Dsl D Link For Mac

Find D-Link software downloads at CNET Download.com, the most comprehensive source for safe, trusted, and spyware-free downloads on the Web. Products purchased in the US that have reached END-OF-SUPPORT (EOS) or cannot be found using Search on this site (support.dlink.com) may have been moved to our Legacy Products site (legacy.us.dlink.com).You can also click here to access our Legacy Products site: D-Link. The DSL-520B ADSL2+ modem router is an affordable high-performance ADSL device for home and the small office. With integrated ADSL2/2+ supporting up to 24Mbps download speed, firewall protection, Quality of Service (QoS) and 1-port switch, this router provides all the essentials that a home or small office needs to establish a secure and high-speed remote link to the outside world. Jan 30, 2014 D-LINK DSL 2750B B1-E1-D1 Firmware Update & adsl+3G Setup DSL+3G وإعداده على DSL-2750B تحديث راوتر - Duration: 11:14. Networking 4 All – احتراف الشبكات 6,264 views.

Home » Broadband Hardware » List » D-Link » DSL-3590L Details

details:	Wireless AC1900 Dual-Band Gigabit ADSL2+ Router
hardware type:	DSL Wireless Router
date added:	2015-09-06

The DSL-3590L Wireless AC1900 Dual-Band Gigabit ADSL2+ Router combines an ADSL2+ modem and high-end wireless router together to create a single, easy to use device that creates and shares an Internet connection for all your devices.

Connect a storage drive to the USB 3.0 or 2.0 ports to effortlessly stream your digital media library to your TV, PC, tablet or mobile device via the built-in DLNA media server.
The router provides ultimate wireless speed with Wireless AC1900 technology which provides combined wireless speeds of up to 1.9 Gbps (1300AC + 600N).
mydlink™ Cloud access and management allows you to effortlessly monitor your network no matter where you are over the Internet, from your iOS, Android and Windows mobile device or a PC with a web browser.
The antennas inside the DSL-3590L have been carefully designed to ensure that you will get little to no dead space in any environment. The high-powered amplifier sends the signal into the furthest corners of your home. Furthermore, the Wireless AC1900 Dual-Band Gigabit ADSL2+ Modem Router’s multiple internal antennas improve wireless reception by adjusting antenna positions to where they are most needed to achieve the best possible performance.

DSL-3590L Features

General

Street price: $245

LAN / WAN Connectivity

WAN port(s) type: DSL/ISDN/POTS connector (RJ-11)

LAN ports type: Gigabit Ethernet (RJ-45)

USB port(s): 2
one of the USB ports is USB 3.0 (for storage devices)

Router

Multihomed:

Port forwarding:

DHCP client:

QoS:

DSL

PPPoE client:

Wireless

WiFi standards supported: 802.11a (54 Mbps)
802.11b (11 Mbps)
802.11g (54 Mbps)
802.11n
802.11ac (Wi-Fi 5)

WiFi modes: Access point

WMM (QoS):

Dual Band (2.4GHz/5GHz):

VPN

IPSec

L2TP passthrough:

PPTP

Firewall

Device Management

Default admin username: admin

Administration: Web-based (LAN)
Remote configuration (WAN)
Quick Setup Wizard

Event log:

Misc hardware info

NTP client:

Links

Manual: ftp://ftp.dlink.eu/Products/dsl/dsl-3590...

Please use the Add Comment function below to review devices you have used (please be descriptive). If you find an error in our database, or have additional information about the product, please

rate: avg:

In a previous post we shared our considerations on the impact of vulnerabilities in Internet connected devices that are EoL. We used the vulnerabilities that we identified in the D-Link DSL-2640B DSL gateway as a use case to support our considerations. In this post we describe the technical details of these vulnerabilities.

