CVE-2017-8415

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom telnet daemon as a part of the busybox and retrieves the password from the shadow file using the function getspnam at address 0x00053894. Then performs a crypt operation on the password retrieved from the user at address 0x000538E0 and performs a strcmp at address 0x00053908 to check if the password is correct or incorrect. However, the /etc/shadow file is a part of CRAM-FS filesystem which means that the user cannot change the password and hence a hardcoded hash in /etc/shadow is used to match the credentials provided by the user. This is a salted hash of the string "admin" and hence it acts as a password to the device which cannot be changed as the whole filesystem is read only.

CVSS v3 9.8 CRITICAL
CVSS v2.0 10.0 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html	Third Party Advisory VDB Entry
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf	Not Applicable Third Party Advisory
https://seclists.org/bugtraq/2019/Jun/8	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:dlink:dcs-1130_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dcs-1130:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:dlink:dcs-1100_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dcs-1100:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-07-02 21:15

Updated : 2023-12-10 12:59

NVD link : CVE-2017-8415

Mitre link : CVE-2017-8415

CVE.ORG link : CVE-2017-8415

JSON object : View

Products Affected

dlink

dcs-1130_firmware
dcs-1130
dcs-1100_firmware
dcs-1100

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2017-8415", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-07-02T21:15:10.493", "references": [{"url": "http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf", "tags": ["Not Applicable", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://seclists.org/bugtraq/2019/Jun/8", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom telnet daemon as a part of the busybox and retrieves the password from the shadow file using the function getspnam at address 0x00053894. Then performs a crypt operation on the password retrieved from the user at address 0x000538E0 and performs a strcmp at address 0x00053908 to check if the password is correct or incorrect. However, the /etc/shadow file is a part of CRAM-FS filesystem which means that the user cannot change the password and hence a hardcoded hash in /etc/shadow is used to match the credentials provided by the user. This is a salted hash of the string \"admin\" and hence it acts as a password to the device which cannot be changed as the whole filesystem is read only."}, {"lang": "es", "value": "Se detect\u00f3 un problema en los dispositivos DCS-1100 y DCS-1130 de D-Link. El dispositivo presenta un demonio telnet personalizado como parte de la busybox y recupera la contrase\u00f1a del archivo instant\u00e1neo utilizando la funci\u00f3n getspnam en la direcci\u00f3n 0x00053894. Luego realiza una operaci\u00f3n de cifrado en la contrase\u00f1a recuperada del usuario en la direcci\u00f3n 0x000538E0 y realiza un strcmp en la direcci\u00f3n 0x00053908 para comprobar si la contrase\u00f1a es correcta o incorrecta. Sin embargo, el archivo /etc/shadow es una parte del sistema de archivos CRAM-FS, lo que quiere decir que el usuario no puede cambiar la contrase\u00f1a y, por lo tanto, se utiliza un hash codificado en /etc/shadow para que coincida con las credenciales suministradas por el usuario. Este es un hash con sal de la cadena \"admin\" y, por lo tanto, act\u00faa como una contrase\u00f1a para el dispositivo que no se puede cambiar debido a que todo el sistema de archivos es de solo lectura."}], "lastModified": "2021-04-26T16:09:42.453", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dcs-1130_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DB53465-4FE2-43EF-B2C6-839DFEA80D62"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dcs-1130:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "33A388EC-275D-4180-83E2-AD73F7EEB54F"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dcs-1100_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "554817F7-7E3D-4D69-90AC-46D86056143B"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dcs-1100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "704F9608-72CE-49C0-B7D2-F2FE84DF0C74"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}