[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] AoF and CSRF vulnerabilities in D-Link DAP 1150

To: <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] AoF and CSRF vulnerabilities in D-Link DAP 1150
From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
Date: Thu, 2 Feb 2012 19:04:16 +0200

Hello list!

I want to warn you about new security vulnerabilities in D-Link DAP 1150
(Wi-Fi Access Point and Router).

These are Abuse of Functionality and Cross-Site Request Forgery
vulnerabilities. This is my third advisory from series of advisories about
vulnerabilities in D-Link products.

SecurityVulns ID: 12076.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: D-Link DAP 1150, Firmware version 1.2.94. This
model with other firmware versions also must be vulnerable.

D-Link decided not to fix these vulnerabilities, the same as they still
haven't fixed many vulnerabilities in DSL-500T (form 2005).

----------
Details:
----------

Abuse of Functionality (WASC-42):

The login of administrator is fixed (it's login "admin"), which can't be
changed, only password. Which makes Brute Force attacks easier.

CSRF (WASC-09):

All functionality in admin panel is vulnerable to CSRF. Here are two
examples.

Changing of admin's password:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_config_action=3&res_config_id=69&res_struct_size=1&res_buf=password|

In section Wi-Fi / Common settings via CSRF it's possible to turn on/off
Wi-Fi, and also to change MBSSID and BSSID.

The next request will turn off Wi-Fi:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=39&res_struct_size=0&res_buf={%22Radio%22:false,%20%22mbssidNum%22:1,%20%22mbssidCur%22:1}

------------
Timeline:
------------

2011.11.17 - found vulnerabilities.
2011.12.10 - announced at my site.
2011.12.12 - informed developers.
2011.01.31 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5561/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [ MDVSA-2012:012 ] apache
Next by Date: Re: [Full-disclosure] hackers.it disappeared from google search results
Previous by thread: [Full-disclosure] [ MDVSA-2012:012 ] apache
Next by thread: [Full-disclosure] [SECURITY] [DSA 2401-1] tomcat6 security update
Index(es):
- Date
- Thread