Find D-Link software downloads at CNET Download.com, the most comprehensive source for safe, trusted, and spyware-free downloads on the Web. Products purchased in the US that have reached END-OF-SUPPORT (EOS) or cannot be found using Search on this site (support.dlink.com) may have been moved to our Legacy Products site (legacy.us.dlink.com).You can also click here to access our Legacy Products site: D-Link. The DSL-520B ADSL2+ modem router is an affordable high-performance ADSL device for home and the small office. With integrated ADSL2/2+ supporting up to 24Mbps download speed, firewall protection, Quality of Service (QoS) and 1-port switch, this router provides all the essentials that a home or small office needs to establish a secure and high-speed remote link to the outside world. Jan 30, 2014 D-LINK DSL 2750B B1-E1-D1 Firmware Update & adsl+3G Setup DSL+3G وإعداده على DSL-2750B تحديث راوتر - Duration: 11:14. Networking 4 All – احتراف الشبكات 6,264 views.
details: | Wireless AC1900 Dual-Band Gigabit ADSL2+ Router |
hardware type: | DSL Wireless Router |
date added: | 2015-09-06 |
Connect a storage drive to the USB 3.0 or 2.0 ports to effortlessly stream your digital media library to your TV, PC, tablet or mobile device via the built-in DLNA media server.
The router provides ultimate wireless speed with Wireless AC1900 technology which provides combined wireless speeds of up to 1.9 Gbps (1300AC + 600N).
mydlink™ Cloud access and management allows you to effortlessly monitor your network no matter where you are over the Internet, from your iOS, Android and Windows mobile device or a PC with a web browser.
The antennas inside the DSL-3590L have been carefully designed to ensure that you will get little to no dead space in any environment. The high-powered amplifier sends the signal into the furthest corners of your home. Furthermore, the Wireless AC1900 Dual-Band Gigabit ADSL2+ Modem Router’s multiple internal antennas improve wireless reception by adjusting antenna positions to where they are most needed to achieve the best possible performance.
DSL-3590L Features | |
General | |
Street price: | $245 |
LAN / WAN Connectivity | |
WAN port(s) type: | DSL/ISDN/POTS connector (RJ-11) |
LAN ports type: | Gigabit Ethernet (RJ-45) |
USB port(s): | 2 one of the USB ports is USB 3.0 (for storage devices) |
Router | |
Multihomed: | |
Port forwarding: | |
DHCP client: | |
QoS: | |
DSL | |
PPPoE client: | |
Wireless | |
WiFi standards supported: | 802.11a (54 Mbps) 802.11b (11 Mbps) 802.11g (54 Mbps) 802.11n 802.11ac (Wi-Fi 5) |
WiFi modes: | Access point |
WMM (QoS): | |
Dual Band (2.4GHz/5GHz): | |
VPN | |
IPSec | |
L2TP passthrough: | |
PPTP | |
Firewall | |
Device Management | |
Default admin username: | admin |
Administration: | Web-based (LAN) Remote configuration (WAN) Quick Setup Wizard |
Event log: | |
Misc hardware info | |
NTP client: | |
Links | |
Manual: | ftp://ftp.dlink.eu/Products/dsl/dsl-3590... |
rate: avg: |
In a previous post we shared our considerations on the impact of vulnerabilities in Internet connected devices that are EoL. We used the vulnerabilities that we identified in the D-Link DSL-2640B DSL gateway as a use case to support our considerations. In this post we describe the technical details of these vulnerabilities.
Before we dive into the technical details, it's important to note that:
- all vulnerabilities are (at least) applicable to the D-Link DSL-2640B (HW revision B2, Firmware version: EU_4.01B)
- all vulnerabilities apply to the latest available firmware (as of 27/03/2020)
- all vulnerabilities have been reported to D-Link
- we are not aware of any security fix released by D-Link
- as the device is EoL, following D-Link's policy, no fix may ever be available
The vulnerabilities described in this post may apply to other hardware revisions, other firmware versions and even completely different models. We did not investigate this further and D-Link did not provide any additional insights.
