DSL-504T (and maybe many other) remote access without password bug
From: alessandro <alessandro () sideralis net>
Date: Thu, 26 May 2005 20:50:57 +0200
Device: CUSTOMER=DLinkEU MODEL=DSL-504T
Version: only tested with VERSION=V1.00B01T16.EU.20040217
Bugs: i) remote firmware upgrade without password
ii) config retrieval without password
Status: vendor not contacted
Workaround: disable remote web management
Author: Alessandro Audero
DSL-504T is a D-Link router/ADSL modem running a Linux system based
on MIPS 4KEc V4.8. This is the uname that I found from the device I
Linux version 2.4.17_mvl21-malta-mips_fp_le
(tiger () fd7 alphanetworks com) (gcc version 2.95.3 20010315
(release/MontaVista)) #71 Tue Feb 17 01:16:45 GMT 2004
It supports a remote web management console that, at first sight, asks for
a username and a password. The URL should be something like this:
and if you click on 'login' you'll get this other URL:
that obviously tells you that you have typed in a wrong password.
But if you look at the root cgi-bin dir, that is
you'll get a list of two files: one is webcm, the other is firmwarecfg
If you click on the latter one, you will be placed in a page where you are
allowed to upgrade the router firmware, restart the router, download
current configuration or restore a previously saved conf.
There's another point in downloading the router configuration. In fact, the
management username and password are saved in clear text inside the XML
With this auth info you can log into the system using telnet and have
a complete shell on that router.
Another issue can be found looking at another username/password section
regarding ADSL connection settings:
This can lead to email/web account security problems if the user also uses
these credentials for other accounts (email, for example), which is quite
possible when the internet provider also provides email or web space.
That's all, folks.
It is possible that this kind of bug is also present in other
routers that implement BusyBox and are configurable via HTTP or
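The clear-text credential storage described in the post can be checked for in any exported configuration backup. The Python sketch below is an added example, not part of the original post; the XML layout, field names and values are constructed, because the advisory's own XML excerpt is not reproduced on this page.

```python
import re
import xml.etree.ElementTree as ET

# Field names that usually hold a secret (assumed list, extend for your device).
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|psk", re.I)
# Values that look hashed or encrypted rather than clear text (heuristic).
HASHED = re.compile(r"^(\$\w+\$.+|[0-9a-fA-F]{32,}|\{\w+\}.+)$")

# Constructed sample; the real DSL-504T export layout is not shown in the advisory.
SAMPLE = """<config>
  <management>
    <user name="admin" password="example-admin-pw"/>
  </management>
  <wan>
    <ppp><username>user@isp.example</username><password>example-ppp-pw</password></ppp>
  </wan>
  <snmp><secret>$1$abcdefgh$0123456789abcdefghijkl</secret></snmp>
</config>"""


def mask(value):
    """Keep only the first character so the report itself leaks nothing."""
    return value[0] + "*" * (len(value) - 1)


def find_cleartext_secrets(xml_text):
    """Return (location, masked value) for each secret stored unhashed."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        # Secrets stored as attributes, e.g. <user password="...">
        for attr, value in elem.attrib.items():
            if SECRET_NAME.search(attr) and value and not HASHED.match(value):
                findings.append((f"{here}/@{attr}", mask(value)))
        # Secrets stored as element text, e.g. <password>...</password>
        text = (elem.text or "").strip()
        if SECRET_NAME.search(elem.tag) and text and not HASHED.match(text):
            findings.append((here, mask(text)))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


if __name__ == "__main__":
    for location, masked in find_cleartext_secrets(SAMPLE):
        print(f"clear-text secret at {location}: {masked}")
```

Any finding means the backup file must be handled as a credential, and the same password should not be reused for the ISP, email or web accounts.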