D-Link DCS-6517 and DCS-7517 Root Password Vulnerability via Insufficient Entropy
Vulnerability
A vulnerability has been identified in D-Link DCS-6517 and DCS-7517 cameras, in versions through 2.02.0. The issue arises in the function 'generate_pass_from_mac' within the '/bin/httpd' file, part of the Root Password Generation Handler component. This vulnerability leads to insufficient entropy in password generation, allowing for the creation of predictable passwords. As a result, an attacker can gain unauthorized administrative access by exploiting this weakness. The vulnerability can be exploited remotely, but the attack's complexity is considered high.
Impact
Exploitation of this vulnerability allows for unauthorized administrative access on the affected devices, with full root privileges granted to the attacker.
Reproduction
The vulnerability can be reproduced by accessing the '/bin/httpd' binary, which calls the 'generate_pass_from_mac' function in the 'libnvram.so' shared library. This function generates a password for the root user based on the device's MAC address, using a predictable algorithm that can be reversed to obtain the static password. The generated password hash is written to the '/etc/passwd' file, creating a root user entry that can be used to gain administrative access.
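The weakness described above next to a hardened alternative, as an added example that is not the firmware's or D-Link's code. `weak_pass_from_mac` is a hypothetical stand-in for any MAC-only derivation (it is not the `generate_pass_from_mac` algorithm), `strong_pass_random` and `is_mac_derived` are likewise assumed names, and the MAC value is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASS_LEN 16
static const char ALPHABET[] = /* 62 symbols */
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
typedef int (*pass_gen_fn)(const uint8_t mac[6], char out[PASS_LEN + 1]);

/* Weak pattern (hypothetical stand-in, NOT the firmware's algorithm):
 * every output character is a pure function of the six MAC bytes. */
int weak_pass_from_mac(const uint8_t mac[6], char out[PASS_LEN + 1]) {
    uint32_t state = 0;
    for (int i = 0; i < PASS_LEN; i++) {
        state = state * 31u + mac[i % 6] + (uint32_t)i;
        out[i] = ALPHABET[state % 62u];
    }
    out[PASS_LEN] = '\0';
    return 0;
}

/* Hardened pattern: the password comes from the kernel CSPRNG and ignores
 * the MAC. Bytes >= 248 (4 * 62) are rejected to avoid modulo bias. */
int strong_pass_random(const uint8_t mac[6], char out[PASS_LEN + 1]) {
    (void)mac;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    int n = 0;
    while (n < PASS_LEN) {
        int c = fgetc(f);
        if (c == EOF) { fclose(f); return -1; }
        if (c < 248) out[n++] = ALPHABET[c % 62];
    }
    out[PASS_LEN] = '\0';
    fclose(f);
    return 0;
}

/* Provisioning check: 1 if two runs for the same MAC give the same password
 * (credential derivable from the MAC), 0 if they differ, -1 on error. */
int is_mac_derived(pass_gen_fn gen, const uint8_t mac[6]) {
    char a[PASS_LEN + 1], b[PASS_LEN + 1];
    if (gen(mac, a) != 0 || gen(mac, b) != 0) return -1;
    return strcmp(a, b) == 0;
}

int main(void) {
    const uint8_t mac[6] = {0x00, 0x00, 0x5E, 0x00, 0x53, 0x01}; /* constructed */
    printf("weak flagged: %d\n", is_mac_derived(weak_pass_from_mac, mac));
    printf("hardened flagged: %d\n", is_mac_derived(strong_pass_random, mac));
    return 0;
}
```

On a device that sets the password at first boot, `getrandom()` with flags `0` is preferable to reading `/dev/urandom`, because it blocks until the kernel pool has been seeded.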
