devolo dLAN 500 AV Wireless+ Authentication Bypass Vulnerability Allowing Remote Code Execution

Vulnerability

An authentication bypass vulnerability has been identified in the devolo dLAN 500 AV Wireless+ version 3.1.0-1. This vulnerability allows attackers to exploit the htmlmgr CGI script to enable hidden services such as telnet and remote shell access. By manipulating system configuration parameters, attackers can gain root access without a password, reboot the device, and execute arbitrary code with elevated privileges.

Impact

Exploitation of this vulnerability leads to unauthorized root access on the device, allowing for arbitrary code execution with full system privileges. Additionally, the vulnerability can be exploited to enable deprecated services such as telnet, creating further security risks.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/cgi-bin/htmlmgr' endpoint. The request must include parameters to enable telnet and the remote maintenance shell. After activating these services, the device can be rebooted through the same CGI script, which will open the telnet service on port 23. Once the device has restarted, it is possible to log in as the 'root' user without a password, gaining complete access to the device.
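A defender-side check for the sequence described above, as an added example that is not part of the original advisory: it flags a POST to '/cgi-bin/htmlmgr' that is followed by an established connection to port 23 on the same device. The key=value record format, the sample lines, the field names and the 15-minute window are constructed assumptions; records are assumed to be in time order.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical key=value network-sensor format.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z http src=10.0.0.50 dst=192.168.1.20 method=POST uri=/cgi-bin/htmlmgr status=200
2025-01-10T09:00:07Z http src=10.0.0.50 dst=192.168.1.20 method=POST uri=/cgi-bin/htmlmgr status=200
2025-01-10T09:02:30Z conn src=10.0.0.50 dst=192.168.1.20 dport=23 state=established
2025-01-10T09:05:00Z http src=10.0.0.7 dst=192.168.1.21 method=GET uri=/cgi-bin/htmlmgr status=200
2025-01-10T09:06:00Z conn src=10.0.0.7 dst=192.168.1.21 dport=80 state=established
2025-01-10T11:00:00Z http src=10.0.0.9 dst=192.168.1.22 method=POST uri=/cgi-bin/htmlmgr status=200
2025-01-10T13:30:00Z conn src=10.0.0.9 dst=192.168.1.22 dport=23 state=established
"""

WINDOW = timedelta(minutes=15)  # assumed allowance for the device reboot
FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split one record into (timestamp, kind, fields)."""
    ts, kind, rest = line.split(" ", 2)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, kind, dict(FIELD.findall(rest))

def detect(log_text, window=WINDOW):
    """Return alerts where a POST to htmlmgr precedes telnet on the same device."""
    last_post = {}  # device IP -> (time, source) of the most recent htmlmgr POST
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        when, kind, f = parse(line)
        if kind == "http":
            path = f.get("uri", "").split("?", 1)[0]  # ignore any query string
            if f.get("method") == "POST" and path == "/cgi-bin/htmlmgr":
                last_post[f["dst"]] = (when, f["src"])
        elif kind == "conn" and f.get("dport") == "23" and f.get("state") == "established":
            seen = last_post.get(f["dst"])
            if seen and timedelta(0) <= when - seen[0] <= window:
                alerts.append({"device": f["dst"], "post_src": seen[1],
                               "telnet_src": f["src"],
                               "gap_s": int((when - seen[0]).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Any established connection to port 23 on these devices is worth investigating on its own, since the advisory describes telnet as a hidden service that is not normally reachable.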

Added: Dec 24, 2025, 8:26 PM
Updated: Dec 24, 2025, 9:31 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.