
From CSRF to Unauthorized Remote Admin Access

January 21, 2014 by Dawid Czagan

1. Introduction

The intention of this article is to show how dangerous a cross-site request forgery (CSRF) vulnerability can be. It will be presented for the D-Link DIR-600 router (Hardware Version: Bx; Firmware Version: 2.16, which was the latest version at the moment of writing this article).


The CSRF vulnerability is a known issue for D-Link routers (just enter "D-Link CSRF" in Google). I decided to take a look at this problem and show how CSRF vulnerabilities in three places of the admin panel can be chained to get unauthorized remote admin access to this device.

2. CSRF and Attack Description

Let's briefly describe CSRF first. This vulnerability allows the attacker to forge a request on behalf of a logged-in user. As a consequence, the user's browser performs the action the attacker wants. This is possible when there is no CSRF token in the request, or when no authorization password is required to perform the action. From the perspective of the receiver, everything looks fine: the request carries the user's valid authentication cookie.

Due to CSRF vulnerabilities in the admin panel of the aforementioned router the attacker can:

1. add a new admin account (R/W access)

2. enable remote management of the router

3. send a ping to a machine controlled by the attacker (this way the attacker learns WAN IP of the router).

At this point, the attacker can just log in to the router. Let's analyze the proof of concept composed of Part I and Part II (with comments).

3. Part I: Adding New Admin Account and Enabling Remote Management

Two requests are needed (REQUEST1 first, REQUEST2 second).

REQUEST1:

[html]






[/html]

REQUEST2:

[html]






[/html]

Comments for REQUEST1 and REQUEST2: the LAN IP is 192.168.0.1 by default. The admin's name is admin by default and can't be changed in the GUI. The admin's password is not changed when ==OoXxGgYy== is sent in the request. That's why the request leaves the admin password untouched and adds a new admin account (admin2, pass2) with R/W access. Remote management is enabled on port 2228.

Now the attacker needs to know the WAN IP of the router (described in Part II).

4. Part II: Sending Ping to Machine Controlled by the Attacker

One request is needed.

REQUEST3:

[html]






[/html]

Comment: Please change X.Y.Z.W to the IP to which you want to send the ping.

At this point the attacker can just log in to the router.
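The root cause described in section 2 is that the admin panel accepts a state-changing request on the strength of the session cookie alone. As an added example that is not from the article or from D-Link's firmware, here is a minimal server-side check (hypothetical names; the Origin/Referer test, the per-session token and the current-password field are assumptions) that would reject all three forged requests above while still allowing the same actions from the real admin page:

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of an admin-panel session and request (hypothetical names,
# not the DIR-600 firmware's code); LAN IP and port 2228 are from the article.
ADMIN_ORIGIN = "http://192.168.0.1"
SENSITIVE_ACTIONS = {"add_admin", "set_remote_mgmt"}

@dataclass
class Session:
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    admin_password: str = "constructed-admin-pw"  # placeholder, not a real value

@dataclass
class Request:
    action: str
    headers: dict
    form: dict

def check_request(session, req):
    """Return (allowed, reason); a valid session cookie alone never suffices."""
    # 1. A forged request from another site carries the victim's cookie but a
    #    foreign Origin (or Referer, for browsers that send no Origin header).
    origin = req.headers.get("Origin")
    referer_ok = req.headers.get("Referer", "").startswith(ADMIN_ORIGIN + "/")
    if origin != ADMIN_ORIGIN and not (origin is None and referer_ok):
        return False, "origin mismatch"
    # 2. Per-session synchronizer token, compared in constant time.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session.csrf_token):
        return False, "missing or bad csrf token"
    # 3. Adding an admin or enabling remote management also needs the current
    #    password, so even a leaked token cannot add admin2 or open port 2228.
    if req.action in SENSITIVE_ACTIONS and not hmac.compare_digest(
            req.form.get("current_password", ""), session.admin_password):
        return False, "password re-authentication required"
    return True, "ok"

def demo():
    s = Session()
    forged = Request("add_admin", {"Origin": "http://attacker.example"},
                     {"user": "admin2", "password": "pass2"})
    legit = Request("add_admin", {"Origin": ADMIN_ORIGIN},
                    {"user": "admin2", "password": "pass2", "csrf_token": s.csrf_token,
                     "current_password": s.admin_password})
    no_reauth = Request("set_remote_mgmt", {"Origin": ADMIN_ORIGIN},
                        {"port": "2228", "csrf_token": s.csrf_token})
    return {"forged": check_request(s, forged), "legit": check_request(s, legit),
            "no_reauth": check_request(s, no_reauth)}
```

The ping request of Part II is not account-changing, so it only needs the origin and token checks; the forged version still fails because the attacker's page cannot read the victim's per-session token.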

5. Summary


It was shown how severe the consequences of a CSRF vulnerability can be. Due to CSRF vulnerabilities in the admin panel of the D-Link DIR-600 router (Hardware Version: Bx; Firmware Version: 2.16, the latest version at the moment of writing this article), the attacker can get unauthorized remote admin access to the device (three requests are needed to make it happen).

Dawid Czagan

Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing services with a results-driven approach. He also works as Security Architect at Future Processing.

Dawid shares his bug hunting experience in his workshop entitled "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more". To find out about the latest in Dawid's work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter (@dawidczagan).