D-Link Routers Haunted by Remote Command Injection Bug

Some D-Link routers contain a vulnerability that leaves them open to remote attacks that can give an attacker root access and allow DNS hijacking and other attacks.

The vulnerability affects a number of D-Link’s home routers, and the key details of the flaw have been made public by one of the researchers who discovered it. Peter Adkins discovered the bug in January and began communicating with D-Link about the problem, but the company stopped responding to inquiries a few weeks later. Meanwhile, another researcher, Tiago Caetano Henriques of Swisscom, had discovered the vulnerability back in November and begun the reporting process, too.

“The D-Link DIR636L (possibly others) incorrectly filters input on the ‘ping’ tool which allows to inject arbitrary commands into the router. Secondly, authentication is not being performed correctly. This enables a remote attacker to gain full control of the router, for example to attack other networks in a DDoS style attack, or even expose computers behind these devices to the internet as you are able to change firewall/nat rules on this router,” the advisory from Swisscom says.
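The input-filtering half of the flaw the advisory describes can be closed by validating the ping target and never passing it through a shell. The following is an added example, not code from the advisories or from D-Link firmware; the function names `ping_target_is_safe` and `run_ping` are hypothetical, and it does not address the separate authentication and CSRF problems.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: accept only an IP literal or a plain hostname. */
int ping_target_is_safe(const char *s)
{
    unsigned char buf[16];              /* large enough for an IPv6 address */
    size_t len, i;
    if (s == NULL || (len = strlen(s)) == 0 || len > 253)
        return 0;
    if (inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1)
        return 1;
    /* Hostname: letters, digits, '-' and '.' only. A leading '-' is
     * rejected so the value can never be read as a ping option. */
    if (s[0] == '-' || s[0] == '.')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;                   /* rejects ; | & $ ` space, quotes, newlines */
    }
    return 1;
}

/* Run one ping without a shell. Returns ping's exit status, or -1 if the
 * target was rejected or the process could not be started. */
int run_ping(const char *target)
{
    pid_t pid;
    int status;
    if (!ping_target_is_safe(target))
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        /* Argument vector: target is a single argv entry, never parsed by /bin/sh. */
        execlp("ping", "ping", "-c", "1", "--", target, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    return (argc == 2 && run_ping(argv[1]) == 0) ? 0 : 1;
}
```

The allowlist and the shell-free `execlp` call are independent layers: either one alone stops shell metacharacters in the target from being interpreted as commands.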

The vulnerability advisory from Adkins says that several other versions of D-Link’s routers are vulnerable, as well as one router from TRENDnet, including:

  • D-Link DIR-820L (Rev A) – v1.02B10
  • D-Link DIR-820L (Rev A) – v1.05B03
  • D-Link DIR-820L (Rev B) – v2.01b02
  • TRENDnet TEW-731BR (Rev 2) – v2.01b01

“Due to the nature of the ping.ccp vulnerability, an attacker can gain root access, hijack DNS settings or execute arbitrary commands on these devices with the user simply visiting a webpage with a malicious HTTP form embedded (via CSRF),” Adkins said in a description of the issue on GitHub.

There are no patches available for the vulnerability right now. Adkins said that his communication with the vendor broke down more than a month ago.

“D-Link initially responded on their security contact within a week. However, after I had provided write ups of these vulnerabilities it went quiet. In over a month I have been unable to get any sort of response from D-Link, including as to whether they have managed to replicate these issues or when there will be a fix. I contacted D-Link support as a last ditch effort to reestablish contact, however I was linked back to the same security reporting process I had followed initially,” he said in the GitHub

 