The following vulnerabilities are described in this post:
We hope we provided sufficient technical details of the identified vulnerabilities. Additional information (e.g. video demonstrations) may be provided in the future.
We hope you enjoy the technical remainder of this post! :)
CVE-2020-9275 – D-Link DSL-2640B - Remote credentials exfiltration
This vulnerability allows retrieval of the administrative password by sending a specific UDP packet to port 65002 of the device.
An attacker connected to the WiFi or the local LAN, or who is able to reach the internal device interface in any other way, can retrieve the device password with a single UDP
request.
Most functionality of the device, including the administration panel and the web server, are implemented in a single process named cfm
executed at startup. The cfm
process listens on UDP
port 65002
. Likely to support device configuration from a dedicated application. The screenshot below, shows the function implementing the communication protocol. The function name, pcApplication
, is taken directly from the binary's symbols.
Communication is done using D-Link's proprietrary protocol for which no information is publicly available. Reversing the cfm
binary yields the following structure for the protocol packet.
Several commands are supported and accessible by specifying the command code in the 2 bytes cmd
field. Communication is in plaintext and without authentication. The code only checks, for some commands, that the provided MAC
address matches the device MAC
address.
The command x00x01
allows retrieving system information from the device, including the device administrative password which is returned in plaintext. For example:
The MAC address check mentioned earlier is not performed for the x00x01
command. Any additional bytes are completely ignored which allowed us to identify the vulnerability in a very trivial manner.
In fact, we found this vulnerability using a rather dumb fuzzing campaign. To start, we simply piped /dev/urandom
into UDP
port 65002
. Obviously, we did not think this approach would yield vulnerabilities in any way. Especially because no traffic monitoring, no payload selection and no target debugging were in place. However, surprisingly, the device kindly returned the administrative password within a few minutes…
Due of the (very) forgiving implementation, any UDP
packet with x00x01
at the right location would return the administrative password. Even our initial dumb approach yielded the administrative password within minutes.
Our initial test identified the vulnerability is exploitable from the LAN. Nonetheless, the service seems to be listening on all the interfaces (see below).
Unfortunately, we were unable to verify the vulnerability on the WAN side as we lacked a suitable DSL connection. Using the information we have, we cannot exclude that the vulnerability is also exploitable on WAN side. Of course, we would be happy to hear more insight on this.
CVE-2020-9279 – D-Link DSL-2640B - Hard-coded privileged account
For this vulnerability we identified is a hard-coded user account. An attacker may use these credentials to login into the device in order to perform administrative tasks.
The vulnerability was identified by analyzing the authentication process accessible via the web interface. While the cfm
process provides the communication 'plumbing', the actual authentication is delegated to an external library libpsi.so
. The library uses an object-oriented approach for handling the authentication credentials and the incoming authentication requests.
An analysis of the cfm
process revealed a code path supporting authentication for the user named user
.
The default
passwords used for authentication are hard-coded in the libpsi.so
binary.
Reverse engineering this library told us that the following default
credentials can be used for logging into the web interface of the device.
Although the password of the user user
can be changed, no web interface control is provided for modifying it. Therefore, this password will be set to its default state for the entire life time of the device. It is important to note that the account is valid for authenticating to any service relying on lipsi.so
, such as ftp
, telnet
and ssh
. As far as we know, the user user
has similar capabilities as the admin
account.
Dsl D Link For Macbook
Interestingly, even though libpsi.so
is only released in binary format, the credentials are clearly visible in the GPL source code of the device (see picture below).
Also, interestingly, these credentials are referred to as ASUS_USER_ACCOUNT
. One may wonder how an ASUS related account ends up in a D-Link device.
