lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 2 Feb 2012 19:04:16 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: AoF and CSRF vulnerabilities in D-Link DAP 1150

Hello list!

I want to warn you about new security vulnerabilities in D-Link DAP 1150
(Wi-Fi Access Point and Router).

These are Abuse of Functionality and Cross-Site Request Forgery
vulnerabilities. This is my third advisory from series of advisories about
vulnerabilities in D-Link products.

SecurityVulns ID: 12076.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: D-Link DAP 1150, Firmware version 1.2.94. This
model with other firmware versions also must be vulnerable.

D-Link decided not to fix these vulnerabilities, the same as they still
haven't fixed many vulnerabilities in DSL-500T (form 2005).

----------
Details:
----------

Abuse of Functionality (WASC-42):

The login of administrator is fixed (it's login "admin"), which can't be
changed, only password. Which makes Brute Force attacks easier.

CSRF (WASC-09):

All functionality in admin panel is vulnerable to CSRF. Here are two
examples.

Changing of admin's password:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_config_action=3&res_config_id=69&res_struct_size=1&res_buf=password|

In section Wi-Fi / Common settings via CSRF it's possible to turn on/off
Wi-Fi, and also to change MBSSID and BSSID.

The next request will turn off Wi-Fi:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=39&res_struct_size=0&res_buf={%22Radio%22:false,%20%22mbssidNum%22:1,%20%22mbssidCur%22:1}

------------
Timeline:
------------

2011.11.17 - found vulnerabilities.
2011.12.10 - announced at my site.
2011.12.12 - informed developers.
2011.01.31 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5561/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