D-Link DIR-810L Login Bypass

First a little background story (otherwise just skip ahead to the bottom):

I’m from Denmark. I live in one of the poorer regions. “Poor” by Danish standards however, means not driving an Audi A7 to work everyday, so it’s not as bad as it sounds.

Denmark does however have one general problem, which only gets worse out in the country. TDC, our main internet monopoly, owns all the cables, so the speeds are stagnating. We are number 17 on the world list, with 11.2 Mbit/s, but at my place our maximum speed was 5,4 Mbit/s down and 0,8 Mbit/s up. Yes, I ran a software development company on this line, even with 2 developers for a period of time.

Meanwhile, we are currently just about to move closer to “the big city”, and as part of that we need to cancel our internet connection. “Enough is enough” I thought, and went looking for alternatives. I found https://www.3.dk/ and saw that they had a 200GB Wireless “Home package” with a 4G router. I decided to try them out, and so far they have been mostly great. We are getting a consistent 15 Mbit/s down and 2 Mbit/s up, and even bursting to 20 down and 3,5 up sometimes.

Except for one little thing. Their router sucks. 

Huawei 4G Router

This router is a Huawei E5180 “4G LTE Cube”. It’s actually a pretty nice device, with good reception, nice speeds, low power usage, and a nice small physical design, with a blue light on top that can be turned on and off. It even lets you manage the LED, send/receive SMS and monitor your bandwidth, both through the web interface and the mobile app (which is also quite nicely designed). I will write more about this router in the future. This router has no known easily exploitable security problems as far as I could see by tampering with it.

Why does it suck then? Because its WiFi sucks. It advertises 250 meters of coverage (I knew that was a lie before even getting it), and it actually does provide pretty decent coverage, but I guess the WiFi module itself is way too small. It would simply CRASH during heavy video streaming. You would have to wait 5-15 minutes with the power off to get it back to work, because it would get insanely hot.

Instead of complaining to the company “3”, I figured I would try and offload it, as it only seemed to have problems when in heavy use, and the heat was centered on the back of the unit, where I guess the WiFi module is located.

Enough back story.

Enter the D-Link DIR-810L

This router seemed great when looking for a cheap workhorse to offload the LAN network. The plan was simple. Connect a cheap WiFi router to the Huawei 4G router’s single LAN port, turn off the WiFi on the Huawei router, and let the other router handle the local network. Running all traffic through a 100Mbit Ethernet port wouldn’t be a problem, as we get at most around 70 Mbit/s over 4G (which is what we will have at our new house), and that’s more than enough anyway.


It’s not the prettiest of routers, but it only costs 332 DKK with overnight shipping, which is $50 exactly by the current rate. It is advertised as an “AC router”, which should allow extremely high WiFi speeds, but I’m honestly pleased with it just having 2.4GHz/5GHz dualband “N” networks.

It is performing great right now, and I like all the toggles and switches inside the control panel. BUT I WANTED MORE.

As a programmer, I like to disassemble stuff, reverse engineer and build my own tools. I wanted access to the current list of WiFi clients. This router is fully DD-WRT capable, but I liked the current functionality and decided not to mess with it right now, as I have other things to worry about than bricking my router.

I decided to make a quick and dirty PHP scraper for this “Beautiful web interface”. Let me say here already that I had at least medium expectations of the quality of the interface, as you can configure external Syslog servers and lots of other advanced stuff which normal consumer devices ignore completely.

Screenshot 2015-06-19 at 11.39.41 and Screenshot 2015-06-19 at 11.39.23 (web interface screenshots)

I began as usual by recording the login request using Chrome’s Developer Tools. “Hmm, this is weird”. The username and password are Base64 encoded? Oh well, that is probably some weird request by management; these D-Link guys seem to know their stuff, so I will try and replicate this.

I was somewhat horrified by the response from the server.

Uhm.. Maybe this is just for UI? Let me have a quick look at the response headers. NOPE! No freaking cookies. Could it really be this simple?

I tried manually setting the cookie to “1” on the login screen.

Manually setting D-Link login cookie

Afterwards I went directly to http://192.168.0.1/index.asp (without hitting login or anything as that resets the cookie). Voila, I was now logged in to my router. 

I was freaking horrified. How could somebody even think of a scheme that contacts the server to check the username/password combo, and afterwards sets a single “hasLogin” cookie using JavaScript returned directly from that server check? What.The.Actual.Fuck.

Well, there you have it. If you are facing one of these D-Link DIR-810L routers, and probably others in the same series too, try setting a “hasLogin” cookie to “1” and visiting the admin page (index.asp) directly, before anything else.
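To make it concrete why the “hasLogin” cookie is no protection at all, and what the check on index.asp should have looked like, here is a small model of both schemes. This is an added example written for this post; it is not D-Link firmware code and not code from the original article. The `Request` class, the admin credentials and the exact JavaScript string the vulnerable handler returns are constructed for the demo, and the hardened `SessionStore` is a generic server-side-session design, not D-Link’s fix.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed demo credentials (assumption for this example, not the router's real ones).
ADMIN_USER = "admin"
ADMIN_PASSWORD = "correct horse battery staple"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: POSTed form fields and request cookies."""
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def encode_login_form(user: str, password: str) -> dict:
    """Build the form the DIR-810L login page posts: Base64-encoded username/password.
    Base64 is an encoding, not encryption; anyone on the path can read it back."""
    return {
        "username": base64.b64encode(user.encode()).decode(),
        "password": base64.b64encode(password.encode()).decode(),
    }


def check_credentials(form: dict) -> bool:
    """Decode the posted fields and compare in constant time against the admin account."""
    try:
        user = base64.b64decode(form.get("username", "")).decode()
        pw = base64.b64decode(form.get("password", "")).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return (hmac.compare_digest(user.encode(), ADMIN_USER.encode())
            and hmac.compare_digest(pw.encode(), ADMIN_PASSWORD.encode()))


# --- The scheme the post describes: the server only returns JavaScript -----------------
def vulnerable_login(req: Request) -> str:
    """Returns the script body sent back to the browser. Note that the *client* sets the
    cookie, and the server keeps no record that a login ever happened."""
    if check_credentials(req.form):
        return "document.cookie = 'hasLogin=1'; location.href = '/index.asp';"
    return "alert('Login failed');"


def vulnerable_is_authorized(req: Request) -> bool:
    """The only gate on index.asp: does the client *claim* to be logged in?
    Any client can make that claim, so the password check above is decorative."""
    return req.cookies.get("hasLogin") == "1"


# --- Hardened design: the server mints and remembers an unguessable session token -------
class SessionStore:
    """Server-side record of issued sessions. A client cannot forge a token because
    tokens are 256-bit random values that only exist in this store after a real login."""

    def __init__(self) -> None:
        self._sessions: set = set()

    def login(self, req: Request) -> Tuple[Optional[str], str]:
        """Returns (Set-Cookie header value or None, response body)."""
        if not check_credentials(req.form):
            return None, "Login failed"
        token = secrets.token_urlsafe(32)
        self._sessions.add(token)
        # HttpOnly keeps page scripts from reading the token; SameSite limits CSRF.
        return f"session={token}; HttpOnly; SameSite=Strict", "OK"

    def is_authorized(self, req: Request) -> bool:
        """Authorization means the presented token was issued by *this* server."""
        return req.cookies.get("session", "") in self._sessions

    def logout(self, req: Request) -> None:
        self._sessions.discard(req.cookies.get("session", ""))


def token_from_set_cookie(header: str) -> str:
    """Extract the token value from 'session=<token>; ...' (helper for the demo)."""
    return header.split(";", 1)[0].split("=", 1)[1]


def demo() -> dict:
    """Run both schemes against a forged cookie and a genuine login; returns the outcomes."""
    forged = Request(cookies={"hasLogin": "1"})
    store = SessionStore()
    good = Request(form=encode_login_form(ADMIN_USER, ADMIN_PASSWORD))
    set_cookie, _ = store.login(good)
    real = Request(cookies={"session": token_from_set_cookie(set_cookie)})
    return {
        "forged_accepted_by_vulnerable": vulnerable_is_authorized(forged),
        "forged_accepted_by_hardened": store.is_authorized(forged),
        "real_accepted_by_hardened": store.is_authorized(real),
    }


if __name__ == "__main__":
    print(demo())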

Please note that this is on the newest firmware available. I will probably update to DD-WRT in a few days, but until then, I can live with it being firewalled behind the other router and having its remote web interface disabled.