D-Link DIR-820L
cpe:2.3:h:d-link:dir-820l:*:*:*:*:*:*:*
- 1.06B02
A vulnerability exists in the D-Link DIR-820L router, specifically in version 1.06B02, due to improper access control in the administrator password setting. The issue allows for unverified password changes by sending a crafted POST request to the '/get_set.ccp' endpoint, without the need for user authentication. This vulnerability arises because the router's 'ncc2' service does not verify user identity before accepting configuration change requests, enabling attackers to alter the admin password remotely.
Exploitation of this vulnerability allows for unauthorized changes to the administrator password, potentially leading to unauthorized access to the router's admin account.
To reproduce this vulnerability, send a POST request to the '/get_set.ccp' endpoint with a crafted payload that includes the desired password change. This can be done using a tool like Burp Suite or by writing a custom script. The request does not require authentication, allowing the password change to be made without logging into the admin account or providing the current admin password. After the request is sent, the changed password can be verified by checking the '/var/tmp/cfg.txt' file on the device, which will reflect the new password. The updated password can then be used to access the admin account on the router.
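A detection-side check for the behaviour described above, as an added example that is not part of the original advisory: it scans HTTP log lines for POST requests to '/get_set.ccp' that come from hosts other than a known admin station. The log format, the admin-station address and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

SENSITIVE_PATH = "/get_set.ccp"  # endpoint named in the advisory
# Assumption: the only host expected to administer the router (constructed).
ADMIN_STATIONS = {ipaddress.ip_address("192.168.0.10")}

# Assumption: combined-log-style lines from a proxy or network sensor in
# front of the router's web interface; this format is constructed.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

def normalise_path(target):
    """Reduce a request target to a path that can be compared reliably."""
    # Strip scheme and host if the request line used an absolute-form URI.
    target = re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]*", "", target)
    path = re.split(r"[?#]", target, maxsplit=1)[0]   # drop query/fragment
    path = unquote(path)                              # decode %xx escapes
    # Collapse repeated slashes and ignore case: deliberately loose matching.
    return re.sub(r"/{2,}", "/", path).lower()

def find_password_change_attempts(lines):
    """Return (timestamp, source) for POSTs to the endpoint from non-admin hosts."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if normalise_path(m["target"]) != SENSITIVE_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # source field is not an IP address; line is skipped
        if src not in ADMIN_STATIONS:
            hits.append((m["ts"], str(src)))
    return hits

# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = [
    '192.168.0.10 - - [01/Jan/2024:10:00:00 +0000] "POST /get_set.ccp HTTP/1.1" 200',
    '192.168.0.57 - - [01/Jan/2024:10:05:12 +0000] "POST /get_set.ccp HTTP/1.1" 200',
    '192.168.0.57 - - [01/Jan/2024:10:05:40 +0000] "GET / HTTP/1.1" 200',
    '203.0.113.9 - - [01/Jan/2024:10:07:03 +0000] "POST //get_set%2Eccp?x=1 HTTP/1.1" 200',
]
```

Because the endpoint accepts the request without authentication, the source address is the only signal this check uses; alerts on it are most useful when the management interface is already restricted to the listed admin stations.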