An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom telnet daemon as a part of the busybox and retrieves the password from the shadow file using the function getspnam at address 0x00053894. Then performs a crypt operation on the password retrieved from the user at address 0x000538E0 and performs a strcmp at address 0x00053908 to check if the password is correct or incorrect. However, the /etc/shadow file is a part of CRAM-FS filesystem which means that the user cannot change the password and hence a hardcoded hash in /etc/shadow is used to match the credentials provided by the user. This is a salted hash of the string "admin" and hence it acts as a password to the device which cannot be changed as the whole filesystem is read only.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-02T20:13:08

Updated: 2024-08-05T16:34:22.971Z

Reserved: 2017-05-02T00:00:00

Link: CVE-2017-8415

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2019-07-02T21:15:10.493

Modified: 2021-04-26T16:09:42.453

Link: CVE-2017-8415

cve-icon Redhat

No data.