Before we dive into the technical details, it's important to note that:

all vulnerabilities are (at least) applicable to the D-Link DSL-2640B (HW revision B2, Firmware version: EU_4.01B)
all vulnerabilities apply to the latest available firmware (as of 27/03/2020)
all vulnerabilities have been reported to D-Link
we are not aware of any security fix released by D-Link
as the device is EoL, following D-Link's policy, no fix may ever be available

The vulnerabilities described in this post may apply to other hardware revisions, other firmware versions and even completely different models. We did not investigate this further and D-Link did not provide any additional insights.

The following vulnerabilities are described in this post:

We hope we provided sufficient technical details of the identified vulnerabilities. Additional information (e.g. video demonstrations) may be provided in the future.

We hope you enjoy the technical remainder of this post! :)

CVE-2020-9275 – D-Link DSL-2640B - Remote credentials exfiltration

This vulnerability allows retrieval of the administrative password by sending a specific UDP packet to port 65002 of the device.

An attacker connected to the WiFi or the local LAN, or who is able to reach the internal device interface in any other way, can retrieve the device password with a single UDP request.

Most functionality of the device, including the administration panel and the web server, are implemented in a single process named cfm executed at startup. The cfm process listens on UDP port 65002. Likely to support device configuration from a dedicated application. The screenshot below, shows the function implementing the communication protocol. The function name, pcApplication, is taken directly from the binary's symbols.

Communication is done using D-Link's proprietrary protocol for which no information is publicly available. Reversing the cfm binary yields the following structure for the protocol packet.

Several commands are supported and accessible by specifying the command code in the 2 bytes cmd field. Communication is in plaintext and without authentication. The code only checks, for some commands, that the provided MAC address matches the device MAC address.

The command x00x01 allows retrieving system information from the device, including the device administrative password which is returned in plaintext. For example:

The MAC address check mentioned earlier is not performed for the x00x01 command. Any additional bytes are completely ignored which allowed us to identify the vulnerability in a very trivial manner.

In fact, we found this vulnerability using a rather dumb fuzzing campaign. To start, we simply piped /dev/urandom into UDP port 65002. Obviously, we did not think this approach would yield vulnerabilities in any way. Especially because no traffic monitoring, no payload selection and no target debugging were in place. However, surprisingly, the device kindly returned the administrative password within a few minutes…

Due of the (very) forgiving implementation, any UDP packet with x00x01 at the right location would return the administrative password. Even our initial dumb approach yielded the administrative password within minutes.

Our initial test identified the vulnerability is exploitable from the LAN. Nonetheless, the service seems to be listening on all the interfaces (see below).

Unfortunately, we were unable to verify the vulnerability on the WAN side as we lacked a suitable DSL connection. Using the information we have, we cannot exclude that the vulnerability is also exploitable on WAN side. Of course, we would be happy to hear more insight on this.

CVE-2020-9279 – D-Link DSL-2640B - Hard-coded privileged account

For this vulnerability we identified is a hard-coded user account. An attacker may use these credentials to login into the device in order to perform administrative tasks.

The vulnerability was identified by analyzing the authentication process accessible via the web interface. While the cfm process provides the communication 'plumbing', the actual authentication is delegated to an external library libpsi.so. The library uses an object-oriented approach for handling the authentication credentials and the incoming authentication requests.

An analysis of the cfm process revealed a code path supporting authentication for the user named user.

The default passwords used for authentication are hard-coded in the libpsi.so binary.

Reverse engineering this library told us that the following default credentials can be used for logging into the web interface of the device.

Although the password of the user user can be changed, no web interface control is provided for modifying it. Therefore, this password will be set to its default state for the entire life time of the device. It is important to note that the account is valid for authenticating to any service relying on lipsi.so, such as ftp, telnet and ssh. As far as we know, the user user has similar capabilities as the admin account.

Dsl D Link For Macbook

Interestingly, even though libpsi.so is only released in binary format, the credentials are clearly visible in the GPL source code of the device (see picture below).

Also, interestingly, these credentials are referred to as ASUS_USER_ACCOUNT. One may wonder how an ASUS related account ends up in a D-Link device.

