CVE-2022-36786 DLINK router allows you to configure NTP servers via jsonrpc API.

This will allow you to set your system time back to the time it was before the device was hacked. It can also be used to inject commands into the device like changing the DNS server or setting up a SAML SSO login. It is important to note that not all routers allow external time configuration and changing the DNS server will not have any effect on the system unless the system time is manually changed. The majority of the DLINK routers do allow external time configuration, so it is a good idea to check before doing any type of penetration testing.

The D-Link DIR-869 router is a pretty high end device that allows for external time configuration. This would make it easy to exploit the system with a brute force login, but most likely not enough to gain access to the firmware and install an SSH key so you can connect into the device and run commands.

This type of device would also be vulnerable to a MITM attack and be vulnerable to man in the middle attacks like phishing or other social engineering methods.

Changing the time on a router

There are two ways to change the system time on a router. The first way is to use the built-in web interface on the device and the second way is to use an SSH client like putty. The built-in web interface for changing the time is found at 127.0.0.1:8080 and can be accessed by typing in http://192.168.1.1 in your browser's address bar and hitting enter on your keyboard or clicking on the icon that looks like a computer screen with a network cable going into it (see figure 1).
Figure 1: Accessing the built-in web interface for changing time
The other option of changing the system time is using an SSH client like putty, which can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/. This program allows you to access your router through the command line which will allow you to change the system time as well as execute any commands that need to be run on your device if you have root access (see figure 2).

How to set the system time back to original?

1. Click on the System menu.
2. Click on the Time link.
3. Select the appropriate time zone for your location, and click on Apply to set the system time back to original time.
4. If you have completed all of this, click on Reboot (F5) to reboot the router at the configured time.

Should you change the system time?

It is important to note that not all routers allow external time configuration and changing the DNS server will not have any effect on the system unless the system time is manually changed. The majority of the DLINK routers do allow external time configuration, so it is a good idea to check before doing any type of penetration testing.
If you are performing a penetration test with a device that has external time configuration, you may want to change the system time back to before the router was compromised. This is because it can help make your job easier by making it easier for you to identify security events in logs such as when access was gained. However, if you are conducting white-box testing or trying to simulate an attack on your own network, then changing the system time could cause problems for your test and there really isn’t a need for it.

Timeline

Published on: 11/17/2022 23:15:00 UTC
Last modified on: 11/22/2022 17:09:00 UTC

References