Select Page

Does anyone use a D-Link router? In eight models, there are several security vulnerabilities that can be used to completely compromise the devices.

Vulnerabilities in D-Link routers

I’ve seen it recently on seclists.org, but only now I’m getting to the point of editing it in a post. In an entry Multiple vulnerabilities in D-Link routers, dated October 12, 2018, Błażej Adamczyk describes a whole collection of vulnerabilities.

Directory Traversal-Lücke in httpd Server

The vulnerability CVE-2018-10822 (Directory traversal vulnerability) exists in the web interface of the following D-Link routers:

– DWR-116 bis 1.06,
– DIR-140L bis 1.02,
– DIR-640L bis 1.02,
– DWR-512 bis 2.02,
– DWR-712 bis 2.02,
– DWR-912 bis 2.02,
– DWR-921 bis 2.02,
– DWR-111 bis 1.01

It is suspected that other models may also be vulnerable with the same type of firmware. The vulnerability allows an attacker to remotely read arbitrary files using information of the type /… or //. This vulnerability exists due to an incorrect fix of the CVE-2017-6190 vulnerability.

The vulnerability can be used with the CVE-2018-10824 vulnerability to query the administrator password using this command:

$ curl http://routerip/uir//etc/passwd

Password stored in plain text

In several models of D-Link routers, the password is stored in plain text. The CVE: CVE-2018-1082424 vulnerability affects the following router models:

– DWR-116 bis 1.06,
– DIR-140L bis 1.02,
– DIR-640L bis 1.02,
– DWR-512 bis 2.02,
– DWR-712 bis 2.02,
– DWR-912 bis 2.02,
– DWR-921 bis 2.02,
– DWR-111 bis 1.01

and probably also other routers with the same type of firmware. The administrative password is stored in plain text in the file /tmp/XXX/0 (xxx is a placeholder). An attacker can easily gain full access to the router with a directory traversal (or LFI). The Proof of Concept (PoC) command (using the simultaneously exposed Directory Traversal vulnerability CVE-2018-10822) is:

$ curl http://routerip/uir//tmp/XXX/0

This command returns a binary configuration file that contains the user name and password of the admin and many other router configurations and settings. By using the Directory Traversal vulnerability, it is possible to read the file without authentication. The manufacturer does not want to fix this vulnerability with devices that have reached end of support.

Shell Command Injection in httpd Server

A shell command injection in the httpd server is possible in a number of D-Link routers. The following devices are affected by CVE-2018-10823:

– DWR-116 bis 1.06,
– DWR-512 bis 2.02,
– DWR-712 bis 2.02,
– DWR-912 bis 2.02,
– DWR-921 bis 2.02,
– DWR-111 bis 1.01

and probably other devices with the same type of firmware. An authenticated attacker can execute arbitrary code by injecting the shell command into the chkisg.htm page. This allows full control over the devices.

Combination of vulnerabilities

By combining these vulnerabilities, the devices become as perforated as a Swiss cheese. Taking all three vulnerabilities together, it is easy to gain full control over the router. This includes the execution of arbitrary code.

A description with video can be found at http://sploit.tech/2018/10/12/D-Link.html. The timeline of notification of the manufacturer is also interesting:

– 09.05.2018 – Notification to dLink
– 06.06.2018 – Demand for status
– 22.06.2018 – Answer that a patch will be released, but only for DWR-116 and DWR-111, for the other devices that are EOL there will only be an ‘announcement
– 09.09.2018 – still no reply from the provider about the patches or an announcement. Warning to D-Link that if there is no response, disclosure will take place in one month.
– 12.10.2018 – Disclosure of vulnerabilities