Vulnerabilities that leave some D-Link routers open to remote attacks have been discovered. An exploit could give an attacker root access, allow DNS hijacking and more.
D-Link said that it is looking into the problems, and noted in an advisory that there are three reported flaws. The first could allow a malicious user connected to the LAN side of the device to use the device's upload utility to load malicious code without authentication. The second relates to the device’s ping utility, which might permit command injection without authentication. The third may let a malicious user exploit certain chipset utilities in the firmware, potentially permitting an attack that discloses information about the device's configuration.
“The D-Link DIR636L (possibly others) incorrectly filters input on the ‘ping’ tool which allows to inject arbitrary commands into the router,” said Tiago Caetano Henriques of Swisscom, who discovered the main issue back in November. “Secondly, authentication is not being performed correctly. This enables a remote attacker to gain full control of the router, for example to attack other networks in a DDoS style attack, or even expose computers behind these devices to the internet as you are able to change firewall/NAT rules on this router.”
Researcher Peter Adkins independently discovered the flaw in January, and said that it has yet to be patched by the vendor. Adkins said that D-Link stopped communicating with him a few weeks after he started the notification process.
“D-Link initially responded on their security contact within a week,” he said in a posting on GitHub. “However, after I had provided write-ups of these vulnerabilities it went quiet. In over a month I have been unable to get any sort of response from D-Link, including as to whether they have managed to replicate these issues or when there will be a fix. I contacted D-Link support as a last-ditch effort to reestablish contact; however, I was linked back to the same security-reporting process I had followed initially.”
The issue is not trivial: “Due to the nature of the ping.ccp vulnerability, an attacker can gain root access, hijack DNS settings or execute arbitrary commands on these devices with the user simply visiting a webpage with a malicious HTTP form embedded (via CSRF),” Adkins explained.