DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure Scanner
This scanner detects the DSL-124 Wireless N300 ADSL2+ improper file process issue in digital assets. It checks whether the router's backup configuration file can be downloaded without authorization, which may expose sensitive router settings.
Short Info
Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 10 hours
Scan only one: Domain, Subdomain, IPv4
The DSL-124 Wireless N300 ADSL2+ is a router device produced by D-Link and is typically used in home and small office environments to provide internet connectivity and wireless access. It supports high-speed broadband access with ADSL2+ technology and provides wireless connectivity through the 802.11n standard. This router also offers firewall protection, multiple SSIDs, and advanced configuration through a web interface. The device is frequently used by residential users and small businesses that require basic networking capabilities. It features a simple setup and is commonly distributed by ISPs to end users. The web interface is often the primary access point for managing network settings and configurations.
This scanner checks for a specific issue where the DSL-124 Wireless N300 ADSL2+ router allows unauthorized users to download a backup of its configuration file. This problem can result in exposure of sensitive information such as Wi-Fi passwords, administrative credentials, and network configurations. Since the router does not enforce authentication on the backup file request, attackers can exploit this to gain unauthorized access. The issue is a clear violation of secure configuration standards and exposes users to further network-level threats. Public exposure of such configuration files can lead to full compromise of the device. The scanner identifies this exposure by simulating a POST request to the vulnerable endpoint.
The vulnerability lies in the `/form2saveConf.cgi` endpoint, which processes a POST request used to download the backup configuration. The request is accepted without authentication, and a successful response contains key indicators like “WLAN_WPA_PSK” and “Config” within a binary file response. The content type returned is typically "application/octet-stream", confirming the presence of a configuration file. No session validation or login mechanism is enforced for this request, allowing anyone with network access to retrieve the file. The presence of router-specific keywords further confirms successful exploitation. Detection relies on pattern-matching the HTTP response body and headers to confirm vulnerability.
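The matching step described above can be run offline against a response that has already been captured. The following is an added example, not the scanner's own code: the markers and content type are the ones named on this page, while the check for status 200, the function names and the sample responses are assumptions constructed for illustration.

```python
# Added example: offline classifier for one captured HTTP response.
# Markers come from the page; the 200 status check and the sample
# responses below are assumptions constructed for illustration.

BODY_MARKERS = (b"WLAN_WPA_PSK", b"Config")
EXPECTED_TYPE = "application/octet-stream"


def media_type(headers):
    """Return the lower-cased media type, ignoring header-name case and parameters."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""


def classify(status, headers, body):
    """Return (exposed, reasons); reasons lists every check that did not match."""
    reasons = []
    if status != 200:
        reasons.append(f"status {status} is not a successful response")
    if media_type(headers) != EXPECTED_TYPE:
        reasons.append("content type is not application/octet-stream")
    missing = [m.decode() for m in BODY_MARKERS if m not in body]
    if missing:
        reasons.append("body lacks marker(s): " + ", ".join(missing))
    return (not reasons, reasons)


# Constructed sample responses (not captured from a real device).
SAMPLES = {
    "backup served": (200, {"Content-Type": "application/octet-stream"},
                      b"<Config>\x00WLAN_WPA_PSK=example-value\x00</Config>"),
    "login page": (200, {"content-type": "text/html; charset=utf-8"},
                   b"<html><title>Config Login</title></html>"),
    "auth enforced": (401, {"Content-Type": "text/html"}, b"Unauthorized"),
}

if __name__ == "__main__":
    for label, (status, headers, body) in SAMPLES.items():
        exposed, reasons = classify(status, headers, body)
        print(label, "->", "EXPOSED" if exposed else "ok", reasons)
```

Requiring all three conditions together keeps a login page that merely contains the word "Config" from being reported as an exposed backup.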
If exploited, the vulnerability may result in significant security risks. Unauthorized parties can gain access to router administrative credentials and Wi-Fi passwords. Attackers can manipulate router configurations or establish persistence in a network. Additionally, exposure of internal settings can facilitate man-in-the-middle attacks, DNS hijacking, or lateral movement within the network. It could also lead to legitimate users completely losing control of the device. This poses a critical risk, especially in environments where the router controls multiple connected systems.