Improper access control in D-link Firmware DIR-601

Bug Reports
March 31, 2020
Jason Franscisco


CVE Number

CWE-284: Improper Access Control

Product Details

D-Link introduces the Wireless N 150 Home Router (DIR-601), which delivers high performance end-to-end wireless connectivity based on Wireless N technology. The DIR-601 provides better wireless coverage and improved speeds over previous-generation Wireless G*. Upgrading your home network to Wireless N 150 provides an excellent solution for experiencing better wireless performance while sharing a broadband Internet connection with multiple computers over a secure wireless network.


Vulnerable Firmware Versions




Vulnerability Details

The software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. On the DIR-601 web interface the only thing keeping a logged-in non-admin user away from admin-level settings such as the admin password is that the page renders those form controls as disabled; the router does not re-check the requester's privilege when the request is processed, so any authenticated user who submits the fields can change them.


Steps to reproduce:

Method 1

  • Log in as a user and visit .
  • Right-click the admin “password” input field and choose Inspect Element.
  • Remove the “disabled” attribute from that input, and do the same for the “verify password” input field and the “save settings” button.
  • Enter new values in the now-editable fields and click submit. The admin password is updated with the supplied values.

Method 2

  • Log in as admin and visit .
  • Intercept and record the request that changes the admin password.
  • Log in as a user and replay the recorded request; the admin’s password is updated.

In both methods the server receives the same kind of request from a low-privilege session; since it never verifies the requester's role, the attacker (user account) can change the admin's password and, in the same way, any other settings and configuration exposed on the admin pages. Method 2 also shows that the request can be produced without the page at all, so the disabled inputs offer no protection.

  • A proper access control check needs to be enforced on the server before each request is processed: the privilege decision must be taken from the authenticated session, not from which fields the page rendered as enabled, and a request carrying admin-only parameters from a non-admin session should be rejected.
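The following is an added illustration, not D-Link's firmware code, modelling the reported behaviour and the recommended fix. It assumes hypothetical field names (`admin_password`, `admin_password_verify`) and a session object carrying a role; the real DIR-601 parameter names are not given on this page. `vulnerable_save_settings` only checks that some session exists, which is why both Method 1 (re-enabled DOM fields) and Method 2 (a replayed admin request) succeed against it; `hardened_save_settings` makes the authorization decision server-side from the session before touching any state.

```python
from dataclasses import dataclass

# Form fields that only an administrator may set. Assumed names for the
# illustration; the real DIR-601 parameter names are not given on this page.
ADMIN_ONLY_FIELDS = {"admin_password", "admin_password_verify"}


class Forbidden(Exception):
    """Raised when a session lacks the privilege for the requested change."""


@dataclass
class Session:
    username: str
    role: str  # "admin" or "user"


@dataclass
class RouterConfig:
    admin_password: str = "admin"  # constructed starting state


def vulnerable_save_settings(session, form, config):
    """Mirrors the reported behaviour.

    The only check is "is there a session at all". The UI disables the admin
    password inputs for non-admins, but the server never re-checks the role,
    so any authenticated user who submits the fields (re-enabled in the DOM,
    or replayed from a captured admin request) overwrites the admin password.
    """
    if session is None:
        raise Forbidden("login required")
    new_pw = form.get("admin_password")
    if new_pw is not None:
        if new_pw != form.get("admin_password_verify"):
            raise ValueError("password fields do not match")
        config.admin_password = new_pw
    return config


def hardened_save_settings(session, form, config):
    """Same action with the authorization decision made server-side, per request.

    Privilege comes from the session, never from the form, and the check runs
    before any state is modified. The request is rejected rather than silently
    stripped of the admin fields, so the attempt shows up in logs.
    """
    if session is None:
        raise Forbidden("login required")
    privileged = ADMIN_ONLY_FIELDS & set(form)
    if privileged and session.role != "admin":
        raise Forbidden(
            f"{session.username} (role={session.role}) may not set {sorted(privileged)}"
        )
    new_pw = form.get("admin_password")
    if new_pw is not None:
        if new_pw != form.get("admin_password_verify"):
            raise ValueError("password fields do not match")
        config.admin_password = new_pw
    return config


def run_scenario(handler):
    """Drive both reported methods against a handler.

    Returns whether each attempt was rejected and the final admin password.
    """
    config = RouterConfig()
    low_priv = Session("guest", "user")
    admin = Session("admin", "admin")
    results = {}

    # Method 1: the user re-enables the disabled inputs and submits them.
    form_method1 = {"admin_password": "pwned1", "admin_password_verify": "pwned1"}
    try:
        handler(low_priv, form_method1, config)
        results["method1_blocked"] = False
    except Forbidden:
        results["method1_blocked"] = True

    # Method 2: the admin's own change is captured, the admin later rotates the
    # password, then the user replays the captured request body unchanged.
    recorded = {"admin_password": "captured", "admin_password_verify": "captured"}
    handler(admin, recorded, config)
    handler(admin, {"admin_password": "rotated", "admin_password_verify": "rotated"}, config)
    try:
        handler(low_priv, dict(recorded), config)
        results["method2_blocked"] = False
    except Forbidden:
        results["method2_blocked"] = True

    results["admin_password"] = config.admin_password
    return results


if __name__ == "__main__":
    print("vulnerable:", run_scenario(vulnerable_save_settings))
    print("hardened:  ", run_scenario(hardened_save_settings))
```

Against the vulnerable handler both attempts go through and the admin password ends up as the captured value; against the hardened one both raise `Forbidden` and the password stays at the admin's last rotation. The point worth keeping in mind when reviewing firmware web handlers is that the check is cheap (one comparison per request) and must live in the code path that writes configuration, not in the template that draws the form.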

Vendor Disclosure:


Discovered by ACE Team - Loginsoft
