DIR-823G SetFactoryDefault DoS

Vulnerability for D-Link Router

Product: D-Link DIR-823G (Refer: http://www.dlink.com.cn/home/product?id=2960)

Version: The latest firmware -- 1.02B03 (Download link: http://support.dlink.com.cn/ProductInfo.aspx?m=DIR-823G)

Vulnerability Type: Incorrect Access Control

Author: David Chen

Institution: Technology Research Institute of Legendsec at Qi’anxin Group

Vulnerability description

An issue was discovered in /bin/goahead on D-Link DIR-823G with the latest firmware 1.02B03. There is an incorrect access control problem that allows remote attackers to reset the router without authentication by accessing an HNAP API named SetFactoryDefault.
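
A deny-by-default action dispatcher of the kind that closes this class of bug, as an added example (not code from the firmware or from the original advisory). The action table, result codes, the `Login` entry and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names and codes; not taken from the DIR-823G firmware. */
enum { HNAP_OK = 0, HNAP_UNAUTHORIZED = 401, HNAP_UNKNOWN_ACTION = 404 };

struct hnap_action {
    const char *name;
    int pre_auth;        /* 1 only for actions that must work before login */
    int changes_state;   /* 1 if the handler modifies device configuration */
    int (*handler)(void);
};

static int factory_resets;   /* stands in for the real reset side effect */
static int do_login(void) { return HNAP_OK; }
static int do_factory_default(void) { factory_resets++; return HNAP_OK; }

static const struct hnap_action actions[] = {
    { "Login",             1, 0, do_login },
    { "SetFactoryDefault", 0, 1, do_factory_default },
};
#define N_ACTIONS (sizeof actions / sizeof actions[0])

/* Boot-time audit: no state-changing action may be reachable pre-auth. */
int hnap_table_is_safe(const struct hnap_action *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].pre_auth && t[i].changes_state) return 0;
    return 1;
}

/* Deny by default: the session check runs before any handler is called. */
int hnap_dispatch(const char *action, int session_authenticated)
{
    if (action == NULL) return HNAP_UNKNOWN_ACTION;
    for (size_t i = 0; i < N_ACTIONS; i++) {
        if (strcmp(action, actions[i].name) != 0) continue;
        if (!actions[i].pre_auth && !session_authenticated)
            return HNAP_UNAUTHORIZED;
        return actions[i].handler();
    }
    return HNAP_UNKNOWN_ACTION;   /* unlisted actions are never executed */
}

int factory_reset_count(void) { return factory_resets; }

int main(void)
{
    printf("table safe: %d\n", hnap_table_is_safe(actions, N_ACTIONS));
    printf("unauthenticated reset -> %d\n", hnap_dispatch("SetFactoryDefault", 0));
    return 0;
}
```

Running the audit at start-up turns a mis-flagged table entry into a boot failure instead of a remotely reachable reset.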

POC

An attacker can call the HNAP API SetFactoryDefault remotely, and the router resets to factory defaults immediately. The attacker only needs to send a POST request as below:

Headers:

image

Body: image

This PoC can result in a DoS as shown below; the router needs to be set up again after the exploit:

image

P.S. Given the vendor's security, we only provide parts of this exploit.