Reports of networking vendors hardcoding credentials in their SOHO routers are becoming commonplace. The latest is D-Link, which has hardcoded telnet credentials in plaintext in quite a few of its routers.
Matteo Ignaccolo, the security researcher who disclosed the findings in a post to the Full Disclosure mailing list, revealed that he first discovered the hardcoded credentials back in 2009 in a D-Link DAP 1522 access point. At the time, Ignaccolo neither disclosed the vulnerability to D-Link nor went public with the findings. However, 4 years down the line, with the hardcoded credentials still present, Ignaccolo decided to go public.
Ignaccolo performed a port scan on the default IP address of the D-Link DAP 1522 and found an open telnet port, the credentials for which are not disclosed in the service manual. Using binwalk, Ignaccolo discovered that the firmware contains a Squashfs filesystem, which can be extracted easily using a readily available command.
Next, he performed a grep for the string ‘telnet’, which turned up a reference to a certain “image_sign”. A second grep for “image_sign” led the researcher to “wapnd01_dlink_dap1522”, which is the hardcoded plaintext password for telnet.
Ignaccolo has confirmed that the same password exists on almost all SOHO networking devices tested and that the credentials are functional.
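The two-step grep described above can be automated as a firmware review check run over an extracted filesystem before a device is deployed. The following is an added example, not code from the researcher or from D-Link; the sample tree, its paths, the `TELNET_PASS` variable and the `EXAMPLE_SIGN_VALUE` secret are all constructed for illustration.

```python
import os, re, tempfile

def grep_tree(root, pattern):
    """Return (relative path, stripped line) for every line under root matching pattern."""
    rx, hits = re.compile(pattern), []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # firmware symlinks often point outside the extracted root
            with open(path, errors="ignore") as fh:
                hits += [(os.path.relpath(path, root), l.strip()) for l in fh if rx.search(l)]
    return hits

def audit_telnet_secrets(root):
    """Pass 1: lines mentioning telnet. Pass 2: resolve each $variable on those
    lines to a literal assignment or to a file named after the variable."""
    findings = []
    for script, line in grep_tree(root, r"telnet"):
        for var in sorted(set(re.findall(r"\$\{?(\w+)", line))):
            for src, text in grep_tree(root, r"^\s*%s=" % re.escape(var)):
                value = text.split("=", 1)[1].strip("\"'")
                if value and not re.search(r"[$`]", value):  # literal, no expansion
                    findings.append((script, var, src, value))
            for dirpath, _, files in os.walk(root):
                path = os.path.join(dirpath, var)
                if var in files and not os.path.islink(path):
                    with open(path, errors="ignore") as fh:
                        findings.append((script, var, os.path.relpath(path, root), fh.read().strip()))
    return findings

def build_sample(root):
    """Constructed stand-in for an extracted Squashfs root (hypothetical paths and values)."""
    files = {
        "etc/init.d/S80telnetd.sh": "#!/bin/sh\nimage_sign=`cat /etc/config/image_sign`\n"
                                    'TELNET_PASS="$image_sign" telnetd &\n',
        "etc/config/image_sign": "EXAMPLE_SIGN_VALUE\n",
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

def demo():
    with tempfile.TemporaryDirectory() as root:
        return audit_telnet_secrets(build_sample(root))

if __name__ == "__main__":
    for script, var, src, value in demo():
        print(f"{script}: ${var} resolves to static value {value!r} from {src}")
```

Any finding means the telnet service is started with a secret that ships identically in every copy of the image, which is the condition the article describes.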