Search This Blog

Showing posts with label CSRF vulnerability. Show all posts

Six New Vulnerabilities Found in DIR-865L Model of D-Link Routers


Over the last few months, the cyber world witnessed an alarming spike in the number of malicious attacks, it's seen as a direct result of more and more people working from home. As organizations have been experiencing unprecedented cybersecurity challenges, it has become even more crucial for users to keep their networks updated and hence secured.

DIR-865L model of D-Link routers, designed for monitoring home network from anywhere, was found to be containing six vulnerabilities as follows:

1. CVE-2020-13782 [Improper Neutralization of Special Elements used in a Command (Command Injection)]: A backend engine known as cgibin.exe controls the web interface for this router; attackers can place arbitrary code to be executed with administrative privileges.

2. CVE-2020-13786 [Cross-Site Request Forgery (CSRF)]: Threat actors can intercept data present on sections under password protection by capturing the network traffic; the router's web interface consists of various pages that are vulnerable to this security flaw.

3. CVE-2020-13785 (Inadequate Encryption Strength): The attackers can learn a user's password via a brute force attack carried offline on the basis of information that's sent to the client from the router when the user logs into the SharePort Web Access portal in port 8181.

4. CVE-2020-13784 (Predictable Seed in Pseudo-Random Number Generator): By exploiting this vulnerability, the attackers can deduce the information required to perform CSRF attacks even if the router is encrypting session information using HTTPS.

5. CVE-2020-13783 (Cleartext Storage of Sensitive Information): When an attacker attempts to acquire the admin password stored in the tools_admin.php page, he requires physical access to a logged-on machine as credentials sent over the wire are not clear. Once the attacker acquires physical access, he can view the password via the HTML source of the page.

6. CVE-2020-13787 (Cleartext transmission of sensitive information): Attackers capturing network traffic and stealing data can access the password used for guest wifi network, it's done via an option 'Wired Equivalent Privacy' (WEP).

These 6 newly discovered vulnerabilities by Palo Alto Networks' Unit 42 researchers in the D-Link DIR-865L home wireless router can be exploited all at once to run arbitrary commands, delete information, upload malware, exfiltrate data or intercept information and obtain user credentials illicitly.

To stay protected against the session hijacking attacks, users are advised to default all traffic to HTTPS and stay updated with the latest available version of the firmware with fixes, one can find the firmware on the D-Link's website. The website also provides a 'how-to' tutorial for changing the time zone on the router for the users to further defend themselves from possible malicious attacks.

Namecheap CSRF Vulnerability could lead to DNS Hijacking

A Security researcher Henry Hoggard has discovered a cross site request forgery(CSRF) vulnerability in the Namecheap website that could lead attackers to hijack the DNS records.

An attacker could have exploited this vulnerability and redirect the websites to fake website.  The attacker could also have managed to display defacement message.

In his blog post, the researcher said the vulnerability could allowed hackers to redirect MX records and intercept email.

Screenshot of POC code


In an email sent to ThreatPost, the researcher said "This would have impacted all customers, which I’m sure is a lot of high profile websites, as Namecheap is one of the most popular domain registrars"

Henry informed namecheap about the bug in June 2013.  However, they took several months to fix the vulnerability(23th December), finally implemented the CSRF token.

Source: ThreatPost

Vulnerabilities in RunKeeper website could allow hackers to run XSS worm

A security researcher David Sopas has discovered a Cross site scripting and Cross Site Request Forgery(CSRF) vulnerabilities in the RunKeeper website, official site of popular GPS fitness-tracking application.

The POST request in the "Account Setting" page failed to use security token to validate the request results in CSRF vulnerability.  It could allowed cybercriminals to modify information of an authenticated user by tricking them into clicking a crafted link that will send a malicious request.

The Persistent XSS vulnerability on user Account Settings and on the profile page poses a potential security risk.  The cybercriminals could have launched a malicious cyber attack and infect millions of users.


Creating Hybrid attack that take advantage of XSS and CSRF vulnerabilities results in hijacking user profile. Hackers also could have modified POC little bit and run an XSS worm.

Runkeeper fixed these security issues immediately after got a notification from Sopas.

D-Link Routers vulnerability allows Hackers to redirect Your Internet traffic to target server


A Security Researcher Michael Messner has identified multiple vulnerabilities in D'Link DIR-600 and DIR-300 routers that allows hackers to execute arbitrary shell commands.

According to researcher blog post, the vulnerability is caused by missing access restrictions and missing input validation in the cmd parameter .

The OS Command Injection vulnerability allows attacker to start telnetd to compromise the device.

CSRF vulnerability: For changing the password, there is no request to the current password. So, a hacker can change the password without knowing the current password, by sending malicious script to victim that sends request to change the password.

The researcher identified that there is no password hashing implemented and saves root password in plain text in the var/passwd file.

According to H-online report, a hacker can exploit the vulnerability for redirecting a router's entire internet traffic to a third-party server.

Messner send notification about the vulnerability to D-Link but they responded that the issue is browser related and they will not provide a fix.

Multiple Vulnerabilities in BitDefender website

A Security Researcher from crackhackforum.com, Rynaldo, has discovered multiple Vulnerabilities in one of the Biggest Antivirus company called "BitDefender".

The researcher claimed that he sent several emails to BitDenfender's team, butthey haven't responded nor fixed the vulnerabilities neither.

"The website is having several reflected XXS vulnerabilities and the CSRF
vulnerability. Also I have found a way to cause DOS attack on the local
server to take BitDefender temporarely down." Rynaldo said.

