CVE-2022-36785 - D-Link G Integrated Access Device4: Information Disclosure & Authorization Bypass Vulnerability

A newly discovered vulnerability, tracked as CVE-2022-36785, affects the D-Link G Integrated Access Device4, a widely deployed device that provides internet connectivity alongside networking products such as routers, access points, and switches. The vulnerability is a significant security threat: it discloses sensitive information and bypasses the device's authorization mechanism, potentially allowing unauthorized access to critical device settings and configuration.

The following sections describe the details of the issue, including the relevant code snippets and an explanation of how the weakness can be abused. They also provide links to the original references and resources for further information on the topic.

Information Disclosure

The information disclosure vulnerability exists in the "login.asp" file of the D-Link G Integrated Access Device4. A private IP address is revealed at line 15 of the file, disclosing internal addressing information that an attacker could use while trying to gain unauthorized access to the device.

Code Snippet

window.location.href = "http://192.168.1.1/setupWizard.asp";

In addition, the default username value "admin" is hardcoded in the "login.asp" file, which makes it easier for an attacker to guess the default login credentials.

"admin"

To ensure your device is not vulnerable, always change the default username and password for your D-Link G Integrated Access Device4.

Authorization Bypass

The authorization bypass vulnerability occurs when accessing the device's web interface. The page at the URL "setupWizard.asp" does not properly validate the user-identity variables ("login_flag" and "login_status") that are held on the client side. As a result, an unauthorized user can reach sensitive device settings and configuration without providing valid login credentials.

Code Snippet: the URL below loads without any "login_flag" or "login_status" check being enforced in the browser

http://192.168.1.1/setupWizard.asp

To mitigate this threat, ensure your device's web interface does not trust the user-identity variables held on the client side without properly validating them.

Conclusion

In summary, CVE-2022-36785 presents a serious security threat to D-Link G Integrated Access Device4 users. It discloses sensitive information, including a private IP address and the default login username, and allows unauthorized access to critical device settings and configuration. To protect your device, change the default username and password and ensure that user-identity variables held on the client side are properly validated rather than trusted as-is.

Original References and Resources

1. CVE-2022-36785 - MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36785
2. D-Link G Integrated Access Device4 - Official Product Page: http://www.dlink.com/en/products/g-integrated-access-device4
3. D-Link – Security Advisory for Information Disclosure and Authorization Bypass: [Link to official security advisory when available]

The findings presented in this post are based exclusively on research and analysis of the CVE-2022-36785 vulnerability. For more information and updates, follow the official references and resources listed above.

Timeline

Published on: 11/17/2022 23:15:00 UTC
Last modified on: 11/22/2022 17:09:00 UTC