The source code itself does not reveal any intention of obfuscation. The credentials seem to be valid for other ASUS devices as well. ASUS refers to them as the ASUS Super account
in some old pages.
One could say that it's basically an ASUS feature
( :-) ) which ended up for some unknown reason in a D-Link device. The supply chain of IoT devices are definitely not devoid any mysteries. We believe it may be the result of some 'supply chain magic' rather than malicious intent.
Dsl D Link For Mac Pro
The last remark we would like to make is that this vulnerability may be exploited through browser pivoting. A malicious website, visited with any device connected to the WiFi/LAN, may perform crafted requests towards the gateway.
CVE-2020-9278 – D-Link DSL-2640B - Unauthenticated configuration reset
This vulnerability allows an attacker to reset the device to its default configuration by accessing a specific URL. No authentication is required.
Dsl D Link For Mac Windows 10
In fact, the following URLs can be accessed without authentication.
- rebootinfo.cgi
- ppppasswordinfo.cgi
- qosqueue.cmd?action=savReboot
- restoreinfo.cgi
Specifically, the device can be reset to default factory configuration by simply requesting the following URL:
An attacker may reset the administrative password to its default value admin
, log in and perform any administrative tasks on the device, such as upload of malicious firmware or configuration of malicious DNS servers.
While the exploitation of this vulnerability requires access to the device LAN interface, it can also be remotely exploited via browser pivoting. An attacker in control of a malicious website may blindly reset the configuration of the device and, under some conditions, take full control of the device.
CVE-2020-9277 – D-Link DSL-2640B - CGI Authentication bypass
The CVE-2020-9277 vulnerability allows bypassing the authentication process for authenticated resources. An attacker may be able to directly access administrative functions of the web interface, without the need to supply valid credentials.
The web server first identifies (1) whether the requested URL
requires authentication. The check is carried on by analyzing the requested file extension, located at the end
of an URL
. For instance, accessing administrative cgi
modules requires authentication. The authentication is not performed immediately but delayed at a later point in the code.
The code then identifies (2) special resources for which the authentication is not necessary. Examples are images or Javascript
utilities. The code matches the start
of an URL
with the specific string (e.g: /images/
, utils.js
) using the strncmp()
function. If a match is found, no authentication is performed, regardless of the outcome of (1). The request is then further processed as it had been successfully authenticated.
Finally, if a cgi
module is requested, the do_cgi()
function determines (3) the module to be executed by searching the module name anywhere
in the URL
, using the
All the above checks act in isolation, no state is carried over. An attacker can then craft malicious URLs for bypassing authentication for cgi
modules. The attack URL below changes the device admin password to newpass without any need for authentication:
This vulnerability gives an attacker full device control and allows performing unauthenticated administrative functions. This vulnerability requires accessing the device LAN interface, but it is suitable for exploitation via browser pivoting, allowing for remote attacks over the Internet.
CVE-2020-9276 – D-Link DSL-2640B - do_cgi buffer overflow
This vulnerability is a buffer overflow occurring in the do_cgi()
function, while parsing the requested cgi
module name. An attacker may execute arbitrary code on the device with administrative privileges, by supplying a malicious cgi
module name in the URL.
The do_cgi
function, in order to identify the module to be executed, copies the module name on the stack. However, it does not check whether the length of the supplied module name fits in the allocated buffer (see picture).
Dsl D Link For Mac Os
A long cgi
module name will overwrite the return address saved on the stack, allowing for a classical stack buffer overflow which is easy to exploit.
D-link For Mac
The do_cgi()
function can, in principle, only be accessed after authentication. However, unauthenticated exploitation of this vulnerability is possible by combining it with CVE-2020-9277. In the picture below we exploit this vulnerability without authentication, execute a reverse shell payload.
Dsl D Link For Mac Download
While the vulnerability is potentially exploitable via browser pivoting, exploitation may not be trivial due to the URL mangling introduced by the browser when applying URL encoding on the outgoing requests.