Overview
The DIR-280 Rev. A1 contains a flaw that allows a user to change user/admin credentials to the web configuration pages without authentication/login.
References
Andres Otondo - http://packetstormsecurity.com/files/98114/D-LINK-DIR-280-Direct-Access-Administrative-Password-Change.html
Description
To preserve the author's intent, please read the original disclosure at: http://packetstormsecurity.com/files/98114/D-LINK-DIR-280-Direct-Access-Administrative-Password-Change.html
To perform the exploit, assuming the router is at the default IP address of 192.168.0.1:
Post changes through the form to http://192.168.0.1/goform/formPasswordSetup by submitting new credentials to /tools_admin.asp
After further testing, it was found that this only works if you are on the "configuring-PC", under the same session as the authenticated browser, and the PC is attached to the LAN side of the DIR-280.
D-Link Corporation reports this is not a security bug, but normal operation. The form, form validation, and form submission are working as expected.
A firmware fix will not be offered for this report.
All devices on your network should have log-in credentials, and if your network has WiFi, please make sure WiFi encryption keys are enabled. Also, for devices that cannot notify the owner of new software updates, check for updates from the device's manufacturer.
Recommendations
D-Link Corporation reports this is not a security bug, since it requires an active logged-in browser session. The form, form validation, and form submission are working as expected. A firmware fix will not be offered for this report.
Please continue to monitor this page for further updates and disclosures.
D-Link recommends that your D-Link router's remote network management feature be disabled (factory default is disabled) to prevent a malicious remote user from using this vulnerability to directly access or exploit your router. If remote network management is disabled, a malicious user would need to be on the local network side of the router or have compromised another device on the network that could be used to attack the router.
D-Link recommends that all PCs (Windows or Mac) be kept up-to-date and scanned for viruses, bots, or other damaging software that could compromise the network they are connected to.
WiFi encryption reduces the risk from this vulnerability if the device Web-GUI is accessed over WiFi. If the WiFi network is encrypted, the malicious user would also need to compromise the WiFi encryption, or the PC using the Web-GUI utility, in order to monitor the traffic and intercept the cookie.
The default configuration of D-Link's routers is intended to provide simple installation, ease of use, and the widest interoperability. D-Link Systems (D-Link US) reminds customers to configure their devices specifically for the security concerns within their network infrastructure. In general, D-Link Systems (D-Link US) recommends disabling services not being used, changing/securing device log-in credentials, enabling WiFi encryption, and monitoring the router's log files and access lists for your devices so that security risks for your entire network are minimized.
Affected Product
| Model Name | HW Version | Current FW Version | New FW Version for this exploit fix |
|---|---|---|---|
| DIR-280 | A1 | v. All | FW: Not Required |