Authentication Bypass in D-Link DAP-1522 Firmware
Loginsoft-2020-1007
23 July, 2020
CVE Number
CVE-2020-15896
CWE
CWE-288: Authentication Bypass Using an Alternate Path or Channel
Product Details
The D-Link DAP-1522 Wireless N Dual Band Access Point and Ethernet Bridge lets you connect up to four Ethernet-enabled devices in an entertainment center to a wireless network. Devices such as game consoles, digital video recorders (DVR) and digital media adapters (DMA) attach to the built-in 4-port Gigabit switch.
URL: https://legacy.us.dlink.com/pages/product.aspx?id=d1d3d17dda4c47eca25e39a4cfc39827
Vulnerable Firmware Versions
1.41 & 1.42 (Latest)
Hardware
A1
Vulnerability Details
An authentication bypass vulnerability exists in the web interface of the D-Link DAP-1522 access point, allowing an unauthenticated attacker on the network to access protected administrative pages without credentials.
SYNOPSIS
A few pages, such as login.php and logout.php, are intentionally reachable without a session. The firmware decides this by checking the value of NO_NEED_AUTH: when `NO_NEED_AUTH` is 1, the request is treated as authenticated and the page is served without any credential check. The flaw is that the same check is applied to every protected page, and the value is taken from the request itself rather than from a server-side list of public pages. Appending the query string `NO_NEED_AUTH=1` to any protected URL therefore lets an unauthenticated user open that page directly, which is exactly the alternate path described by CWE-288.
Analysis
Payload: NO_NEED_AUTH=1
PoC:
Protected webpage: http://192.168.0.1/bsc_lan.php
Authentication bypass: http://192.168.0.1/bsc_lan.php?NO_NEED_AUTH=1&AUTH_GROUP=0
Exploitation:
Any attacker connected to the network and able to reach the router's login page can exploit this. Appending the payload above to any protected page grants access to the administrative interface without credentials, compromising all three elements of the CIA triad (confidentiality, integrity and availability of the device and its configuration).
Vendor Disclosure: 9 February 2019
Credit
Discovered by ACE Team - Loginsoft