D-Link M60 Authentication Bypass Vulnerability Allowing Unauthenticated Password Changes

Vulnerability

An authentication bypass vulnerability has been identified in the D-Link M60 router, affecting firmware versions up to 1.20B02. The issue resides in the web management interface, specifically within the file '/usr/bin/httpd'. The flaw results in weak password recovery and can be exploited remotely, although the attack requires a high degree of complexity.

Impact

Exploitation of this vulnerability allows an unauthenticated attacker to bypass authentication, manipulate protected API content, and change the administrator password, leading to full control over the web management interface.

Reproduction

The vulnerability can be reproduced by sending a login request to the router's web management interface. This request should include a crafted API-AUTH header that exploits the improper HMAC verification. Once the authentication bypass is achieved, the attacker can forge API-CONTENT using the leaked AES-CTR keystream to read and write protected configuration settings. Finally, the attacker can change the administrator password by forging a request that includes the encrypted password field, using the same keystream reuse technique.
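
The two weaknesses named above are improper HMAC verification and AES-CTR keystream reuse. The following added example (not D-Link's code and not part of the original advisory) shows server-side handling that closes both: a fresh nonce per message, a full-length constant-time MAC check before any decryption, and nonce replay rejection. The message layout (nonce, ciphertext, tag), the key names and the HMAC-based stand-in for AES-CTR are assumptions, since the page does not give the API-AUTH or API-CONTENT formats.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32  # TAG_LEN is the full HMAC-SHA256 output


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR (stdlib has no AES): HMAC-SHA256 as the block function."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return xor_bytes(data, stream)  # zip() truncates the stream to len(data)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh nonce, so no keystream is reused
    ct = ctr_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, message: bytes, seen: set) -> bytes:
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # full-length, constant-time compare
        raise ValueError("bad MAC")             # reject before any decryption
    if nonce in seen:
        raise ValueError("replayed nonce")
    seen.add(nonce)
    return ctr_encrypt(enc_key, nonce, ct)


if __name__ == "__main__":
    ek, mk, seen = secrets.token_bytes(32), secrets.token_bytes(32), set()
    msg = seal(ek, mk, b'{"setting": "constructed sample"}')  # constructed input
    print(open_sealed(ek, mk, msg, seen))
    # Why nonce reuse is fatal: under one nonce, ciphertext XOR equals plaintext XOR.
    n = bytes(NONCE_LEN)
    leak = xor_bytes(ctr_encrypt(ek, n, b"AAAA"), ctr_encrypt(ek, n, b"BBBB"))
    print(leak == xor_bytes(b"AAAA", b"BBBB"))
```

In a real service, replace `ctr_encrypt` with an authenticated mode such as AES-GCM from a maintained library and bound the `seen` set with a counter or expiry window.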

Added: May 1, 2026, 6:51 AM
Updated: May 1, 2026, 6:51 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.