D-Link Home Routers Open to Remote Takeover Will Remain Unpatched

d-link home router CVE-2019-16920

CVE-2019-16920 allows remote unauthenticated attackers to execute code on a target device.

D-Link won’t patch a critical unauthenticated command-injection vulnerability in its routers that could allow an attacker to remotely take over the devices and execute code.

The vulnerability (CVE-2019-16920) exists in the latest firmware for the DIR-655, DIR-866L, DIR-652 and DHP-1565 products, which are Wi-Fi routers for the home market. D-Link last week told Fortinet’s FortiGuard Labs, which first discovered the issue in September, that all four of them are end-of-life and no longer sold or supported by the vendor (however, the models are still available as new via third-party sellers).

The root cause of the vulnerability, according to Fortinet, is a lack of a sanity check for arbitrary commands that are executed by the native command-execution function.

Fortinet describes this as a “typical security pitfall suffered by many firmware manufacturers.”

Exploiting the issue starts with the log-in functionality on the admin page for the router. The log-in function is performed using the  URI /apply_sec.cgi function – it extracts the value of “current_user” and “user_username” from the Non-Volatile Random Access Memory (NVRAM), which is a type of RAM that retains data after a device’s power is turned off.

The function then compares the value of the current_user with the value of the variable acStack160.

“The current_user value in NVRAM will be set only after a successful user login, so by default its value is not initialized,” Fortinet researcher Thanh Nguyen Nguyen explained in a recent write-up. “The value of acStack160 is the result of base64encode(user_username), and by default the user_username is set to ‘user,’ so there is no way the iVar2 can return a value of 0, so it won’t return to the error.asp page.”

Ultimately, an attacker can perform any action in the SSC_SEC_OBJS array under the “/apply_sec.cgi” path, according to Nguyen.

For successful exploitation, “we implement the POST HTTP Request to ‘apply_sec.cgi’ with the action ping_test,” he said. “We then perform the command injection in ping_ipaddr. Even if it returns the login page, the action ping_test is still performed – the value of ping_ipaddr will execute the “echo 1234″ command in the router server and then send the result back to our server.”

At this point, attackers could retrieve the admin password, or install their own backdoor onto the server – which would allow them to install malware, snoop on traffic flowing through the router and potentially move through the home network to reach and infect other devices.

With no patch available, affected users should upgrade their devices as soon as possible.

D-Link is no stranger to vulnerabilities; in September, researchers discovered vulnerabilities in D-Link routers that can leak passwords for the devices, and which have the potential to affect every user on networks that use them for access. And in May, a researcher found attackers using the Google Cloud Platform to carry out three separate waves of DNS hijacking attacks against vulnerable D-Link and other consumer routers.

What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.

Suggested articles