Davolink dvw 3200 routers have their login portal up on port 88, the access is password protected, but the password is hardcoded in the HTLM of login page.

The story started in 2018 when Anubhav noticed a very basic flaw the routers of the Korean vendor Davolink. These Davolink dvw 3200 routers have their login portal up on port 88, the access is password protected. Analyzing the code of the page the expert has noticed a function named “clickApply” that included the password in standard base 64 coding. function clickApply(sel) { var user_passwd="YWRtaW4="; var super_passwd="(null)"; document.forms[0].http_passwd.value = encode(document.forms[0].tmp_http_passwd.value);

Scanning the Internet for similar devices using the search engine Zoomeye, he discovered more than 50 routers in Korea are exposed only and are accessible providing the hardcoded password.

The expert reported the issue to the vendor that quickly acknowledged it and responded that they have discontinued the product. The vendor added that a working patch is already available.

The expert published the exploit code on exploit-db.

“Many IoT vendors are not doing the basics right as keeping the password in the HTML source, it is a very basic security issue” concluded Anubhav

“and it is a relevant issue as users in Korea are using it”

Pierluigi Paganini

( Security Affairs – Davolink, hacking)

Share this...

Linkedin Reddit Pinterest

Share On