An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom telnet daemon as a part of the busybox and retrieves the password from the shadow file using the function getspnam at address 0x00053894. Then performs a crypt operation on the password retrieved from the user at address 0x000538E0 and performs a strcmp at address 0x00053908 to check if the password is correct or incorrect. However, the /etc/shadow file is a part of CRAM-FS filesystem which means that the user cannot change the password and hence a hardcoded hash in /etc/shadow is used to match the credentials provided by the user. This is a salted hash of the string "admin" and hence it acts as a password to the device which cannot be changed as the whole filesystem is read only.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2019-07-02T20:13:08
Updated: 2024-08-05T16:34:22.971Z
Reserved: 2017-05-02T00:00:00
Link: CVE-2017-8415
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2019-07-02T21:15:10.493
Modified: 2021-04-26T16:09:42.453
Link: CVE-2017-8415
Redhat
No data.