D-Link remote access vulnerabilities remain unpatched
Peter Adkins, who does security research in his free time, released details of the flaws on Thursday. Adkins said in a phone interview that he has been in intermittent contact with D-Link since Jan. 11 on the issues, but the company has not indicated when it might patch.
"I believe it's probably better for the end user to know that these exist than be completely in the dark for months on end while the vendor prepares patches," he said.
D-Link officials did not have an immediate comment.
Adkins published an extensive writeup of his findings on Github. The most serious problem is a cross-site request forgery vulnerability (CSRF), a type of Web application flaw, Adkins said.
The flaw can be exploited if an attacker can lure a user into visiting a specially-crafted malicious Web page that delivers a html form using Javascript, he said.
The form accesses a service running on the router called ncc/ncc2 which does not filter out malicious commands. The ncc/ncc2 service appears to handle dynamic requests, such as updating usernames and passwords, Adkins said.
As a result, an attacker can gain full access to the router, and perform actions such as launching a telnet service or changing a router's DNS (Domain Name System) settings, an attack know as pharming.
Changing DNS settings is particularly dangerous, as it means a victim who types in the correct domain name for a website in a Web browser can end up on a fraudulent one.
Many routers have a defensive mechanism that is designed to block CSRF requests. But Adkins said the D-Link models he tested do not have that capability.
Adkins also found other problems in the ncc/ncc2 service that involved accepting remote requests without authentication.
For example, he found he could access some diagnostic functions through the ncc/ncc2 service, which also could be abused to launch telnet. Adkins said he thinks that functionality might have been left in place so ISPs could run diagnostic tests on a router. But it still has nasty security consequences.
He also found it is possible to upload files to the file systems of the routers. That again is due to a fault in the ncc/ncc2 service, which allows for firmware upgrades to be uploaded using a HTTP POST request.
If a person tries to do that but isn't logged into the router, the device will display a warning. However, Adkins found that an uploaded file is written to the file system anyway before that warning is displayed.
Also, an uploaded file is stored in the same place where the system configurations are kept, which means an attacker could overwrite DNS settings.
"Although it will pop back and say you are not authorized, it will go ahead and write that to the file system anyway," he said.
Adkins said this attack will only work if WAN management is enabled, which allows someone to remotely log into a router and change its settings, he said.
Most users don't need that enabled and should shut it off, he said. But some router manufacturers have incorporated that capability as part of storage services they offer, Adkins said. Some routers have USB ports that allow consumers to plug in a hard drive to it and access content from it remotely.
Many D-Link routers could be affected by all of the flaws. Adkins confirmed D-Link's DIR-820L running firmware versions 1.02B10, 1.05B03 and 2.01b02 are vulnerable. He suspects other models of D-Link routers could be affected, which he lists in his advisory, but he has not tested them.
A router from Trendnet, the TEW-731BR, was also affected, but that vendor has patched, Adkins said.
Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk