D-Link Home Routers Open to Remote Takeover Will Remain Unpatched


CVE-2019-16920 allows remote unauthenticated attackers to execute code on a target device.

D-Link won’t patch a critical unauthenticated command-injection vulnerability in its routers that could allow an attacker to remotely take over the devices and execute code.

The vulnerability (CVE-2019-16920) exists in the latest firmware for the DIR-655, DIR-866L, DIR-652 and DHP-1565 products, which are Wi-Fi routers for the home market. D-Link last week told Fortinet’s FortiGuard Labs, which first discovered the issue in September, that all four of them are end-of-life and no longer sold or supported by the vendor (however, the models are still available as new via third-party sellers).

The root cause of the vulnerability, according to Fortinet, is a lack of a sanity check for arbitrary commands that are executed by the native command-execution function.

Fortinet describes this as a “typical security pitfall suffered by many firmware manufacturers.”

Exploiting the issue starts with the log-in functionality on the router’s admin page. The log-in function is handled by the /apply_sec.cgi URI: it extracts the values of “current_user” and “user_username” from Non-Volatile Random Access Memory (NVRAM), a type of RAM that retains data after a device’s power is turned off.

The function then compares the value of the current_user with the value of the variable acStack160.

“The current_user value in NVRAM will be set only after a successful user login, so by default its value is not initialized,” Fortinet researcher Thanh Nguyen Nguyen explained in a recent write-up. “The value of acStack160 is the result of base64encode(user_username), and by default the user_username is set to ‘user,’ so there is no way the iVar2 can return a value of 0, so it won’t return to the error.asp page.”

Ultimately, an attacker can perform any action in the SSC_SEC_OBJS array under the “/apply_sec.cgi” path, according to Nguyen.

For successful exploitation, “we implement the POST HTTP Request to ‘apply_sec.cgi’ with the action ping_test,” he said. “We then perform the command injection in ping_ipaddr. Even if it returns the login page, the action ping_test is still performed – the value of ping_ipaddr will execute the ‘echo 1234’ command in the router server and then send the result back to our server.”
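The two defender-side checks that follow are an added example, not code from the article, Fortinet or D-Link. The first is the “sanity check” the write-up says the firmware lacks: the ping target is accepted only if it parses as a literal IP address and is then passed to `ping` as its own argv element, so no shell ever interprets it. The second is a detection pass over constructed access-log lines (the “source METHOD PATH BODY” line format is an assumption for illustration; real router logs differ) that flags POST requests to /apply_sec.cgi carrying action=ping_test whose ping_ipaddr is not a plain address.

```python
"""Added example: validation and detection for the /apply_sec.cgi ping_test pattern.
Not code from the article, Fortinet or D-Link; log format is constructed."""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import parse_qs

# Characters that carry meaning for a POSIX shell; a ping target never needs any of them.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\\"']")


def is_valid_ping_target(value: str) -> bool:
    """The sanity check the write-up says is missing: accept only a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def build_ping_argv(target: str) -> List[str]:
    """Hardened form: validate first, then hand the address to ping as a separate argv
    element. Because no shell is invoked, metacharacters can never be interpreted."""
    if not is_valid_ping_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "4", target]


# Constructed sample log lines (hypothetical "source METHOD PATH BODY" format).
SAMPLE_LOG = [
    "203.0.113.5 POST /apply_sec.cgi action=ping_test&ping_ipaddr=192.0.2.10",
    "203.0.113.5 POST /apply_sec.cgi action=ping_test&ping_ipaddr=192.0.2.10%3Becho+1234",
    "203.0.113.7 GET /index.asp -",
    "203.0.113.9 POST /apply_sec.cgi action=ping_test&ping_ipaddr=example.org",
]


def flag_suspicious_ping_requests(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Detection pass: return (source, target, reason) for every ping_test request
    to /apply_sec.cgi whose ping_ipaddr is not a plain IP address."""
    hits = []
    for line in lines:
        try:
            src, method, path, body = line.split(" ", 3)
        except ValueError:
            continue  # malformed line, skip
        if method != "POST" or path != "/apply_sec.cgi":
            continue
        params = parse_qs(body)  # decodes %3B and '+' like the CGI would
        if params.get("action", [""])[0] != "ping_test":
            continue
        target = params.get("ping_ipaddr", [""])[0]
        if not is_valid_ping_target(target):
            reason = "shell metacharacters" if SHELL_META.search(target) else "not an IP address"
            hits.append((src, target, reason))
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_ping_requests(SAMPLE_LOG):
        print("ALERT", hit)
```

Rejecting hostnames as well as metacharacters is a deliberate choice here: an allow-list of what a value must look like is easier to reason about than a deny-list of characters, and for a diagnostic ping on a home router a literal address is all that is needed.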

At this point, attackers could retrieve the admin password, or install their own backdoor onto the server – which would allow them to install malware, snoop on traffic flowing through the router and potentially move through the home network to reach and infect other devices.

With no patch available, affected users should upgrade their devices as soon as possible.

D-Link is no stranger to vulnerabilities; in September, researchers discovered vulnerabilities in D-Link routers that can leak passwords for the devices, and which have the potential to affect every user on networks that use them for access. And in May, a researcher found attackers using the Google Cloud Platform to carry out three separate waves of DNS hijacking attacks against vulnerable D-Link and other consumer routers.


  • David Alarcon on

    Cheap routers mean cheap IT systems. You have to pay for quality, that is the only truth!
  • shiblu khan on

    This is the new normal, folks. Consumer technology is manufactured for six to twelve months, but lives in our homes for three to five years. Today's manufacturers cannot afford to update software for hardware devices they have already moved on from. Changing that requires a significant upheaval in their business models. This applies to every "connected device": printers, cell phones, home routers, refrigerators, thermostats -- you name it. Michael DeGusta did a great infographic demonstrating this for Android phones in 2011 [1, 2]. Sadly, this hasn't materially changed in the eight years since. Just this year, Google added new terms to the Android license requiring security patches, but even then only for "popular devices." [3] Imagine those dynamics in the secondary and tertiary markets of printers and refrigerators. As an industry, we've been to this rodeo before. The advancements we've made in operating system and core application security over the last 20 years have been more about patching speed and agility than shipping fewer bugs. However, those areas have backing and control from Apple and Microsoft, managing the end-to-end ecosystem. There is not a similarly equipped manufacturer of embedded operating systems with the scale to provide post-sale/post-deployment patching infrastructure. Since this is Hacker News, I'll point out the enormous opportunity to anyone who can address that problem. Can you provide an "enterprise class embedded OS" to device manufacturers and address post-deployment updates? Can you provide infrastructure device manufacturers can use to manage post-deployment updates themselves? Do you have a better approach to it? There's a burgeoning multi-billion dollar market waiting for a few leaders to take it over.
