A hard-coded password vulnerability exists in the Libcli Test Environment functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to code execution. An attacker can send a sequence of requests to trigger this vulnerability.
D-LINK DIR-3040 1.13B03
10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-798 - Use of Hard-coded Credentials
The DIR-3040 is an AC3000-based wireless internet router.
A hidden telnet service can be started without authentication by visiting
This service presents the user with a login prompt for their “libcli test environment”:
$ telnet 192.168.0.1 Trying 192.168.0.1... Connected to 192.168.0.1. Escape character is '^]'. dlinkrouter login: admin Password:
From here, a user can interact with the Libcli environment using their password with the static-salt discussed in this series of vulnerabilites.
While this is typically the same password that was created using the setup wizard, a default password can be used to login before this is changed.
The current password at any time can be found unencrypted in
/var/2860_data.dat. There is a default password that will allow you to access the
Libcli test environment via
$ telnet 192.168.100.1 Trying 192.168.100.1... Connected to 192.168.100.1. Escape character is '^]'. dlinkrouter login: admin Password: libcli test environment router> help Show available commands quit Disconnect history Show a list of previously run commands protest protest cmd iwpriv iwpriv cmd ifconfig ifconfig cmd iwconfig iwconfig cmd reboot reboot cmd brctl brctl cmd ated ated cmd ping ping cmd router>
2021-04-28 - Vendor disclosure
2021-05-12 - Vendor acknowledged
2021-06-08 - Vendor provided patch for Talos to test
2021-06-09 - Talos provided feedback on patch
2021-06-23 - Talos follow up with vendor
2021-07-13 - Vendor patched
2021-07-15 - Public Release
Discovered by Dave McDaniel of Cisco Talos.