Researchers have identified dozens of vulnerabilities in several D-Link products, some of which allow attackers to bypass authentication requirements or upload arbitrary files to target devices.
The vulnerabilities lie in a variety of D-Link network storage devices and the company has produced updated firmware to address some of the problems. Researchers at Search-Lab discovered the vulnerabilities and said that there are a number of different D-Link devices open to the authentication bypass, as well as command injection and arbitrary file upload.
The affected devices include the D-Link DNS-320, 320L, 326, 327L, 320B, 345, 325, and 322L. Not all of the affected devices are susceptible to all of the vulnerabilities, though. One of the more widespread vulnerabilities the researchers discovered was the authentication bypass.
“The login_mgr.cgi performed the authentication based on the OS credentials stored in the /etc/shadow file. Since the shadow file was used directly, every valid user and password could be used as credentials,” the advisory says.
That default shadow file contains information for several users, including root, nobody, and admin.
“From the above list the admin, nobody and the root users’ default passwords were empty. Because every user could be used to login to the system, the user should be able to change every corresponding password – however, the user interface allowed changing only the password of the admin user,” the advisory says.
The Search-Lab researchers also found what they termed a backdoor on some of the D-Link devices. That vulnerability affects the DNS-320L, the 327L, the 320B, the 345, the 325, the 322L, and the DNR-326.
“We found in the system_mgr.cgi and in the wizard_mgr.cgi that before the session check (login_check) would be performed, the CGI checked whether the received command (cmd parameter) was the cgi_set_wto. If the check was successful, a new session was created with the current time and with the requester’s remote address,” the advisory says.
“So a new admin session was created without requiring a username and password. After that, the attacker only had to set the Cookie to username=admin and full access to the device was obtained.”
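As an added example, not code from the advisory or from D-Link: a Python checker a defender could run over web-server access logs and an /etc/shadow dump to spot the two conditions the article describes, a cmd=cgi_set_wto request to system_mgr.cgi or wizard_mgr.cgi from an address with no prior login, and accounts whose password field is empty. It assumes the CGIs live under /cgi-bin/ and that cmd travels in the query string; the log and shadow lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format; the /cgi-bin/ path is an
# assumption, the CGI names and cmd value are those the advisory names.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/system_mgr.cgi?cmd=cgi_set_wto HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2014:13:55:37 +0000] "GET /cgi-bin/system_mgr.cgi?cmd=cgi_get_info HTTP/1.1" 200 2048
198.51.100.9 - - [10/Oct/2014:13:58:02 +0000] "POST /cgi-bin/login_mgr.cgi HTTP/1.1" 200 300
198.51.100.9 - - [10/Oct/2014:13:58:10 +0000] "POST /cgi-bin/wizard_mgr.cgi?cmd=cgi_set_wto HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SESSION_CGIS = ("system_mgr.cgi", "wizard_mgr.cgi")  # the two CGIs named in the advisory


def find_session_forging(log_text):
    """Return (ip, cgi, timestamp, had_prior_login) for every cmd=cgi_set_wto request.

    A hit from an address that never posted to login_mgr.cgi is the case the
    advisory describes: a session minted without credentials. A cmd carried in
    a POST body is not visible in an access log; catching that variant needs
    body inspection at a proxy or IDS.
    """
    logged_in = set()
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        cgi = parts.path.rsplit("/", 1)[-1]
        if cgi == "login_mgr.cgi":
            logged_in.add(m.group("ip"))
            continue
        if cgi in SESSION_CGIS and "cgi_set_wto" in parse_qs(parts.query).get("cmd", []):
            findings.append((m.group("ip"), cgi, m.group("ts"), m.group("ip") in logged_in))
    return findings


# Constructed shadow-style lines mirroring the advisory's empty-password accounts.
SAMPLE_SHADOW = "root::10933:0:99999:7:::\nnobody::10933:0:99999:7:::\nadmin::10933:0:99999:7:::\nftp:*:10933:0:99999:7:::\n"


def empty_password_accounts(shadow_text):
    """Names of accounts whose hash field is empty, i.e. usable with no password."""
    return [f[0] for f in (ln.split(":") for ln in shadow_text.splitlines())
            if len(f) >= 2 and f[1] == ""]
```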