CSRF attack : https://my.bitdefender.com/en_us/my/#page=account.index hacker is able to perform CSRF attack to change the details on the user's profile.CSRF tokens aren't implemented and password isn't required to change information on the profile.

Reflected XSS

XSS attack :
"my.bitdefender.com/en_us/", this page will set the language specifications on the URL (en_us), but haven't secured it very well. That means by removing the language specification with our XSS payload then our XSS script will be executed. Language specifications are being forced on the URL on every page and that means we can inject our XSS in every page on "my.bitdefender.com".

CSRF Vulnerability in 160By2 and Way2Sms allows hacker to send sms from victim account

I have discovered Cross Site Request Forgery (CSRF) Vulnerability in Top Online-based SMS sending service websites 160By2.com and Way2SMS.com.  Let me start with security flaw in the 160By2 because it is critical one.

CSRF  in 160By2:
The vulnerability allows hackers to send SMS from the target victim account to any mobile. I've discovered this flaw when i was sending New Year wishes to my friends.

The vulnerability resides in the "SMS alerts" page.  This page allows user to send Schedule SMS. Unfortunately, this page fails to check whether the request is coming from the user or not with the help of CSRF token.

So It is easy for an attacker to lure victim into click a crafted-link that sends malicious request to server.
CSRF Vulnerability in 160BY2
Hackers can modify the request such that it can send sms to anyone at any time.

Solution:
While sending the above request, include and verify "action" value that you have used in the main sms sending page.


CSRF in Way2SMS:
This vulnerability just allows hacker to change the name of the victim with a crafted-request.



Solution:
While sending the above request, include and verify "action" value that you have used in the main sms sending page.

I tried to notify both websites regarding the issue with solution to fix the vulnerability.  But there is no response from their side.  So i planned to publish the details .

Note: Previously, i discovered Persistent XSS vulnerability and notified 160By2 . But they failed to respond that time also.

U.S Department of Transportation vulnerable to CSRF,SQLi and XSS

wiki boat brazil

The Hacker group called as 'The Wiki Boat Brazil' has discovered three critical vulnerabilities in the official websites of U.S Department of Transportation(dot.gov).

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request to the server. 

The site found to be vulnerable to Cross-site request forgery(CSRF) attack. The hackers provided us the POC for the CSRF attack. This vulnerability allows attackers CSRF to change user to admin , if admin user click the specially-crafted link .

They've also discovered SQL Injection vulnerability in the ITS Deployment Statistics sub domain of U.S. Department of Transportation (www.itsdeployment.its.dot.gov).

Environmental Review Toolkit page(www.environment.fhwa.dot.gov) vulnerable to Non-persistent Cross site scripting(XSS) attack.

They've also leaked some data compromised from Federal Highway Administration(www.fhwa.dot.gov).

Few days back, they have attacked the  Ministry of Finance and Federal Police sites in Brazil.

The details can be found here:
http://thewikiboatbrazil.com.br/DOT

CSRF Vulnerability in Twitter Translation Center

csrf vulnerability exploit

A Security Researcher, Prakhar Prasad , has dicovered a Cross-site request forgery(CSRF) Vulnerability in the Twitter Translation Center (translate.twttr.com) that allows attacker to Change Badge and Notification Settings.

The "Account Settings" page of Twitter Translation center has two options; First one toggles the Twitter Badge setting on Twitter.com and second one  toggles the badge related notification.

When a user click the Save changes button, it will send a post request to server.  In the post content, there is parameter 'authenticity_token'.

Normally, to prevent CSRF attacks, authenticity_token needs to be verified on server-side but twitter team failed to verify the authenticity_token.  It results in CSRF vulnerability..

Researcher sent notification to Twitter Security Team with a proof-of-concept. The Twitter immediately replied and said the team is investigating the issue.

The vulnerability has been fixed on 16th october; Now authenticity_token gets checked on the server-side . Any modification to the token results in an error page.

AMol NAik earned $5000 after finding CSRF vulnerability in Facebook


An Indian Security Researcher, AMol NAi, has discovered a critical vulnerability in the Social network giant Facebook. He earned $5000 for notifying Facebook about the vulnerability.

He has discovered a cross-site request forgery (CSRF) vulnerability that allows an attacker to execute actions as a logged-in user by accessing specific URLs.

After Facebook introduced its App Center functionality, AMol NAik discovered that the anti-CSRF tokens in HTTP requests are apparently not validated on the server side and that an attacker is therefore able to add applications on the platform as another user.
"There are many new parameters added in this new feature. Parameter 'fb_dtsg' is like token and 'perm' are the permissions required by the apps. Parameters 'redirect_url','app_id' are app specific values. Remaining parameters seems static except 'new_perms' & 'orig_perms'. I started to play with these two dynamic params and after few attempts, I knew that these params no longer needed to add an app." Researcher said in his blog.

"Anti-CSRF tokens like 'fb_dtsg' supposed to get validated at server-side. I was shocked to see that in this new feature, somehow developer missed this point and it was possible to add app without 'fb_dtsg'. Bang!!"

To execute this attack, the attacker merely needs the victim to visit a specially crafted web site, after which malicious applications can be planted on the App Center.

Anti-CSRF measures like the ones employed by Facebook are supposed to prevent this kind of attack by generating a token with every valid session that has to be sent by the client with every request. Scripts on other web sites have no access to this token and therefore can not generate valid requests. In Facebook's case, the App Center pages did not actually check the token for validity, which allowed anyone to send bogus requests and have them accepted.


The Facebook Security team fixed the vulnerability within one day of being contacted by AMol NAik.