Improper access control in D-link Firmware DIR-601

Loginsoft-2020-1009

31 March, 2020

CVE Number

CWE

CWE-284: Improper Access Control

Product Details

D-Link introduces the Wireless N 150 Home Router (DIR-601), which delivers high performance end-to-end wireless connectivity based on Wireless N technology. The DIR-601 provides better wireless coverage and improved speeds over previous-generation Wireless G*. Upgrading your home network to Wireless N 150 provides an excellent solution for experiencing better wireless performance while sharing a broadband Internet connection with multiple computers over a secure wireless network.

URL: http://www.dlink.cc/d-link-reviews/d-link-dir-601-wireless-router-overview-and-user-reviews.html

Vulnerable Firmware Versions

2.02NA

Hardware

B1

Vulnerability Details

The software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor.

Analysis

Steps to reproduce:

Method 1

  • Log in as a user and visit http://192.168.0.1/tools_admin.htm .
  • Right-click on the admin “password” input field and click on Inspect Element.
  • Modify the input field by removing the “disable” attribute; repeat the same for the “verify password” input field and the “save settings” button.
  • Enter new values in the now-available input fields and click on submit. The password will be updated with the supplied values.

Method 2

  • Log in as admin and visit http://192.168.0.1/tools_admin.htm .
  • Intercept and record the request to change the admin password.
  • Log in as a user and replay the recorded request; the admin’s password will be updated.
Exploitation

As part of the exploitation, the attacker (user account) can change the admin’s “password” and, similarly, the other available settings and configurations.

Mitigation

  • A proper access control check needs to be employed before processing the request.
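
The check called for in the mitigation, shown beside the behaviour described in the analysis. This is an added example, not D-Link firmware code and not part of the original advisory; the action names, session ids and handler functions are hypothetical, and the role table generalizes the check from the admin password to the other settings with a default deny.

```python
"""Server-side authorization for settings changes (added illustration)."""

ADMIN, USER = "admin", "user"

# Constructed server-side session table: session id -> role.
SESSIONS = {"sid-admin": ADMIN, "sid-user": USER}

def new_state():
    # Constructed device settings used as sample data.
    return {"admin_password": "old-admin-pw", "wifi_ssid": "home"}

# Hypothetical action names; each action lists the roles allowed to invoke it.
REQUIRED_ROLES = {
    "set_admin_password": {ADMIN},
    "set_wifi_ssid": {ADMIN},
    "view_status": {ADMIN, USER},
}

def handle_weak(state, session_id, action, form):
    """'Before': any logged-in session is trusted; only the page disables the form."""
    if session_id not in SESSIONS:
        return 401
    return _apply(state, action, form)

def handle_checked(state, session_id, action, form):
    """Role comes from the server-side session and is checked before processing."""
    role = SESSIONS.get(session_id)
    if role is None:
        return 401
    if role not in REQUIRED_ROLES.get(action, set()):  # unlisted action: deny
        return 403
    return _apply(state, action, form)

def _apply(state, action, form):
    if action == "set_admin_password":
        if not form.get("password") or form.get("password") != form.get("verify"):
            return 400
        state["admin_password"] = form["password"]
    elif action == "set_wifi_ssid":
        state["wifi_ssid"] = form["ssid"]
    return 200

def replay_as_user(handler):
    """Submit one password-change body from a user session; return (status, stored pw)."""
    state = new_state()
    form = {"password": "changed", "verify": "changed"}  # constructed request body
    status = handler(state, "sid-user", "set_admin_password", form)
    return status, state["admin_password"]
```

Both methods in the analysis deliver the same request body from a user session, so a check keyed on the session's role rejects either one regardless of how the form was rendered.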

Vendor Disclosure:

Credit

Discovered by ACE Team – Loginsoft