Overview
Upon analysis of the CAPTCHA function in the DIR-601, a security researcher was able to identify a pair of vulnerabilities. The first of which would allow an attacker to bypass authentication to retrieve information from the DIR-601. The second of which allows an attacker to bypass CAPTCHA due to the fact that the expected answer is transmitted along with the auth attempt.
References
CVE Link to follow
Richard Rogerson, Packetlabs Ltd.
Description
Normal user authentication to the DIR-601 includes an unauthenticated HTTP POST to my_cgi.cgi. It is possibly to append additional table requests to this HTTP POST. Among the tables that can be requested are the following.
Admin_user
Wireless_settings
Wireless_security
Wireless_security_settings
Additionally, when performing CAPTCHA, the user's browser transmits the expected answer along with the CAPTCHA attempt. This allows a malicious user to defeat CAPTCHA.
Affected Product
Model Name
|
HW Version
|
Current FW Version
|
New FW Version for this exploit fix
|
DIR-601
|
A1
|
v. 2.02NA and older
|
FW: Under Development
(Updated: 04/24/2015)
|
Security patch for your D-Link Devices
These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.