CVE-2017-8415

CRITICAL

D-Link DCS-1100 and DCS-1130 - Use of Hard-coded Credentials

Title source: llm

Description

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom telnet daemon as a part of the busybox and retrieves the password from the shadow file using the function getspnam at address 0x00053894. Then performs a crypt operation on the password retrieved from the user at address 0x000538E0 and performs a strcmp at address 0x00053908 to check if the password is correct or incorrect. However, the /etc/shadow file is a part of CRAM-FS filesystem which means that the user cannot change the password and hence a hardcoded hash in /etc/shadow is used to match the credentials provided by the user. This is a salted hash of the string "admin" and hence it acts as a password to the device which cannot be changed as the whole filesystem is read only.

References (3)

Core 3

Core References

Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq

https://seclists.org/bugtraq/2019/Jun/8

Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html

Not Applicable, Third Party Advisory x_refsource_misc

https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0369

EPSS Percentile 88.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-798

Status published

Products (2)

dlink/dcs-1100_firmware

dlink/dcs-1130_firmware

Published Jul 02, 2019

Tracked Since Feb 18, 2026