Search
00

UPDATE:

D-LINK has released a patch to fix this backdoor. You can download it here.

Backdoor for D-Link Router Firmware 6.07.

Over the last few weeks, my team and I have been doing extensive penetration tests on routers. We have been successful in many ways and have found a serious Backdoor for the D-Link Router Firmware 6.07.

At the time of writing this, this exploit can still be leveraged. We have contacted D-Link and we currently awaiting feedback on the patch. While we wait, read the in-depth breakdown below.

Breakdown.

http://192.168.0.1/cgi-bin/webproc

Tested on

Product Page: DAP-1360

Hardware Version: F1

Firmware Version: 6.07

 

Test incorrect password for admin username.

 

Change admin to user and set password to user.

 

Notice how the cookie is updated.

 

Full access to the console.

http://192.168.0.1/cgi-bin/webproc?getpage=html/index.html&var:menu=tools&var:page=accountpsd

 

Pre-Shared WiFi key shared in plain text.

http://192.168.0.1/cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:page=wireless_basic

 

Download and view system configuration file.

http://192.168.0.1/cgi-bin/webproc?getpage=html/index.html&var:menu=tools&var:page=system

 

Save config.xml locally and find sensitive information.
Username and password in cleartext for serial connection.

 

WiFi SSID and cleartext password.

 

Username and hashed password for users.

 

Tested and does not affect DAP-1360, DSL-2750U, DAP-1533, DAP-1665, DAP-1650 with Firmware 1.00JP, 1.13, 1.16.

Keep an eye on our blog in the upcoming weeks as we will release all our findings here first.

This blog post is for educational purposes only. GTconsult does not condone nor promote using this for malicious purposes.