Support Announcements
(non-US) DWR-113 Rev. Ax - FW v. 2.02 or older :: CVE-2014-3136 :: CSRF causing Denial of Service

 

Overview

 

The DWR-113 Rev. Ax firmware 2.02 and older is susceptible to a CSRF vulnerability, which allows an attacker to forge HTML forms and execute actions in an authorized (logged-in) browser session. This vulnerability allows an attacker to perform denial of service exploits that may cause the device to be unreliable.

 

D-Link Security Incident Response Policy

 

All public communication on this issue will be offered at https://support.dlink.com

Our security response team can be contacted for incident information or to report incidents at security@dlink.com

For any non-critical security issue, help in updating firmware, or configuration regarding this issue, please contact your D-Link Customer care channel.

 

Reference

 

Author - Blessen Thomas - blessenthomas75@gmail.com

CVE-2014-3136

 

General Disclosure

 

Security and performance are of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed. We will continue to update this page to include the relevant product firmware updates addressing these concerns. In the meantime, you can exercise the below cautions to avoid unwanted intrusion into your D-Link product.

 

Immediate Recommendations for all D-Link router customers

     

  • Do not enable the Remote Management feature, since this will allow malicious users to use this exploit from the internet. Remote Management is disabled by default on all D-Link routers and is included for customer care troubleshooting if useful and the customer enables it.
  • If you receive unsolicited e-mails that relate to security vulnerabilities and prompt you to action, please ignore them. When you click on links in such e-mails, it could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages where you are asked to click or install something.
  • Make sure that your wireless network is secure.
  • Do not provide your admin password to anyone. If required, we suggest updating the password frequently.

 

Description

 

We encourage you to contact the author for further information at blessenthomas75@gmail.com. The author can provide further details.

 

In order to avoid miscommunication, the following is taken directly from the author's report:

 

It was observed that the D-Link DWR-113 wireless router is vulnerable to a denial of service attack via a CSRF (Cross-Site Request Forgery) vulnerability.

An attacker could craft a malicious CSRF exploit to change the password in the password functionality when the user (admin) is logged in to the application, as the user interface (admin panel) lacks the CSRF token or nonce to prevent an attacker from changing the password.

An attacker can manipulate user data by sending him a maliciously crafted URL.

As a result, as soon as the crafted malicious exploit is executed the router is rebooted and the user is forced to wait for a few minutes so that the changes could be made in the settings of the router.

Now it is observed that even though the attacker’s password doesn’t work, neither does the user’s current password work, and the user tries a lot to get logged in to the interface admin panel of the router using the user’s current password.

Finally the user is forced to reset the router’s device physically, thus leading to a denial of service condition.

Every time the user is forced to reset the device manually which is a cumbersome process.



Proof of Concept code (exploit)

Restart Router by CSRF

<html>
  <!-- CSRF PoC --->
  <body>
    <form action="http://192.168.0.1/rebo.htm">
      <input type="hidden" name="S00010002" value="test" />
      <input type="hidden" name="np2" value="test" />
      <input type="hidden" name="N00150004" value="0" />
      <input type="hidden" name="N00150001" value="" />
      <input type="hidden" name="N00150003" value="1080" />
      <input type="hidden" name="&#95;cce" value="0x80150002" />
      <input type="hidden" name="&#95;sce" value="&#37;Ssc" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
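
The control the report says is missing (no CSRF token or nonce on the admin panel), sketched as an added example; it is not D-Link's firmware code and not part of the author's report. The function names, the `csrf_token` field and the sample requests are assumptions; only the address, path and form fields come from the PoC above.

```python
import hmac
import secrets
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.0.1"   # address used in the PoC above
STATE_CHANGING_PATHS = {"/rebo.htm"}   # path from the PoC; the set is an assumption

def new_session():
    """Create a logged-in session holding a random per-session CSRF token."""
    return {"csrf_token": secrets.token_urlsafe(32)}

def same_origin(headers):
    """True when Origin (or, failing that, Referer) names the router itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == ROUTER_ORIGIN

def check_request(session, method, path, headers, params):
    """Return (allowed, reason) for a request made in an authenticated session."""
    if path not in STATE_CHANGING_PATHS:
        return True, "read-only page"
    if method != "POST":
        return False, "state change must use POST"
    if not same_origin(headers):
        return False, "cross-origin or missing Origin/Referer"
    sent = params.get("csrf_token", "")
    # Constant-time comparison against the token stored server-side.
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

# Constructed sample requests (not captured traffic); fields mirror the PoC form.
SESSION = new_session()
POC_PARAMS = {"S00010002": "test", "np2": "test", "N00150004": "0",
              "N00150001": "", "N00150003": "1080",
              "_cce": "0x80150002", "_sce": "%Ssc"}
FORGED_GET = ("GET", "/rebo.htm", {"Referer": "http://other-site.example/p.html"}, POC_PARAMS)
FORGED_POST = ("POST", "/rebo.htm", {"Origin": "http://other-site.example"}, POC_PARAMS)
NO_TOKEN = ("POST", "/rebo.htm", {"Origin": ROUTER_ORIGIN}, POC_PARAMS)
LEGIT = ("POST", "/rebo.htm", {"Origin": ROUTER_ORIGIN},
         dict(POC_PARAMS, csrf_token=SESSION["csrf_token"]))

if __name__ == "__main__":
    for name, req in [("forged GET", FORGED_GET), ("forged POST", FORGED_POST),
                      ("same-origin, no token", NO_TOKEN), ("legitimate", LEGIT)]:
        print(name, check_request(SESSION, *req))
```

The PoC form declares no `method`, so the browser submits it as a GET; the first check alone stops that request, and the origin and token checks cover a forged POST.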

 

Affected Products

 

 

| Model Name | HW Version | Current FW Version | New FW Version for this exploit fix |
|---|---|---|---|
| DWR-113 | Ax | v. 2.02 and older | Firmware: v. 2.03b02 (Release Notes) |

 

Security patch for your D-Link router

 

These firmware updates address the security vulnerabilities in affected D-Link routers. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

 

As there are different hardware revisions of our products, please check the revision on your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, it can also be found in the device web configuration.

 

To update the firmware, please log in to the Web-GUI interface of your device and, from the menu, select Maintenance -> System -> Upgrade Firmware. If you require help, please contact your regional D-Link customer care website for options.