
Davolink DV-2051 Missing Access Control

Posted Aug 5, 2016
Authored by Eric Flokstra

Davolink DV-2051 suffers from a missing access control vulnerability.

tags | exploit, bypass
MD5 | f0b6086c98ead51572093a1cf0bd004c

===================================================================
Title: Unauthenticated admin password change
Product: Davolink modem
Tested model: DV-2051
Vulnerability Type: Missing Function Level Access Control [CWE-306: Missing Authentication for Critical Function]
Risk Level: High
Solution Status: No fix available
Discovered and Provided: Eric Flokstra
===================================================================

[-] About the Product:

The Davolink DV-2051 is an ADSL modem with four Fast Ethernet ports, a
wireless access point and VoIP (two FXS ports).

[-] Advisory Details:

HTTP Basic authentication is used to authenticate the administrative user
to the web interface. To change the administrator password the old
password must be supplied, but it is validated only by JavaScript in the
browser. By intercepting a successful password change request and
replaying it, the JavaScript validation is bypassed. It was also noticed
that authorisation checks are missing on the password change handler
itself, so the request is accepted without any credentials. Combined,
these weaknesses allow anyone who can reach the web interface to change
the admin password with a single unauthenticated request.

[-] Proof of Concept:

The following request can be used to change the admin password to the
value "FooBar":

192.168.1.1/password.cgi?usrPassword=FooBar
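The following Python model is an added example and is not part of the advisory or of the device firmware. It reproduces the behaviour described above (the handler applies usrPassword with no authentication and no server-side check of the old password) next to a hardened handler that performs the missing checks, and then sends the proof-of-concept request to both. The Device class, the oldPassword field name, the "admin" user name and the HTTP status codes are assumptions; the real CGI's internals are not known.

```python
import base64
import hmac
from urllib.parse import urlsplit, parse_qs

# The advisory's proof-of-concept request (scheme added so urlsplit parses it).
POC_URL = "http://192.168.1.1/password.cgi?usrPassword=FooBar"


class Device:
    """Constructed model of the modem's single administrative account."""

    def __init__(self, admin_password="admin"):
        self.admin_password = admin_password


def parse_request(url):
    """Split a request URL into its path and a flat dict of query parameters."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.path, params


def basic_auth_ok(headers, device):
    """Check an HTTP Basic 'Authorization' header against the admin account."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return user == "admin" and hmac.compare_digest(password, device.admin_password)


def vulnerable_password_cgi(device, method, url, headers=None):
    """Behaviour the advisory describes: the old password is validated only by
    JavaScript in the browser, and the CGI itself performs no authentication
    or authorisation, so any request naming usrPassword is applied."""
    path, params = parse_request(url)
    if path != "/password.cgi":
        return 404
    new_password = params.get("usrPassword")
    if not new_password:
        return 400
    device.admin_password = new_password
    return 200


def hardened_password_cgi(device, method, url, headers=None):
    """The server-side checks that are missing: the caller must authenticate,
    the change must be a POST (a bare link cannot trigger it), and the current
    password is re-verified on the server, not in the browser. 'oldPassword'
    is an assumed field name; for this model the form fields are read from the
    query string for both methods."""
    headers = headers or {}
    path, params = parse_request(url)
    if path != "/password.cgi":
        return 404
    if not basic_auth_ok(headers, device):
        return 401
    if method != "POST":
        return 405
    old_password = params.get("oldPassword")
    new_password = params.get("usrPassword")
    if old_password is None or not new_password:
        return 400
    if not hmac.compare_digest(old_password, device.admin_password):
        return 403
    device.admin_password = new_password
    return 200


def auth_header(user, password):
    """Build the Authorization header a browser sends after a Basic auth login."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    affected = Device("admin")
    print("vulnerable, no credentials:", vulnerable_password_cgi(affected, "GET", POC_URL),
          "-> admin password is now", affected.admin_password)
    fixed = Device("admin")
    print("hardened, no credentials:", hardened_password_cgi(fixed, "GET", POC_URL))
    print("hardened, authenticated POST with correct old password:",
          hardened_password_cgi(fixed, "POST", POC_URL + "&oldPassword=admin",
                                auth_header("admin", "admin")))
```

The point of the model is that client-side validation is a usability feature, not a control: the hardened handler re-checks the old password with a constant-time comparison and refuses the change entirely unless the caller already holds valid credentials.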

========================================================
Title: Lack of CSRF protection
Product: Davolink modem
Tested model: DV-2051
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Risk Level: Medium
Solution Status: No fix available
Discovered and Provided: Eric Flokstra
========================================================

[-] About the Product:

The Davolink DV-2051 is an ADSL modem with four Fast Ethernet ports, a
wireless access point and VoIP (two FXS ports).

[-] Advisory Details:

The web interface lets the administrator set the passphrase that clients
must present to join the SSID. No measures against Cross-Site Request
Forgery are implemented: the state-changing request is a plain GET with
no anti-CSRF token, and the browser attaches the Basic authentication
credentials to it automatically. A logged-in administrator can therefore
be tricked into submitting requests without their knowledge or consent.
From the application's point of view these are legitimate requests from
the user and they are processed as such. This can result in, for
example, the WPA2 pre-shared key being changed.

[-] Proof of Concept:

The following link can be used to trick a logged-in user into setting the
WPA2 pre-shared key to "FooBar01":

192.168.1.1/wlsecurity.wl?wlAuthMode=psk2&wlAuth=0&wlWpaPsk=FooBar01&wlWpaGtkRekey=0&wlNetReauth=36000&wlWep=disabled&wlWpa=tkip+aes&wlKeyBit=0&wlPreauth=0
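The following Python model is an added example and is not part of the advisory or of the device firmware. It shows why the link above works (the handler applies wlWpaPsk from any request that arrives with the browser's automatically attached credentials) next to a hardened handler that applies the usual anti-CSRF controls: state changes only via POST, a per-session token that a third-party page cannot read, and an Origin/Referer check as defence in depth. The Session class, the csrf_token field name and the status codes are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

DEVICE_ORIGIN = "http://192.168.1.1"

# The advisory's proof-of-concept link, as a browser would request it.
POC_URL = ("http://192.168.1.1/wlsecurity.wl?wlAuthMode=psk2&wlAuth=0&wlWpaPsk=FooBar01"
           "&wlWpaGtkRekey=0&wlNetReauth=36000&wlWep=disabled&wlWpa=tkip+aes"
           "&wlKeyBit=0&wlPreauth=0")


class Session:
    """Constructed model of an authenticated admin session on the device."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)
        self.wpa_psk = None

    def form_token(self):
        """The device would embed this as a hidden field in its own settings form;
        an attacker's page has no way to read it."""
        return self.csrf_token


def parse_request(url):
    """Split a request URL into its path and a flat dict of query parameters."""
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


def vulnerable_wlsecurity(session, method, url, headers=None):
    """Behaviour the advisory describes: the browser attaches the admin's Basic
    auth credentials to any request for the device, so a GET triggered from a
    third-party page is indistinguishable from one the admin submitted."""
    path, params = parse_request(url)
    if path != "/wlsecurity.wl":
        return 404
    psk = params.get("wlWpaPsk")
    if psk is None:
        return 400
    session.wpa_psk = psk
    return 200


def csrf_check(session, method, params, headers):
    """Three independent controls: state changes only via POST, the request must
    carry the session's token, and if the browser sent Origin or Referer it
    must name the device. The token is the primary control; the header check
    is defence in depth, since some clients strip Referer and older browsers
    do not send Origin."""
    if method != "POST":
        return False
    if not hmac.compare_digest(params.get("csrf_token", ""), session.csrf_token):
        return False
    source = headers.get("Origin") or headers.get("Referer")
    if source and source != DEVICE_ORIGIN and not source.startswith(DEVICE_ORIGIN + "/"):
        return False
    return True


def hardened_wlsecurity(session, method, url, headers=None):
    """Same handler with the CSRF controls applied before any state change."""
    headers = headers or {}
    path, params = parse_request(url)
    if path != "/wlsecurity.wl":
        return 404
    if not csrf_check(session, method, params, headers):
        return 403
    psk = params.get("wlWpaPsk")
    if psk is None:
        return 400
    session.wpa_psk = psk
    return 200


if __name__ == "__main__":
    s = Session()
    print("vulnerable, forged GET:", vulnerable_wlsecurity(s, "GET", POC_URL), "-> PSK", s.wpa_psk)
    s = Session()
    print("hardened, forged GET:", hardened_wlsecurity(s, "GET", POC_URL))
    print("hardened, forged POST from another origin:",
          hardened_wlsecurity(s, "POST", POC_URL, {"Origin": "http://attacker.example"}))
    print("hardened, genuine form submission:",
          hardened_wlsecurity(s, "POST", POC_URL + "&csrf_token=" + s.form_token(),
                              {"Origin": DEVICE_ORIGIN}))
```

Note that HTTP Basic authentication itself is what makes the attack silent: there is no session cookie to scope with SameSite, so the token and origin checks are the only server-side way to tell the admin's own form submission from a forged one.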

===============================================================
Title: Multiple persistent Cross-Site Scripting vulnerabilities
Product: Davolink modem
Tested model: DV-2051
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk Level: Medium
Solution Status: No fix available
Discovered and Provided: Eric Flokstra
===============================================================

[-] About the Product:

The Davolink DV-2051 is an ADSL modem with four Fast Ethernet ports, a
wireless access point and VoIP (two FXS ports).

[-] Advisory Details:

The web interface lets the administrator add virtual servers that direct
incoming traffic from the WAN side to an internal server with a private
IP address on the LAN side. It was noticed that insufficient validation
is performed in several places, such as the srvName parameter sent with
the request when adding a new virtual server, and that the stored value
is later rendered into the page unescaped. This makes it possible to
execute arbitrary scripting code in the browser of any user who views the
page, by adding a persistent JavaScript payload to the application.

[-] Proof of Concept:

The following request can be used as a PoC. It adds a virtual server that
forwards port 4444 to an internal IP address, with an iframe in the
srvName field that displays a pop-up box whenever the stored entry is
rendered:

192.168.1.1/scvrtsrv.cmd?action=add&srvName=FooBar<iframe%20onload=alert(0)>&srvAddr=192.168.1.100&proto=1,&eStart=4444,&eEnd=4444,iStart=4444,&iEnd=4444,
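The following Python model is an added example and is not part of the advisory or of the device firmware. It parses the proof-of-concept URL above the way a CGI would (so the %20 becomes a space and the payload arrives as a single srvName value), renders the stored entry the way the advisory describes (unescaped concatenation into the virtual-server table) next to a hardened version, and shows the two separate fixes: an allow-list check on the name and address when the entry is written, and HTML escaping of every stored field when it is read. The table markup, the allow-list pattern and the 32-character limit are assumptions.

```python
import html
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# The advisory's proof-of-concept request, with the scheme added.
POC_URL = ("http://192.168.1.1/scvrtsrv.cmd?action=add&srvName=FooBar<iframe%20onload=alert(0)>"
           "&srvAddr=192.168.1.100&proto=1,&eStart=4444,&eEnd=4444,iStart=4444,&iEnd=4444,")

# Assumed allow-list for a virtual server name: letters, digits, space, '_', '.', '-'.
SRV_NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,32}")


def parse_request(url):
    """Split a request URL into its path and a flat dict of query parameters
    (percent-decoded, so '%20' in the PoC becomes a space)."""
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


def vulnerable_row(entry):
    """Rendering the advisory describes: the stored name is concatenated into the
    virtual-server table unescaped, so the payload runs in the browser of every
    admin who views the page (persistent XSS)."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (entry["srvName"], entry["srvAddr"])


def validate_entry(params):
    """Input validation on write: reject names outside the allow-list and
    addresses that are not IPv4. Returns the entry to store, or None (HTTP 400).
    fullmatch is used rather than match/$ so a trailing newline cannot slip past."""
    name = params.get("srvName", "")
    addr = params.get("srvAddr", "")
    if not SRV_NAME_RE.fullmatch(name):
        return None
    try:
        ipaddress.IPv4Address(addr)
    except ValueError:
        return None
    return {"srvName": name, "srvAddr": addr}


def hardened_row(entry):
    """Output encoding on read: escape every stored field for the HTML element
    context it is placed in. This also neutralises entries stored before the
    validation existed, which validation on write alone cannot do."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(entry["srvName"]), html.escape(entry["srvAddr"]))


if __name__ == "__main__":
    _, params = parse_request(POC_URL)
    print("srvName as received:", repr(params["srvName"]))
    print("vulnerable:", vulnerable_row(params))
    print("hardened:  ", hardened_row(params))
    print("validate_entry on PoC:", validate_entry(params))
    print("validate_entry on clean input:",
          validate_entry({"srvName": "FooBar", "srvAddr": "192.168.1.100"}))
```

The two fixes are deliberately independent. Validation limits what can be stored, but a device that already holds a malicious entry (or that accepts the same field through another interface) is only protected by escaping at render time, and escaping must match the context: html.escape is correct for element content and quoted attribute values, not for a value written into a script block or URL.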

[-] Disclosure Timeline:

[04 06 2016]: Vendor notification
[07 06 2016]: Vulnerability confirmed. No fix will be released.
[16 07 2016]: Public Disclosure
