### Critical Vulnerability Information

#### Affected Versions

- DNS-320 - Version 1.00
- DNS-320LW - Version 1.01.0914.2012
- DNS-325 - Versions 1.01 and 1.02
- DNS-340L - Version 1.08

#### Affected Component

These vulnerabilities reside in `account_mgr.cgi`, where the `cmd` parameter determines which code branch is executed.

#### Vulnerability Details

1. **Controlling Which Branch is Executed**:

   ```c
   if ( !strcmp(s, "cgi_open_tree") )
     cgi_open_tree();
   else if ( !strcmp(s, "cgi_open_new_folder") )
     cgi_open_new_folder();
   else if ( !strcmp(s, "cgi_user_add") )
     cgi_user_ADD();
   else if ( !strcmp(s, "cgi_user_list") )
     cgi_user_list();
   else if ( !strcmp(s, "cgi_add_session") )
   ```

2. **Bypassing `check_login()` Authentication**:
   - The `wfc_chkTime()` function always returns success, even if the user is not logged in. Direct access to the CGI will cause `check_login()` to succeed.

   ```c
   int check_login()
   {
     int v2; // [sp+4h] [bp-10h]
     char v3[16]; // [sp+Bh] [bp-5h] BYREF

     wfc_chkTime();
     return 1;
   }
   ```

3. **Submitting Passwords to Control System Parameters**:
   - Passwords can be submitted to control system parameters.

   ```c
   else if ( !strcmp(s, "__cgi_chg_admin_pw") )
     __cgi_chg_admin_pw();
   else if ( !strcmp(s, "_cgi_chg_admin_pw") )
     _cgi_chg_admin_pw();
   else if ( !strcmp(s, "cgi_nfs_enable") )
     cgi_nfs_enable();
   ```

#### PoC & EXP (Combined for Four Vulnerabilities)

- Vulnerability testing is determined by `vulnpoint_template`.
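
A fail-closed counterpart to the `cmd` dispatch and `check_login()` shown under Vulnerability Details, added here as an illustration and not taken from the affected firmware or the original advisory. The `struct session`, the role levels, and the stub handlers are assumptions; only the command names come from the listings above.

```c
#include <stddef.h>
#include <string.h>
enum status { CMD_OK, CMD_DENIED, CMD_UNKNOWN };
enum role   { ROLE_NONE, ROLE_USER, ROLE_ADMIN };

/* Hypothetical session record; a real one would come from a validated cookie. */
struct session { int valid; enum role role; };

static int handlers_run;                 /* counts handler invocations */
static int h_user_list(void)    { handlers_run++; return CMD_OK; }
static int h_user_add(void)     { handlers_run++; return CMD_OK; }
static int h_chg_admin_pw(void) { handlers_run++; return CMD_OK; }

struct cmd_entry { const char *name; enum role min_role; int (*handler)(void); };

/* Command names come from the listings on the page; the roles are assumptions. */
static const struct cmd_entry cmd_table[] = {
    { "cgi_user_list",     ROLE_USER,  h_user_list    },
    { "cgi_user_add",      ROLE_ADMIN, h_user_add     },
    { "_cgi_chg_admin_pw", ROLE_ADMIN, h_chg_admin_pw },
};

/* Unlike the decompiled check_login(), the session state decides the result. */
static int check_login(const struct session *s)
{
    return s != NULL && s->valid;
}

/* Authenticate, look up the command, then authorize, all before the handler. */
int dispatch(const char *cmd, const struct session *s)
{
    size_t i;
    if (cmd == NULL || !check_login(s))
        return CMD_DENIED;               /* fail closed: no handler runs */
    for (i = 0; i < sizeof cmd_table / sizeof cmd_table[0]; i++) {
        if (strcmp(cmd, cmd_table[i].name) != 0)
            continue;
        if (s->role < cmd_table[i].min_role)
            return CMD_DENIED;           /* logged in, but not privileged */
        return cmd_table[i].handler();
    }
    return CMD_UNKNOWN;                  /* not on the allow-list */
}

int main(void)
{
    struct session anon = { 0, ROLE_NONE };  /* constructed: no login */
    return dispatch("_cgi_chg_admin_pw", &anon) == CMD_DENIED ? 0 : 1;
}
```

The property to verify on a patched build is the one `handlers_run` tracks here: a request without a valid session must be rejected before any command handler executes.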