Unrated severity · NVD Advisory · Published Jul 2, 2019 · Updated Aug 5, 2024

CVE-2017-8415

Description

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom telnet daemon as part of BusyBox, which retrieves the password from the shadow file using the function getspnam at address 0x00053894. It then performs a crypt operation on the password supplied by the user at address 0x000538E0 and a strcmp at address 0x00053908 to check whether the password is correct. However, the /etc/shadow file is part of a CRAM-FS filesystem, which means the user cannot change the password, and hence a hardcoded hash in /etc/shadow is used to match the credentials provided by the user. This is a salted hash of the string "admin", so it acts as a password to the device that cannot be changed because the whole filesystem is read-only.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

D-Link DCS-1100 and DCS-1130 devices use a hardcoded, unchangeable password hash from a read-only filesystem, allowing authentication bypass.

Vulnerability

The D-Link DCS-1100 and DCS-1130 devices (exact firmware versions not specified) contain a custom telnet daemon as part of BusyBox. The daemon retrieves the password hash from /etc/shadow using the getspnam function at address 0x00053894, then performs a crypt operation on the user-provided password at address 0x000538E0 and compares it with the stored hash via strcmp at address 0x00053908. Because the /etc/shadow file resides on a CRAMFS read-only filesystem, the password hash cannot be changed by the user. The hash is a salted hash of the string "admin", effectively making "admin" the hardcoded, unchangeable password [1] [2].
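An added example (not from the advisory or from D-Link): a firmware-audit check for the condition described above, a password-enabled /etc/shadow entry stored on a cramfs image. The sample image header and shadow lines are constructed, and the md5-crypt scheme shown is an assumption, since the advisory only says "salted hash".

```python
import struct

CRAMFS_MAGIC = 0x28CD3D45              # cramfs superblock magic
CRAMFS_SIGNATURE = b"Compressed ROMFS"  # signature at superblock offset 16
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}

def is_cramfs(image: bytes) -> bool:
    """True if a cramfs superblock starts at offset 0 or 512 of the image."""
    for off in (0, 512):
        sb = image[off:off + 32]
        if len(sb) == 32 and sb[16:] == CRAMFS_SIGNATURE:
            magics = (struct.unpack("<I", sb[:4])[0], struct.unpack(">I", sb[:4])[0])
            if CRAMFS_MAGIC in magics:  # accept either byte order
                return True
    return False

def hash_scheme(field: str):
    """Classify a shadow password field; None means password login is disabled."""
    if field == "":
        return "empty-password"
    if field[0] in "!*":
        return None
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], "other-modular")
    return "des-crypt" if len(field) == 13 else "unknown"

def audit(image: bytes, shadow_text: str):
    """List accounts with a usable password hash and whether it can be changed."""
    read_only = is_cramfs(image)
    findings = []
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        scheme = hash_scheme(parts[1])
        if scheme:
            findings.append({"user": parts[0], "scheme": scheme,
                             "changeable": not read_only})
    return findings

# Constructed sample data: a minimal cramfs superblock header and shadow lines
# with a placeholder (not real) hash; md5-crypt is an assumed scheme.
SAMPLE_IMAGE = struct.pack("<4I", CRAMFS_MAGIC, 4096, 0, 0) + CRAMFS_SIGNATURE
SAMPLE_SHADOW = "admin:$1$CONSTRUC$PLACEHOLDERHASH0000000:10933:0:99999:7:::\nnobody:*:10933:0:99999:7:::\n"

if __name__ == "__main__":
    for f in audit(SAMPLE_IMAGE, SAMPLE_SHADOW):
        print(f)
```

A finding with `changeable` set to `False` is the pattern in this CVE: a login-enabled hash that no user action on the device can replace.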

Exploitation

An attacker with network access to the device can connect to the telnet service and authenticate using the credentials admin / admin, since the hash matches that default password. No authentication bypass or privilege escalation is required; the attacker simply uses the known default credentials that cannot be altered [1] [2].

Impact

Successful authentication via telnet grants the attacker a shell with elevated privileges (likely root, as typical for embedded device telnet daemons). This leads to full compromise of the device, including the ability to read sensitive data, modify device configuration (if not fully read-only), and potentially use the device as a pivot point in the network [1] [2].

Mitigation

D-Link has not released firmware updates for the DCS-1100 and DCS-1130 (both devices appear to be end-of-life). No official patch exists. The only effective mitigation is to disable the telnet service on the device (if possible via web interface) or isolate the device on a separate, restricted network segment. The device should not be exposed to the internet [1] [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

3
