Unauthenticated Credential Disclosure through Decompilation of D-Link Firmware (CVE-2020-29321)

Introduction

Telnet credentials can be extracted from firmware of vulnerable D-Link devices like:

DIR-868L Rev. C1 - FW v3.01 (CVE-2020-29321)

DIR-880L Rev. Ax - FW v1.07 (CVE-2020-29322)

DIR-885L Rev. Ax - FW v1.15b02 (CVE-2020-29323)

DIR-895L Rev. Ax - FW v1.21b05 (CVE-2020-29324)

Analysis

1. Extract filesystem from firmware:

binwalk -eM DIR868LC1_FW301b08.bin

2. Obtain username from file squashfs-root/etc/init0.d/S80telnetd.sh. Username can be seen as Alphanetworks. 


3. Get password from file squashfs-root/etc/config/image_sign. In case of DIR-868L password is wrgac35_dlink.2013gui_dir868lc.



Demo

Comments

Post a Comment

Popular posts from this blog

Decrypt TP-Link config.bin Configuration Backup File

Image
Configuration backup file can be downloaded from certain TP-Link devices by clicking  Backup button on System Tools > Backup & Restore page. The downloaded configuration file, config.bin is encrypted. To decrypt the config.bin  file, use key 478DA50BF9E3D2CF. openssl enc -d -des-ecb -nopad -K 478DA50BF9E3D2CF -in config.bin -out dec_config.bin First 16 bytes of the output file, dec_config.bin is the MD5 hash of configuration text file. Decrypted file may also contain null byte padding at the end. In this case there are 4 null bytes at the end of file. To extract configuration text file, remove MD5 hash (First 16 bytes) and padding (Last 4 bytes).  dd if=dec_config.bin of=config.txt bs=1 skip=16 truncate -s -4 config.txt Output file, config.txt contains the configurations. Its MD5 hash should match the MD5 given in dec_config.bin. Demo
Read more

Firmadyne Installation & Emulation of Firmware

Image
   Introduction Firmadyne can be used to perform emulation and analysis of Linux based firmware. Installation Install Ubuntu 18.04 LTS and upgrade all packages: sudo apt update sudo apt upgrade Install and configure other packages: sudo apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python3-psycopg2 snmp uml-utilities util-linux vlan python3-pip python3-magic sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 10 git clone --recursive https://github.com/firmadyne/firmadyne.git git clone https://github.com/ReFirmLabs/binwalk.git cd binwalk sudo ./deps.sh sudo python ./setup.py install cd .. sudo apt-get install postgresql sudo -u postgres createuser -P firmadyne Give firmadyne as password. sudo -u postgres createdb -O firmadyne firmware sudo -u postgres psql -d firmware < ./firmadyne/database/schema cd firmadyne ./download.sh sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils nano firmadyne....
Read more

Extract / Create Cramfs File System from Ubuntu 20.04

Image
  Extract Cramfs Check the endianness of the Cramfs file: file cramfs  This is a big endian file. Convert  cramfs   file to little endian file  cramfs_le  using cramfsswap. cramfsswap cramfs cramfs_le Extract the little endian file  cramfs_le  to folder  fs  using fsck.cramfs. sudo fsck.cramfs --extract=fs cramfs_le Create Cramfs Use mkfs.cramfs to create Cramfs file system from the contents of folder  fs .To create a little endian file system: sudo mkfs.cramfs fs cramfs_new For big endian Cramfs file system: sudo mkfs.cramfs -N big fs cramfs_new Demo
Read more