header-logo
Suggest Exploit
vendor:
DSL-2640R
by:
Todor Donev
7.5
CVSS
HIGH
Unauthorized DNS Change
200
CWE
Product Name: DSL-2640R
Affected Version From: UK_1.06
Affected Version To: UK_1.06
Patch Exists: YES
Related CWE: None
CPE: h:d-link:dsl-2640r
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2018

D-Link DSL-2640R Unauthenticated Remote DNS Change Vulnerability

The vulnerability exist in the web interface of D-Link's various routers which are susceptible to unauthorized DNS change. The problem is when entering an invalid / wrong user and password. Once modified, systems use foreign DNS servers, which are usually set up by cybercriminals. Users with vulnerable systems or devices who try to access certain sites are instead redirected to possibly malicious sites. Modifying systems' DNS settings allows cybercriminals to perform malicious activities like steering unknowing users to bad sites, replacing ads on legitimate sites, controlling and redirecting network traffic, and pushing additional malware.

Mitigation:

Users should ensure that their routers are running the latest firmware version and that they are using strong passwords for their router's web interface.
Source

Exploit-DB raw data:

#
#
#  D-Link DSL-2640R Unauthenticated Remote DNS Change Vulnerability
#
#  Firmware Version: UK_1.06 Hardware Version: B1
#
#  Copyright 2018 (c) Todor Donev <todor.donev at gmail.com>
#
#  https://ethical-hacker.org/
#  https://facebook.com/ethicalhackerorg/
#
#  Description:  
#  The vulnerability exist in the web interface.
#  D-Link's various routers are susceptible to unauthorized DNS change. 
#  The problem is when entering an invalid / wrong user and password.  
#
#  ACCORDING TO THE VULNERABILITY DISCOVERER, MORE D-Link 
#  DEVICES MAY AFFECTED.
#
#  Once modified, systems use foreign DNS servers,  which are 
#  usually set up by cybercriminals. Users with vulnerable 
#  systems or devices who try to access certain sites are 
#  instead redirected to possibly malicious sites.
#  
#  Modifying systems' DNS settings allows cybercriminals to 
#  perform malicious activities like:
#
#    o  Steering unknowing users to bad sites: 
#       These sites can be phishing pages that 
#       spoof well-known sites in order to 
#       trick users into handing out sensitive 
#       information.
#
#    o  Replacing ads on legitimate sites: 
#       Visiting certain sites can serve users 
#       with infected systems a different set 
#       of ads from those whose systems are 
#       not infected.
#   
#    o  Controlling and redirecting network traffic: 
#       Users of infected systems may not be granted 
#       access to download important OS and software 
#       updates from vendors like Microsoft and from 
#       their respective security vendors.
#
#    o  Pushing additional malware: 
#       Infected systems are more prone to other 
#       malware infections (e.g., FAKEAV infection).
#
#  

Proof of Concept:

http://<TARGET>/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=<MALICIOUS DNS>&dnsSecondary=<MALICIOUS DNS>

Navigation

Suggest Exploit

Services By CQR