The source code itself does not reveal any intention of obfuscation. The credentials seem to be valid for other ASUS devices as well. ASUS refers to them as the ASUS Super account in some old pages.

One could say that it's basically an ASUS feature ( :-) ) which ended up for some unknown reason in a D-Link device. The supply chain of IoT devices are definitely not devoid any mysteries. We believe it may be the result of some 'supply chain magic' rather than malicious intent.

Dsl D Link For Mac Pro

The last remark we would like to make is that this vulnerability may be exploited through browser pivoting. A malicious website, visited with any device connected to the WiFi/LAN, may perform crafted requests towards the gateway.

CVE-2020-9278 – D-Link DSL-2640B - Unauthenticated configuration reset

This vulnerability allows an attacker to reset the device to its default configuration by accessing a specific URL. No authentication is required.

Dsl D Link For Mac Windows 10

In fact, the following URLs can be accessed without authentication.

rebootinfo.cgi
ppppasswordinfo.cgi
qosqueue.cmd?action=savReboot
restoreinfo.cgi

Specifically, the device can be reset to default factory configuration by simply requesting the following URL:

An attacker may reset the administrative password to its default value admin, log in and perform any administrative tasks on the device, such as upload of malicious firmware or configuration of malicious DNS servers.

While the exploitation of this vulnerability requires access to the device LAN interface, it can also be remotely exploited via browser pivoting. An attacker in control of a malicious website may blindly reset the configuration of the device and, under some conditions, take full control of the device.

CVE-2020-9277 – D-Link DSL-2640B - CGI Authentication bypass

The CVE-2020-9277 vulnerability allows bypassing the authentication process for authenticated resources. An attacker may be able to directly access administrative functions of the web interface, without the need to supply valid credentials.

The web server first identifies (1) whether the requested URL requires authentication. The check is carried on by analyzing the requested file extension, located at the end of an URL. For instance, accessing administrative cgi modules requires authentication. The authentication is not performed immediately but delayed at a later point in the code.

The code then identifies (2) special resources for which the authentication is not necessary. Examples are images or Javascript utilities. The code matches the start of an URL with the specific string (e.g: /images/, utils.js) using the strncmp() function. If a match is found, no authentication is performed, regardless of the outcome of (1). The request is then further processed as it had been successfully authenticated.

Finally, if a cgi module is requested, the do_cgi() function determines (3) the module to be executed by searching the module name anywhere in the URL, using the strstr() function.

All the above checks act in isolation, no state is carried over. An attacker can then craft malicious URLs for bypassing authentication for cgi modules. The attack URL below changes the device admin password to newpass without any need for authentication:

This vulnerability gives an attacker full device control and allows performing unauthenticated administrative functions. This vulnerability requires accessing the device LAN interface, but it is suitable for exploitation via browser pivoting, allowing for remote attacks over the Internet.

CVE-2020-9276 – D-Link DSL-2640B - do_cgi buffer overflow

This vulnerability is a buffer overflow occurring in the do_cgi() function, while parsing the requested cgi module name. An attacker may execute arbitrary code on the device with administrative privileges, by supplying a malicious cgi module name in the URL.

The do_cgi function, in order to identify the module to be executed, copies the module name on the stack. However, it does not check whether the length of the supplied module name fits in the allocated buffer (see picture).

Dsl D Link For Mac Os

A long cgi module name will overwrite the return address saved on the stack, allowing for a classical stack buffer overflow which is easy to exploit.

D-link For Mac

The do_cgi() function can, in principle, only be accessed after authentication. However, unauthenticated exploitation of this vulnerability is possible by combining it with CVE-2020-9277. In the picture below we exploit this vulnerability without authentication, execute a reverse shell payload.

Dsl D Link For Mac Download

While the vulnerability is potentially exploitable via browser pivoting, exploitation may not be trivial due to the URL mangling introduced by the browser when applying URL encoding on the outgoing requests.

Sharedblog887