Security Announcement
DIR-280 - Rev. A1 - Change User Credentials without Authentication
Publication ID: SAP10021
Resolved Status: Yes
Published on: 17 March 2014 11:18 GMT
Last updated on: 11 August 2014 10:20 GMT

Overview

The DIR-280 Rev. A1 contains a flaw that allows a user to change the user/admin credentials for the web configuration pages without authentication/login.

References

Andres Otondo - http://packetstormsecurity.com/files/98114/D-LINK-DIR-280-Direct-Access-Administrative-Password-Change.html

Description

To preserve the author's intent, please read the original disclosure at: http://packetstormsecurity.com/files/98114/D-LINK-DIR-280-Direct-Access-Administrative-Password-Change.html

To reproduce the issue, assuming the router is at its default IP address of 192.168.0.1:

POST the changes through the form to http://192.168.0.1/goform/formPasswordSetup by submitting new credentials via /tools_admin.asp.

After further testing, it was found that this only works if you are on the "configuring PC", under the same session as the authenticated browser, and the PC is attached to the LAN side of the DIR-280.

D-Link Corporation reports this is not a security bug, but normal operation. The form, form validation, and form submission are working as expected.

A firmware fix will not be offered for this report.

All devices on your network should have log-in credentials, and if your network has WiFi, please make sure WiFi encryption keys are enabled. Also, for devices that cannot notify the owner of new software updates, check for updates from the device's manufacturer.

Recommendations

D-Link Corporation reports this is not a security bug, since it requires an active logged-in browser session. The form, form validation, and form submission are working as expected. A firmware fix will not be offered for this report.

Please continue to monitor this page for further updates and disclosures.

D-Link recommends that your D-Link router's remote network management feature is disabled (the factory default is disabled) to mitigate a malicious remote user using this vulnerability to directly access/exploit your router. If remote network management is disabled, a malicious user would need to be on the local network side of the router, or to have compromised another device on the network that could be used to attack the router.

D-Link recommends that all PCs (Windows or Mac) are up to date and scanned for viruses, bots, or other damaging software that could compromise the network they are connected to.

WiFi encryption reduces the risk of this vulnerability if the device Web-GUI is accessed over WiFi. If the WiFi network is encrypted, the malicious user would also need to compromise the WiFi encryption, or the PC using the Web-GUI utility, in order to monitor the traffic and intercept the cookie.

The default configuration of D-Link's routers is intended to provide simple installation, ease of use, and the widest interoperability. D-Link Systems (D-Link US) reminds customers to configure their devices specifically to address the security concerns within their network infrastructure. In general, D-Link Systems (D-Link US) recommends disabling services that are not being used, changing/securing device log-in credentials, enabling WiFi encryption, monitoring the router's log files, and using access lists for your devices, so that security risks for your entire network are minimized.
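The recommendations above to keep management on the LAN side and to monitor the router's log files can be turned into a concrete check. The following is an added example, not D-Link's code or part of this advisory. It assumes that an access log in front of the router's web GUI records the source address, request line and Referer header in a common-log-format style line (a constructed format; the DIR-280's own log format is not documented here), that the LAN is 192.168.0.0/24 with the router at the advisory's default address 192.168.0.1, and it uses the two paths named in the advisory: /goform/formPasswordSetup as the password-change endpoint and /tools_admin.asp as the form page a legitimate password change is submitted from. The sample log lines are constructed.

```python
"""Flag password-change POSTs to the DIR-280 web GUI that do not look like a
submission of the router's own /tools_admin.asp form from the LAN.

Added example, not from the D-Link advisory. Assumptions (constructed):
  - access-log lines look like
      <src> - - [<timestamp>] "<METHOD> <path> HTTP/1.x" <status> <bytes> "<referer>"
  - the LAN is 192.168.0.0/24 and the router answers on 192.168.0.1
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

LAN = ipaddress.ip_network("192.168.0.0/24")          # assumed LAN subnet
PASSWORD_ENDPOINT = "/goform/formPasswordSetup"       # endpoint named in the advisory
FORM_PAGE = "/tools_admin.asp"                        # form page named in the advisory

# Constructed common-log-format style line with a trailing Referer field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


@dataclass
class Finding:
    ts: str
    src: str
    reason: str


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious password-change POST, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: not this checker's business
    if m["method"] != "POST" or m["path"] != PASSWORD_ENDPOINT:
        return None  # only password-change submissions are of interest
    src = ipaddress.ip_address(m["src"])
    # Remote management is off by default; a change from outside the LAN
    # should never happen and is the strongest signal.
    if src not in LAN:
        return Finding(m["ts"], m["src"], "password change from outside the LAN")
    # A legitimate change is submitted from the router's own form page, so the
    # Referer should point at /tools_admin.asp. A missing or foreign Referer
    # means the authenticated browser was driven from somewhere else.
    if urlparse(m["referer"]).path != FORM_PAGE:
        return Finding(m["ts"], m["src"],
                       "password change not submitted from the tools_admin.asp form page")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run check_line over every log line and collect the findings."""
    return [f for f in (check_line(line) for line in lines) if f is not None]


# Constructed sample log: one legitimate change, one unrelated page load,
# one change driven from a third-party page, one change from outside the LAN.
SAMPLE_LOG = [
    '192.168.0.10 - - [17/Mar/2014:11:18:00 +0000] "POST /goform/formPasswordSetup HTTP/1.1" 200 512 "http://192.168.0.1/tools_admin.asp"',
    '192.168.0.10 - - [17/Mar/2014:11:18:05 +0000] "GET /tools_admin.asp HTTP/1.1" 200 4096 "http://192.168.0.1/index.asp"',
    '192.168.0.23 - - [17/Mar/2014:11:19:40 +0000] "POST /goform/formPasswordSetup HTTP/1.1" 200 512 "http://third-party.example/page.html"',
    '203.0.113.5 - - [17/Mar/2014:11:20:12 +0000] "POST /goform/formPasswordSetup HTTP/1.1" 200 512 "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.ts} {finding.src}: {finding.reason}")
```

Run against the constructed sample, the first line passes (LAN source, submitted from /tools_admin.asp) and the GET is ignored, while the two remaining POSTs are reported: one because the Referer is a third-party page rather than the router's form, one because the source is outside the LAN. The Referer heuristic is an assumption about what the log records, and a browser may omit the header, so treat it as an alert to review rather than proof; the out-of-LAN case is the one the advisory's "disable remote management" recommendation is meant to make impossible.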

Affected Product

Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DIR-280    | A1         | v. All             | FW: Not Required