Taking over the D-Link DIR865L
- The DIR865L can be taken over by a remote adversary through CSRF attack.
The DIR865L router is susceptible to several CSRF attacks, which allow an attacker to forge HTML forms and execute actions on behalf of a legitimate user. ISE created a proof of concept that when executed by an unsuspecting device administrator, changes the administrator credentials and enables remote management services.
- The victim must have an active management session with the router.
- The victim must be fooled in to performing an action (e.g., by clicking an attacker provided link), browse to a malicious or compromised site, or be the victim of a man-in-the-middle attack.
All HTML forms present in the D-Link DIR865L are susceptible to Cross-Site Request Forgery.
- Vulnerable Firmware is 1.03.
- Other versions of the firmware were not tested.
A successful attack exploiting this vulnerability can give a remote adversary full control of the victim router.
Recommendations to the vendor
- Cross-Site request forgery can be prevented by including an unpredictable token in each HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user, but it is recommended that each HTML form delivered contain a unique token.
- In addition to HTML form tokens, HTTP referrer checking should be enabled.
- Validate HTTP Basic Authentication Header for all HTTP requests.
- Additional information for vendors regarding immediate and long term fixes for these issues can be found on our summary page here.
Recommendations to device administrators
- (4/13/2013) There is not currently an available firmware upgrade that will remedy this vulnerability.
- Take additional preventative measures and precautions by following the steps outlined on our summary page here.
Proof of Concept
In the following proof of concept attack, we assume that a device administrator with an active management session established with the router has browsed to a malicious web page. Once there, a series of automatic form submissions take place, one after the other, to the administrator's router, from the administrator's browser. Since the administrator has a current session established with the router, the form submissions are processed.
The first form (Figure 1) is pre-filled out with the information required to set the administrator password to "ISE" and enable remote management on port 1337. The second form completes the action, by instructing the D-Link to save the settings it has been given.
At this point, the attacker can remotely administer, and thereby remotely control the router.
- CVE-2013-3095: Cross-Site Request Forgery
- CVE-2013-3096: Unauthenticated Hardware Linking
- Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
- For more information on this particular Belkin hack, you can contact us at email@example.com
- Alternatively, for more general information on ISE, you can reach us using firstname.lastname@example.org