DDNS vulnerability

Hi

I was able to set up a test “phishing” (not really phishing because there is no backend) page on your DDNS because of a vulnerability!

Here you can see this video with proof.

To check it run following script:

#!/bin/bash
# Posted check script: sends a dyndns-style /nic/update request to the GL DDNS
# server, authenticating with the device MAC address and serial number.
# Any colons in the MAC are stripped before it is used.

read -r -p "Enter your custom IP address: " CUSTOM_IP
read -r -p "Enter your device MAC address (without colons!): " MAC_ADDRESS
read -r -p "Enter your device serial number: " SERIAL_NUMBER
read -r -p "Enter your DDNS ID: " DDNS_ID

MAC_ADDRESS="${MAC_ADDRESS//:/}"   # tolerate a MAC entered with colons anyway

echo "Please select a method to check DDNS vuln:"
echo "1: Method 1 (MAC as username, serial as password)"
echo "2: Method 2 (MAC and serial concatenated as the username, no password)"
read -r -p "Enter your choice (1 or 2): " METHOD_CHOICE

if [ "$METHOD_CHOICE" == "1" ]; then
    # HTTP Basic auth over plain HTTP: user = MAC, password = serial
    curl --connect-timeout 4 -m 4 "http://${MAC_ADDRESS}:${SERIAL_NUMBER}@ddns.glddns.com/nic/update?hostname=${DDNS_ID}&myip=${CUSTOM_IP}"
elif [ "$METHOD_CHOICE" == "2" ]; then
    # HTTP Basic auth over plain HTTP: user = MAC followed by serial, no password; follows redirects
    curl --connect-timeout 4 -m 4 --location --request GET "http://${MAC_ADDRESS}${SERIAL_NUMBER}@ddns.glddns.com/nic/update?hostname=${DDNS_ID}&myip=${CUSTOM_IP}"
else
    echo "Invalid choice. Exiting."
    exit 1
fi

What kind of vulnerability requires you to have the serial number, device name and the corresponding MAC address?
I don't get what kind of vuln this should be. It's totally OK that you can update the IP by using those values; that's how DDNS works mostly.

What is this ?! I don’t see any vulnerability!

As @admon said the URLs you’re using are the normal ones used for registering devices on GL DDNS.

If you search the forum I have a shell one-linear that does it all.

Let's say this: now, if you have the MAC address and serial number, you can update the DDNS.

This is not very secure, but that is just the design. However, we are enhancing this to add more protections.

The only issue I can see here is that it is not using SSL.

For example you can just google this information and use it for malicious purposes.

Proof (see related photos)

Maybe add some password? And use SSL, because HTTP can be easily intercepted…

No, you can't.

Device ID is only found on the factory partition of the device itself.
Newer devices contain all the information on the label - but what's the point here? If I upload my credit card details - everyone can use it.

The recent firmware has added TLS and HTTP client certificate authentication for the DDNS feature, and we still keep the DDNS server supporting insecure HTTP requests for a period of time in order to be compatible with old firmware.

If that’s what you meant by “vulnerability”, then it is partially true! I would call it an insecure mechanism rather than a vulnerability.

You are right: if someone leaks his device ID and SN, then his device info can be used to register an attacker IP. The attacker can then mimic that victim device’s web admin panel, hoping to phish the victim admin when he logs in.

That’s why you see GL admins on the forum always trying to remove logs and screenshots that contain the SN and device ID.

This is good news! You can make sure that all newer firmware is released with HTTPS support as well. My Spitz running on the latest firmware still has hardcoded http URLs for glddns!

Once you see in the web server logs that fewer users are using http, then I think it is better to turn it off completely.
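Two points in the thread are easy to check with a small script rather than on a live server: what an on-path observer actually sees when the posted curl command is sent over plain HTTP (the MAC and serial are only base64-encoded inside the Basic Authorization header, so anyone who can intercept the request recovers them together with the DDNS ID and the IP being registered), and how to read the update-server logs to judge when plain-HTTP clients have drained away, which is the criterion proposed above for switching HTTP off. The example below is added here and is not code from the thread or from GL.iNet. The captured request is a reconstruction of what curl builds from a user:password@host URL; the MAC, serial, DDNS ID and addresses are made up, and the access-log lines use a hypothetical format that records the scheme in the first field (as an nginx log_format with $scheme would), since the real glddns server logs are not shown anywhere on this page.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed capture of the plaintext request the thread's curl command
# produces. curl turns http://USER:PASS@host/... into an Authorization header,
# so the MAC and serial travel base64-encoded, not encrypted. All values are
# made up for this example.
_MAC = "aabbccddeeff"
_SERIAL = "SN00000001"
CAPTURED_REQUEST = (
    "GET /nic/update?hostname=abcd123&myip=203.0.113.10 HTTP/1.1\r\n"
    "Host: ddns.glddns.com\r\n"
    "Authorization: Basic "
    + base64.b64encode(f"{_MAC}:{_SERIAL}".encode()).decode()
    + "\r\n"
    "User-Agent: curl/8.5.0\r\n"
    "Accept: */*\r\n"
    "\r\n"
)


def parse_update_request(raw):
    """Recover what an interceptor learns from one plaintext /nic/update
    request: the Basic credentials (MAC:serial) and the hostname and IP
    being registered."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    result = {
        "method": method,
        "path": parts.path,
        "hostname": query.get("hostname", [None])[0],
        "myip": query.get("myip", [None])[0],
        "mac": None,
        "serial": None,
    }
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        # Basic auth is base64(user:password); base64 is reversible encoding
        user, _, password = base64.b64decode(token).decode().partition(":")
        result["mac"], result["serial"] = user, password
    return result


# Constructed access-log lines (hypothetical format: scheme, client IP,
# quoted request line, status). Not real glddns logs.
SAMPLE_LOG = """\
http 198.51.100.7 "GET /nic/update?hostname=a1&myip=198.51.100.7 HTTP/1.1" 200
https 198.51.100.8 "GET /nic/update?hostname=b2&myip=198.51.100.8 HTTP/1.1" 200
http 198.51.100.9 "GET /nic/update?hostname=c3&myip=198.51.100.9 HTTP/1.1" 401
https 198.51.100.10 "GET /status HTTP/1.1" 200
"""


def count_update_schemes(log_text):
    """Count /nic/update requests per scheme so an operator can see how many
    clients still use plain HTTP before turning it off."""
    counts = {"http": 0, "https": 0}
    for line in log_text.splitlines():
        fields = line.split(" ", 2)
        if len(fields) < 3 or '"' not in fields[2]:
            continue
        scheme = fields[0]
        request_line = fields[2].split('"')[1]        # e.g. GET /nic/update?... HTTP/1.1
        path = request_line.split(" ")[1]
        if scheme in counts and urlsplit(path).path == "/nic/update":
            counts[scheme] += 1
    return counts


if __name__ == "__main__":
    print(parse_update_request(CAPTURED_REQUEST))
    print(count_update_schemes(SAMPLE_LOG))
```

The first function is the reason the thread keeps coming back to SSL: everything needed to point the victim's DDNS name at an attacker and mimic the admin panel is in one unencrypted request. The second only counts attempts (a 401 still counts as an HTTP client trying), which is what matters for deciding when HTTP can be switched off.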

Of course, we will turn it off at the appropriate time.