From CSRF to Unauthorized Remote Admin Access
The intention of this article is to show how dangerous a cross-site request forgery (CSRF) vulnerability can be. It will be presented for the D-Link DIR-600 router (Hardware Version: Bx; Firmware Version: 2.16, which was the latest version at the moment of writing this article).
The CSRF vulnerability is a known issue for D-Link routers (just enter D-Link CSRF in Google). I decided to take a look at this problem and finally present how the CSRF vulnerability in three places of admin panel can be used to get unauthorized remote admin access to this device.
2. CSRF and Attack Description
Let’s briefly describe CSRF first. This vulnerability allows the attacker to forge a request of the logged-in user. As a consequence, the user does what the attacker wants to be done. It is possible, when there is no CSRF token in the request or the authorization password is not required, to perform an action. From the perspective of the receiver, everything is fine (valid authentication cookie of the user).
Due to CSRF vulnerabilities in the admin panel of the aforementioned router the attacker can:
1. add a new admin account (R/W access)
2. enable remote management of the router
3. send a ping to a machine controlled by the attacker (this way the attacker learns WAN IP of the router).
At this point, the attacker can just log in to the router. Let’s analyze the proof of concept composed of Part I and Part II (with comments).
3. Part I: Adding New Admin Account and Enabling Remote Management
Two requests are needed (REQUEST1 first, REQUEST2 second)
Comments for REQUEST1 and REQUEST2: LAN IP is 192.168.0.1 on default. Name of the admin is admin on default and can’t be changed in the GUI. The password of the admin is not changed when ==OoXxGgYy== is sent in the request. That’s why the request doesn’t change the password of admin and adds a new admin account (admin2, pass2) with R/W access. Remote management was enabled (port 2228).
Now the attacker needs to know the WAN IP of the router (described in Part II).
4. Part II: Sending Ping to Machine Controlled by the Attacker
One request is needed.
Comment: Please change X.Y.Z.W to the IP to which you want to send the ping.
At this point the attacker can just log in to the router.
It was show how severe consequences can happen as a result of the CSRF vulnerability. Due to CSRF vulnerabilities in the admin panel of the D-Link DIR-600 router (Hardware Version: Bx; Firmware Version: 2.16, the latest version at the moment of writing this article) the attacker can get unauthorized remote admin access to the device (three requests are needed to make it happen).