CVE-2021-40655 Scanner

CVE-2021-40655 Scanner - Information Disclosure vulnerability in D-Link DIR-605

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 8 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

D-Link DIR-605 is a wireless N300 router used in home and small office networks for providing internet connectivity and local area networking. It is widely adopted for its ease of use, affordability, and basic routing capabilities. Managed through a web interface, the router offers configuration for firewall rules, MAC filtering, DHCP, and wireless settings. This model is particularly popular among home users due to its plug-and-play simplicity. The firmware includes essential administrative functions and system monitoring features. Devices like this are often targeted due to weak authentication practices and exposed endpoints.

This scanner detects an information disclosure vulnerability in the D-Link DIR-605 router firmware. The vulnerability allows unauthenticated attackers to obtain sensitive configuration information, including usernames and passwords. It is caused by improper access control on the `/getcfg.php` endpoint, which is supposed to be protected. A forged POST request with specific parameters can trigger the router to return its configuration in XML format. This vulnerability is rated high due to the sensitive nature of the exposed data and the lack of authentication requirements.

The vulnerable endpoint is `/getcfg.php`, which improperly processes requests containing the `SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a` payload. When a POST request with this body is sent, the server responds with configuration details containing credential data. The detection logic checks for a successful status code, proper content type (`text/xml`), and the presence of the `DEVICE.ACCOUNT` tag in the response body. These conditions confirm that the endpoint is accessible and leaking sensitive information.
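As an added example (not the scanner's own code), the three detection conditions from the paragraph above applied offline to a captured response, with one extra check the page does not describe: the body must also be well-formed XML, so a page that merely mentions the string is not counted. The sample responses and the element layout inside them are constructed assumptions, not the firmware's real output, and the finding never copies leaked values out of the body.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Finding:
    vulnerable: bool
    reasons: list = field(default_factory=list)  # why the response did or did not match


def classify_getcfg_response(status: int, content_type: str, body: str) -> Finding:
    """Apply the detection conditions for the /getcfg.php leak:
    successful status, text/xml content type, DEVICE.ACCOUNT tag in the body.
    Only pass/fail reasons are recorded; credential values stay out of the finding."""
    reasons = []
    if status != 200:
        reasons.append(f"status {status} is not 200")
    # Strip parameters such as '; charset=utf-8' before comparing the media type.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "text/xml":
        reasons.append(f"content type {media_type!r} is not text/xml")
    if "DEVICE.ACCOUNT" not in body:
        reasons.append("DEVICE.ACCOUNT not present in body")
    else:
        # Extra safeguard (assumption, not from the scanner description):
        # require well-formed XML so an HTML login page is not misreported.
        try:
            ET.fromstring(body)
        except ET.ParseError:
            reasons.append("body is not well-formed XML")
    return Finding(vulnerable=not reasons, reasons=reasons)


# Constructed sample responses; the XML layout is an assumption for illustration only.
LEAKING = (
    200,
    "text/xml; charset=utf-8",
    "<postxml><module><service>DEVICE.ACCOUNT</service><device><account><entry>"
    "<name>admin</name><password>CONSTRUCTED-SAMPLE</password>"
    "</entry></account></device></module></postxml>",
)
LOGIN_PAGE = (200, "text/html", "<html><body>Login required</body></html>")
DENIED = (401, "text/xml", "<postxml/>")

if __name__ == "__main__":
    for label, sample in (("leaking", LEAKING), ("login page", LOGIN_PAGE), ("denied", DENIED)):
        finding = classify_getcfg_response(*sample)
        print(label, "->", "VULNERABLE" if finding.vulnerable else "not vulnerable", finding.reasons)
```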

Exploitation of this vulnerability can lead to the unauthorized disclosure of administrative credentials for the router. This allows attackers to log in to the router’s web interface, modify configurations, and even redirect network traffic. In more advanced attacks, this access could be used to install malicious firmware or spy on internal network communications. The impact extends to both confidentiality and system control. If the router is internet-facing, it becomes an attractive target for automated botnet recruitment or surveillance.
