh
cloudraker:brecis:32770:32770:Linux User,,,:/home/cloudraker:/bin/sh
pmc:pmc123:32771:32771:Linux User,,,:/home/pmc:/bin/sh 

Demo



Comments

Post a Comment

Popular posts from this blog

Decrypt TP-Link config.bin Configuration Backup File

Image
Configuration backup file can be downloaded from certain TP-Link devices by clicking  Backup button on System Tools > Backup & Restore page. The downloaded configuration file, config.bin is encrypted. To decrypt the config.bin  file, use key 478DA50BF9E3D2CF. openssl enc -d -des-ecb -nopad -K 478DA50BF9E3D2CF -in config.bin -out dec_config.bin First 16 bytes of the output file, dec_config.bin is the MD5 hash of configuration text file. Decrypted file may also contain null byte padding at the end. In this case there are 4 null bytes at the end of file. To extract configuration text file, remove MD5 hash (First 16 bytes) and padding (Last 4 bytes).  dd if=dec_config.bin of=config.txt bs=1 skip=16 truncate -s -4 config.txt Output file, config.txt contains the configurations. Its MD5 hash should match the MD5 given in dec_config.bin. Demo
Read more

Firmadyne Installation & Emulation of Firmware

Image
   Introduction Firmadyne can be used to perform emulation and analysis of Linux based firmware. Installation Install Ubuntu 18.04 LTS and upgrade all packages: sudo apt update sudo apt upgrade Install and configure other packages: sudo apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python3-psycopg2 snmp uml-utilities util-linux vlan python3-pip python3-magic sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 10 git clone --recursive https://github.com/firmadyne/firmadyne.git git clone https://github.com/ReFirmLabs/binwalk.git cd binwalk sudo ./deps.sh sudo python ./setup.py install cd .. sudo apt-get install postgresql sudo -u postgres createuser -P firmadyne Give firmadyne as password. sudo -u postgres createdb -O firmadyne firmware sudo -u postgres psql -d firmware < ./firmadyne/database/schema cd firmadyne ./download.sh sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils nano firmadyne.config Un
Read more

Extract / Create Cramfs File System from Ubuntu 20.04

Image
  Extract Cramfs Check the endianness of the Cramfs file: file cramfs  This is a big endian file. Convert  cramfs   file to little endian file  cramfs_le  using cramfsswap. cramfsswap cramfs cramfs_le Extract the little endian file  cramfs_le  to folder  fs  using fsck.cramfs. sudo fsck.cramfs --extract=fs cramfs_le Create Cramfs Use mkfs.cramfs to create Cramfs file system from the contents of folder  fs .To create a little endian file system: sudo mkfs.cramfs fs cramfs_new For big endian Cramfs file system: sudo mkfs.cramfs -N big fs cramfs_new Demo
Read more