D-Link DIR-605L and DIR-816L Hardcoded Credentials in Telnet Service Allow Remote Command Execution

Vulnerability

A vulnerability exists in the Telnet service of the D-Link DIR-605L (version 2.13B01) and DIR-816L (version 2.06B01) routers. The service uses hardcoded credentials, which allow attackers to remotely execute arbitrary commands. The credentials can be recovered by analyzing the router's firmware.

Impact

Exploitation of this vulnerability allows for remote command execution on the affected router.

Reproduction

The vulnerability can be reproduced by extracting the router's firmware using a tool like Binwalk, which reveals a SquashFS file system. After extracting the firmware, grepping for 'Alphanetworks' leads to the Telnet daemon initialization script, which shows that the Telnet service is started with the user 'Alphanetworks'. The password for this user is hardcoded and can be found in a file called 'image_sign' within the firmware. Once the password is obtained, it can be used to log into the Telnet service and execute commands remotely.
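For firmware review, the pattern described above can be checked for automatically. The following is an added example, not code from the advisory or from D-Link: it walks an already-extracted root file system, reports every script line that starts `telnetd`, and notes whether the line names the fixed user and whether the script reads a file that ships inside the image. The sample tree, its paths, the `telnetd` option syntax and the secret value are constructed placeholders, since the page does not reproduce the script.

```python
import os
import re
import tempfile

CAT_RE = re.compile(r"cat\s+(/[\w./-]+)")  # absolute paths a script reads with cat

def audit_rootfs(root, user_marker="Alphanetworks"):
    """Return one finding per script line in `root` that starts telnetd."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # extracted images often contain dangling symlinks
            with open(path, "rb") as fh:
                data = fh.read(65536)
            if b"\0" in data or b"telnetd" not in data:
                continue  # skip binaries and unrelated files
            text = data.decode("utf-8", "replace")
            # Files the script reads that are baked into the image itself
            shipped = [p for p in CAT_RE.findall(text)
                       if os.path.isfile(os.path.join(root, p.lstrip("/")))]
            for no, line in enumerate(text.splitlines(), 1):
                stripped = line.strip()
                if stripped.startswith("#") or not re.search(r"\btelnetd\b", stripped):
                    continue
                findings.append({"script": os.path.relpath(path, root), "line": no,
                                 "fixed_user": user_marker in stripped,
                                 "secret_files": shipped})
    return findings

def build_sample(root):
    """Constructed sample tree: paths, options and secret are placeholders."""
    os.makedirs(os.path.join(root, "etc/init.d"))
    os.makedirs(os.path.join(root, "etc/config"))
    with open(os.path.join(root, "etc/config/image_sign"), "w") as fh:
        fh.write("PLACEHOLDER-SECRET\n")
    with open(os.path.join(root, "etc/init.d/telnet.sh"), "w") as fh:
        fh.write("#!/bin/sh\n"
                 "# telnetd is started at boot\n"
                 "sign=`cat /etc/config/image_sign`\n"
                 "telnetd -u Alphanetworks:$sign &\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_rootfs(build_sample(tmp)):
            print(finding)
```

A finding with `fixed_user` set and a non-empty `secret_files` list means both the account name and the material its password is derived from are identical on every device running that image.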

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.