Multiple D-Link Routers Open to Complete Takeover with Simple Attack

The vendor only plans to patch two of the eight impacted devices, according to a researcher.

Eight D-Link routers in the company’s small/home office “DWR” range are vulnerable to complete takeover – but the vendor said it is planning on only patching two, according to a researcher.

Błażej Adamczyk of the Silesian University of Technology in Poland discovered the vulnerabilities in May, uncovering that they affect the DWR-111, DWR-116, DWR-140, DWR-512, DWR-640, DWR-712, DWR-912 and DWR-921 models. However, he claims that D-Link told him that only the DWR-116 and 111 would be patched, because the rest have reached end-of-life and will no longer be supported.

However, D-Link hasn’t issued the two promised patches, so after warning the vendor in September that he would publicly disclose the flaws if they weren’t addressed within a month, Adamczyk has published his findings, along with a proof-of-concept video.

A full compromise including remote command-injection can be achieved by linking three cascading vulnerabilities together to attack the router’s web-based settings panel. This can be done from a local network device or from the internet, depending on the configuration of the network. Most small/home office (SOHO) users have a fairly simple set-up, with the routers connecting directly to an internet connection to feed bandwidth to multiple WiFi devices inside the home or office. That presents a pretty straightforward attack surface for an attacker.

First, a directory-traversal bug (CVE-2018-10822) exists in the web interface for the D-Link routers, which allows remote attackers to read arbitrary files via a /.. or // after a “GET /uir” in an HTTP request. This allows the bad guys to move laterally and read files in other directories, including password files.

That’s where a second vulnerability (CVE-2018-10824) comes in: Passwords are stored in plaintext, including the administrative password, which can be found in a temporary file.

In a proof-of-concept, a basic command returns a binary configuration file which contains administrative username and password in cleartext as well as many other router configuration settings. Thus, by using the directory traversal vulnerability, it is possible to read the file without authentication.

“The attack is too simple,” Adamczyk said in a recent posting. “An attacker having a directory traversal (or local file inclusion) can easily get full router access.”

A third vulnerability (CVE-2018-10823) meanwhile is what opens the door for remote code-injection. This is a shell command-injection bug in the httpd server for several series of D-Link routers.

“An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter,” Adamczyk explained. “This allows for full control over the device internals.”

To exploit this, an adversary would log into the router using the credentials he or she lifted using the first two vulnerabilities, request a certain URL as laid out in the researcher’s PoC, and then be able to see the passwd file contents in the response.

“Taking all the three together it is easy to gain full router control, including arbitrary code-execution,” Adamczyk said.

Adding insult to injury, the researcher explained that the first vulnerability was actually introduced in a flawed patch for an older vulnerability, CVE-2017-6190. The older flaw also contained the plaintext password issue, CVE-2018-10824 – but it wasn’t addressed for all releases, according to Adamczyk.

D-Link did not immediately respond to Threatpost’s request for comment, but we’ll update the story if it does.

The vendor is no stranger to remote code-execution flaws; earlier in October it patched four vulnerabilities in the software controller tool used in its enterprise-class wireless network access points that would allow RCE. And, last year it was uncovered that its D-Link router model 850L wireless AC1200 dual-band gigabit cloud router was riddled with vulnerabilities that could allow a hacker to gain remote access and control of device.

Earlier this month a report came out showing that a staggering 83 percent of home and office routers have vulnerabilities that could be exploited by attackers. Of those vulnerable, over a quarter harbor high-risk and critical vulnerabilities, according to the American Consumer Institute on router safety.

The potential ramifications aren’t just about putting SOHO users themselves at risk, given that in many cases remote users rely on these routers to connect to corporate networks.

“While protecting the network will always be a challenge, it becomes even more so with remote employees joining the organization’s ranks,” said Justin Jett, director of audit and compliance for Plixer, via email. “Because these employees will be connecting to the office from their home router, IT professionals should monitor every conversation coming from these remote employees into the business. Three-quarters of the workforce [works remotely or on a mobile basis, and that] is a large surface area for malware to enter the organization, especially with 83 percent of home routers already giving access to hackers.”

Suggested articles