Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Insecure Authentication Practices in D-LINK DIR-601 Router, Hardware version A1, Firmware Version 1.02NA (CVE-2018-10641).md

ANNOUNCING CVE-2018-10641

I am announcing a vulnerability that I found in the D-Link model DIR-601 home router. The hardware version is A1 and the firmware is 1.02NA.

Model: D-Link DIR-601

Hardware Version: A1

Firmware Version: 1.02NA

The data (as submitted to Mitre, Full Disclosure Mailing List, and Exploit-DB) is below:

Vulnerability Announcement

Suggested Description

D-Link DIR-601 A1 1.02NA devices do not require the old password for a password change, which occurs in cleartext.

Additional Information

Insecure Authentication Practices in D-LINK DIR-601 Router, Hardware version A1, Firmware Version 1.02NA

When logging into the router, the authentication module passes the username and password BASE64 encoded vice encrypted. When changing the password a) no current password is required; and b) it passes the new password and username in plain text. There is also no support for HTTPS connections to the router.

Due to no schedule viability D-Link asks that two items are mentioned in disclosure:

  1. For this out of service router, users are encouraged too used DD-WRT firmware here
  2. They can contact support@dlink.com for the latest information on updates. VULNERABILITYTYPE Other: Weak Authentication and No HTTPS support

Vendor of Product

D-Link

Affected Product Code Base

DIR 601 - Hardware A1, Firmware 1.02NA

Affected Component

Login, Password Changing

Attack Type

Context-dependent

Impact Information Disclosure

True

Attack Vectors

To exploit this, an attacker must have a proxy or man-in-the-middle attack completed and be able to discern the URLs to intercept passed parameters.

Has vendor confirmed or acknowledged the vulnerability?

True

Discoverer

Joe Gray

Remediation

Due to no schedule viability D-Link asks that two items are mentioned in disclosure:  

  1. For this out of service router, users are encouraged to use DD-WRT firmware here https://www.dd-wrt.com/site/support/router-database
  2. They can contact mailto:support@dlink.com for the latest information on updates.

References

Technically Verbose Explanation

  • Exploit Title: Insecure Authentication Practices in D-LINK DIR-601 Router, Hardware version A1, Firmware Version 1.02NA
  • Google Dork: N/A
  • Date: May 3, 2018
  • Exploit Author: Joe Gray (C_3PJoe)
  • Vendor Homepage: http://us.dlink.com/
  • Software Link: ftp://ftp2.dlink.com/PRODUCTS/DIR-601/REVA/DIR-601_REVA_FIRMWARE_1.02.ZIP
  • Version: Hardware Version A1, Firmware Version 1.02NA
  • Tested on: D-Link DIR-601 Router
  • CVE : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10641  

1. DESCRIPTION

Having network access, although unauthenticated, attackers can ascertain the username and password. With access to the URLs visited by the configuring host via proxy or MITM, the username and password are passed BASE64 encoded for login and in clear text for password resets. Note: A current password is not required to reset the admin password.  

2. PROOF OF CONCEPT

(For proof of concept, the real Admin password is "123test123test123")

Step 1: Access default gateway/router login page

 

Step 2: Admin logs in and the following is passed:

POST /login.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/login_auth.asp
Content-Type: application/x-www-form-urlencoded
Content-Length: 154
Connection: close
Upgrade-Insecure-Requests: 1
 
html_response_page=login_fail.asp&login_name=YWRtaW4A&login_pass=MTIzdGVzdDEyM3Rlc3Qx&graph_id=31a96&log_pass=MTIzdGVzdDEyM3Rlc3Qx&graph_code=&login=Login

NOTE: Notice that the decoded password is truncated to 15 characters.  

Step 3: Should you want to change the password, the existing password is not required. 

 

Step 4: In changing the password, the following is passed:

  POST /apply.cgi HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.0.1/tools_admin.asp Content-Type: application/x-www-form-urlencoded Content-Length: 1023 Connection: close Upgrade-Insecure-Requests: 1   html_response_page=back.asp&html_response_message=The+setting+is+saved.&html_response_return_page=login.asp&reboot_type=none&inbound_filter_name_00=&inbound_filter_name_01=&inbound_filter_name_02=&inbound_filter_name_03=&inbound_filter_name_04=&inbound_filter_name_05=&inbound_filter_name_06=&inbound_filter_name_07=&inbound_filter_name_08=&inbound_filter_name_09=&inbound_filter_name_10=&inbound_filter_name_11=&inbound_filter_name_12=&inbound_filter_name_13=&inbound_filter_name_14=&inbound_filter_name_15=&inbound_filter_name_16=&inbound_filter_name_17=&inbound_filter_name_18=&inbound_filter_name_19=&inbound_filter_name_20=&inbound_filter_name_21=&inbound_filter_name_22=&inbound_filter_name_23=&button1=Save+Settings&admin_password=123test123test1&admin_password1=123test123test1&admPass2=123test123test1&user_password=WDB8WvbXdHtZyM8Ms2RENgHlacJghQyG&user_password1=WDB8WvbXdH&usrPass2=WDB8WvbXdH&hostname=mothership&graph_auth_enable=0&remote_http_management_enable=0&remote_http_management_inbound_filter=Allow_All  

Step 5: I verified that I could login with both '123test123test123' and '123test123test1'

 

3. SOLUTION:

N/A. Unknown as of the moment

Due to no schedule viability D-Link asks that two items are mentioned in disclosure:  

  1. For this out of service router, users are encouraged to use DD-WRT firmware here https://www.dd-wrt.com/site/support/router-database
  2. They can contact mailto:support@dlink.com for the latest information on updates.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.