CVE-2020-15896:Authentication Bypass in D-link Firmware DAP-1522

Authentication Bypass in D-link Firmware DAP-1522

Loginsoft-2020-1007

23 July, 2020

CVE Number

CVE-2020-15896

CWE

CWE-288: Authentication Bypass Using an Alternate Path or Channel

Product Details

D-Link DAP-1522 Wireless N Dual Band Access Point and Ethernet Bridge, DAP-1522 allows you to easily connect up to 4 Ethernet-enabled devices in your entertainment center to your wireless network. Connect devices such as Game Consoles, Digital Video Recorders (DVR), and Digital Media Adapters (DMA) to the built-in 4-Port Gigabit Switch.

URL: https://legacy.us.dlink.com/pages/product.aspx?id=d1d3d17dda4c47eca25e39a4cfc39827

Vulnerable Firmware Versions

1.41 & 1.42 (Latest)

Hardware

A1

Vulnerability Details

Authentication bypass vulnerability exists in D’link DAP 1522 access point, allowing an attacker to gain unauthorized access to the web interface.

SYNOPSIS

There exist few pages, which are directly accessible by any un-authorized user. Few of them being logout.php, login.php etc. The same is being accomplished by checking the value of NO_NEED_AUTH.
If the value of `NO_NEED_AUTH` is 1, the user is directly authenticated to the webpage without any authentication.
Unfortunately, the same being applicable for other protected pages too. By appending a query string `NO_NEED_AUTH` with the value of 1 to any protected URL, any unauthorized user can access the application directly.

Analysis

Payload – NO_NEED_AUTH=1

POC –
Protected Webpage – http://192.168.0.1/bsc_lan.php
Authentication Bypass – http://192.168.0.1/bsc_lan.php?NO_NEED_AUTH=1&AUTH_GROUP=0

Exploitation:

An attacker can be anyone connected to the network & able to access the router login page. The above-mentioned payload needs to be appended to any protected webpage to gain unauthorized access to the interface, affecting all the elements of the VIA triad.

Vendor Disclosure: 9 february 2019

Credit

Discovered by ACE Team – Loginsoft