In this article we will look at how a CSRF vulnerability can be escalated into unauthorized remote admin access.
Introduction: CSRF to Unauthorized Remote Admin Access
The purpose of this article is to show how dangerous a cross-site request forgery (CSRF) vulnerability can be. It will be demonstrated on the D-Link DIR-600 router (hardware version: Bx; firmware version: 2.16, which was the latest version at the time of writing).
CSRF is a known issue with D-Link routers (just type D-Link CSRF into Google). I decided to look into this issue and present how CSRF vulnerabilities in three places in the admin panel can be chained to gain unauthorized remote admin access to this device.
CSRF and attack description
First, let’s briefly describe CSRF. This vulnerability allows an attacker to forge a request on behalf of a logged-in user: the user’s browser sends the request the attacker prepared, and the server performs the action. If the request carries no CSRF token and the action does not require re-entering a password, it goes through. From the server’s point of view everything looks legitimate, because the browser attaches the user’s valid authentication cookie.
Due to CSRF vulnerabilities in the admin panel of the above router, an attacker can:
- add a new administrator account (R/W access)
- enable remote management of the router
- send a ping to the machine controlled by the attacker (this way the attacker learns the WAN IP of the router).
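The reason such requests succeed is that the admin panel decides authorization from the session cookie alone. The following is an added example (not code from the article or from D-Link) that models a state-changing admin-panel handler in Python: `vulnerable_is_authorized` accepts any request that carries a valid session cookie, while `hardened_is_authorized` additionally requires the `Origin`/`Referer` header to match the panel’s own origin and a per-session CSRF token to be present in the form body. The path `/apply.cgi`, the form field names and the attacker origin are constructed for the demonstration; the LAN address 192.168.0.1 is the router default from the article.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Origin of the admin panel (router LAN IP from the article). Assumed scheme: plain http.
PANEL_ORIGIN = "http://192.168.0.1"


@dataclass
class Session:
    user: str
    # Per-session token the legitimate panel pages embed in every state-changing form.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict
    form: dict


SESSIONS: dict = {}


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_hex(8)
    SESSIONS[sid] = Session(user)
    return sid


def vulnerable_is_authorized(req: Request) -> bool:
    """Cookie-only check: the pattern CSRF abuses. A forged cross-site request
    still carries the victim's cookie, so it is accepted."""
    return req.cookies.get("session") in SESSIONS


def _origin_matches(req: Request) -> bool:
    # Browsers send Origin on cross-site POSTs; fall back to Referer for older clients.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        return False  # no origin information on a state change: refuse
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}" == PANEL_ORIGIN


def hardened_is_authorized(req: Request) -> bool:
    """Session cookie + same-origin check + synchronizer token for state changes."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return False
    if req.method in ("GET", "HEAD"):
        return True  # read-only; handlers that change state must not accept GET
    if not _origin_matches(req):
        return False
    token = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(token, sess.csrf_token)


def build_requests(sid: str):
    """Constructed sample traffic: a cross-site forged POST and a legitimate one."""
    sess = SESSIONS[sid]
    forged = Request(
        "POST", "/apply.cgi", {"session": sid},
        {"Origin": "http://attacker.invalid"},            # hypothetical attacker page
        {"action": "add_admin", "user": "admin2"},        # no token: attacker cannot read it
    )
    legit = Request(
        "POST", "/apply.cgi", {"session": sid},
        {"Origin": PANEL_ORIGIN},
        {"action": "add_admin", "user": "admin2", "csrf_token": sess.csrf_token},
    )
    return forged, legit


if __name__ == "__main__":
    sid = login("admin")
    forged, legit = build_requests(sid)
    print("vulnerable accepts forged:", vulnerable_is_authorized(forged))  # True
    print("hardened accepts forged:  ", hardened_is_authorized(forged))    # False
    print("hardened accepts legit:   ", hardened_is_authorized(legit))     # True
```

The token check alone would already stop the forged request, because a cross-site page cannot read the victim’s panel HTML to learn the token; the origin check is a second, independent layer that also covers the GET-based variants (image tags, links) that the token cannot protect if a handler wrongly accepts GET.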
Once these three actions have been performed, all that is left for the attacker is to log in to the router. Let’s analyze the proof of concept, composed of Part I and Part II (with comments).
- Part I: Adding a new administrator account and enabling remote administration
Two requests are needed (REQUEST1 first, REQUEST2 second).
Comments for REQUEST1 and REQUEST2: the LAN IP is 192.168.0.1 by default. The admin name defaults to admin and cannot be changed in the GUI. The admin password is left unchanged when the value ==OoXxGgYy== is sent in the request. Therefore the request does not change the admin password, but adds a new admin account (admin2, pass2) with R/W access. Remote administration (port 2228) is enabled.
Now the attacker needs to know the router’s WAN IP (described in Part II).
- Part II: Sending a Ping to a Machine Controlled by the Attacker
One request is required.
Comment: please change X.Y.Z.W to the IP address to which the ping should be sent.
At this point the attacker can just log in to the router.
It has been shown how serious the consequences of a CSRF vulnerability can be. Due to CSRF vulnerabilities in the admin panel of the D-Link DIR-600 router (hardware version: Bx; firmware version: 2.16, the latest version at the time of writing), an attacker can gain unauthorized remote administrative access to the device (three requests are needed to do it).