UPDATE:
D-LINK has released a patch to fix this backdoor. You can download it here.
Over the last few weeks, my team and I have been doing extensive penetration tests on routers. We have been successful in many ways and have found a serious Backdoor for the D-Link Router Firmware 6.07.
At the time of writing this, this exploit can still be leveraged. We have contacted D-Link and we currently awaiting feedback on the patch. While we wait, read the in-depth breakdown below.
Breakdown.
http://192.168.0.1/cgi-bin/webproc
Tested on
Product Page: DAP-1360
Hardware Version: F1
Firmware Version: 6.07
Test incorrect password for admin username.
Change admin to user and set password to user.
Notice how the cookie is updated.
Full access to the console.
http://192.168.0.1/cgi-bin/webproc?getpage=html/index.html&var:menu=tools&var:page=accountpsd
Pre-Shared WiFi key shared in plain text.
http://192.168.0.1/cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:page=wireless_basic
Download and view system configuration file.
http://192.168.0.1/cgi-bin/webproc?getpage=html/index.html&var:menu=tools&var:page=system
Save config.xml locally and find sensitive information.
Username and password in cleartext for serial connection.
WiFi SSID and cleartext password.
Username and hashed password for users.
Tested and does not affect DAP-1360, DSL-2750U, DAP-1533, DAP-1665, DAP-1650 with Firmware 1.00JP, 1.13, 1.16.
Keep an eye on our blog in the upcoming weeks as we will release all our findings here first.
This blog post is for educational purposes only. GTconsult does not condone nor promote using this for malicious purposes.