exploit the possibilities

D-Link DAP 1150 Cross Site Request Forgery

D-Link DAP 1150 Cross Site Request Forgery
Posted Dec 12, 2011
Authored by MustLive

The D-Link DAP 1150 wifi access point and router suffers from cross site request forgery vulnerability, predictable resource location and brute force vulnerabilities.

tags | advisory, vulnerability, csrf
MD5 | d2c5c2b66ef034962c1b571c230ab0c5

D-Link DAP 1150 Cross Site Request Forgery

Change Mirror Download
Hello list!

I want to warn you about security vulnerabilities in D-Link DAP 1150 (WiFi
Access Point and Router).

These are Predictable Resource Location, Brute Force and Cross-Site Request
Forgery vulnerabilities. This is my second advisory from series of
advisories about vulnerabilities in D-Link products.

SecurityVulns ID: 12076.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: D-Link DAP 1150, Firmware version 1.2.94. This
model with other firmware versions also must be vulnerable.

----------
Details:
----------

Predictable Resource Location (WASC-34):

http://192.168.0.50

The control panel of device is placed at default path with default login and
password (admin:admin). Which allows for local users (which have access to
PC or via LAN) and also for remote users via Internet (via CSRF) to get
access to control panel and change router's settings.

Default above-mentioned settings - it's standard practice of developers of
ADSL routers and other network devices, but D-Link became changing this
situation in their new devices.

For protecting against problems with default password, D-Link made the next
in admin panel: at the first enter to admin panel it's obligatory needed to
change a password. I.e. before changing settings it's needed to change
default password. And all developers of network devices should use such
approach. But Windows-application for configuration of the device, which is
bundled on CD, doesn't change a password, only change other settings of
access point. Thus it's possible to configure the device with leaving of
default password, which will leave the device vulnerable to attacks.

Brute Force (WASC-11):

In login form http://192.168.0.50 there is no protection against Brute Force
attacks. Which allows to pick up password (if it was changed from default),
particularly at local attack. E.g. via LAN malicious users or virus at some
computer can conduct attack for picking up the password, if it was changed.

CSRF (WASC-09):

Lack of protection against Brute Force (such as captcha) also leads to
possibility of conducting of CSRF attacks, which I wrote about in the
article Attacks on unprotected login forms
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).
It allows to conduct remote login. Which will be in handy at conducting of
attacks on different CSRF vulnerabilities in control panel, which I'll tell
you about later.

------------
Timeline:
------------

2011.11.17 - found vulnerabilities.
2011.12.09 - disclosed at my site.
2011.12.11 - informed developers.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5558/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    1 Files
  • 2
    Dec 2nd
    16 Files
  • 3
    Dec 3rd
    17 Files
  • 4
    Dec 4th
    23 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close