CVE-2023-30061

Vulnerability

The D-Link DIR-879 router running firmware version v105A1 (also referred to as 1.05A1) contains an authentication bypass vulnerability in the phpcgi component. This component is responsible for checking user authorization and processing requests to .php, .asp, and .txt pages. By crafting a malicious request, an attacker can bypass the authorization checks entirely [2].

Exploitation

An attacker needs only network access to the router; no prior authentication is required. The exploit involves sending a specially crafted HTTP request to the phpcgi endpoint that circumvents the authorization logic. Once the bypass succeeds, the attacker can execute a script that returns the router's login credentials (username and password). A proof-of-concept exploit is publicly available [2].

Impact

Successful exploitation allows an unauthenticated attacker to retrieve the administrator credentials for the router. With these credentials, the attacker gains full administrative control over the device, enabling them to modify settings, intercept traffic, or launch further attacks on the local network. The confidentiality of the credentials is directly compromised, and the integrity and availability of the router may be affected.

Mitigation

As of the publication date, D-Link has not released a firmware update to address this vulnerability. The official security bulletin [1] provides general guidance but does not include a specific patch. Users are advised to check the D-Link End-of-Life (EOL) policy [1] for the DIR-879 model; if the device is EOL, no fix will be provided. Mitigation steps include restricting network access to the router's management interface, disabling remote administration, and considering replacement with a supported device.