Authentication Bypass in D-link Firmware DAP-1522
23 July, 2020
CWE-288: Authentication Bypass Using an Alternate Path or Channel
D-Link DAP-1522 Wireless N Dual Band Access Point and Ethernet Bridge, DAP-1522 allows you to easily connect up to 4 Ethernet-enabled devices in your entertainment center to your wireless network. Connect devices such as Game Consoles, Digital Video Recorders (DVR), and Digital Media Adapters (DMA) to the built-in 4-Port Gigabit Switch.
Vulnerable Firmware Versions
1.41 & 1.42 (Latest)
Authentication bypass vulnerability exists in D’link DAP 1522 access point, allowing an attacker to gain unauthorized access to the web interface.
There exist few pages, which are directly accessible by any un-authorized user. Few of them being logout.php, login.php etc. The same is being accomplished by checking the value of NO_NEED_AUTH.
If the value of `NO_NEED_AUTH` is 1, the user is directly authenticated to the webpage without any authentication.
Unfortunately, the same being applicable for other protected pages too. By appending a query string `NO_NEED_AUTH` with the value of 1 to any protected URL, any unauthorized user can access the application directly.
Payload – NO_NEED_AUTH=1
Protected Webpage – http://192.168.0.1/bsc_lan.php
Authentication Bypass – http://192.168.0.1/bsc_lan.php?NO_NEED_AUTH=1&AUTH_GROUP=0
An attacker can be anyone connected to the network & able to access the router login page. The above-mentioned payload needs to be appended to any protected webpage to gain unauthorized access to the interface, affecting all the elements of the VIA triad.
Vendor Disclosure: 9 february 2019
Discovered by ACE Team – Loginsoft