CVE-2017-8415

Dlink DCS-1130 Command Injection / CSRF / Stack Overflow

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom telnet daemon as a part of the busybox and retrieves the password from the shadow file using the function getspnam at address 0x00053894. Then performs a crypt operation on the password retrieved from the user at address 0x000538E0 and performs a strcmp at address 0x00053908 to check if the password is correct or incorrect. However, the /etc/shadow file is a part of CRAM-FS filesystem which means that the user cannot change the password and hence a hardcoded hash in /etc/shadow is used to match the credentials provided by the user. This is a salted hash of the string "admin" and hence it acts as a password to the device which cannot be changed as the whole filesystem is read only.

Se detectó un problema en los dispositivos DCS-1100 y DCS-1130 de D-Link. El dispositivo presenta un demonio telnet personalizado como parte de la busybox y recupera la contraseña del archivo instantáneo utilizando la función getspnam en la dirección 0x00053894. Luego realiza una operación de cifrado en la contraseña recuperada del usuario en la dirección 0x000538E0 y realiza un strcmp en la dirección 0x00053908 para comprobar si la contraseña es correcta o incorrecta. Sin embargo, el archivo /etc/shadow es una parte del sistema de archivos CRAM-FS, lo que quiere decir que el usuario no puede cambiar la contraseña y, por lo tanto, se utiliza un hash codificado en /etc/shadow para que coincida con las credenciales suministradas por el usuario. Este es un hash con sal de la cadena "admin" y, por lo tanto, actúa como una contraseña para el dispositivo que no se puede cambiar debido a que todo el sistema de archivos es de solo lectura.

Dlink DCS-1130 suffers from command injection, cross site request forgery, stack overflow, and various other vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-05-02 CVE Reserved
2019-06-07 CVE Published
2019-06-07 First Exploit
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-798: Use of Hard-coded Credentials

CAPEC

References (4)

URL	Tag	Source
http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html	Third Party Advisory
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf	Not Applicable
https://seclists.org/bugtraq/2019/Jun/8	Mailing List

URL	Date	SRC
https://packetstorm.news/files/id/153226	2019-06-07

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dlink Search vendor "Dlink"	Dcs-1130 Firmware Search vendor "Dlink" for product "Dcs-1130 Firmware"	-	-	Affected	in	Dlink Search vendor "Dlink"	Dcs-1130 Search vendor "Dlink" for product "Dcs-1130"	-	-	Safe
Dlink Search vendor "Dlink"	Dcs-1100 Firmware Search vendor "Dlink" for product "Dcs-1100 Firmware"	-	-	Affected	in	Dlink Search vendor "Dlink"	Dcs-1100 Search vendor "Dlink" for product "Dcs-1100"	-	-	Safe