DNS hijacking vulnerability affects D-Link DSL router, possibly other devices

A vulnerability in ZynOS could spell trouble for users of routers from D-Link, TP-Link, ZTE and other manufacturers, a researcher said

A vulnerability found in a DSL router model from D-Link allows remote hackers to change its DNS (Domain Name System) settings and hijack users' traffic. The issue might also affect other devices because it is located in a popular firmware used by different manufacturers, according to a security researcher.

A proof-of-concept exploit was published Tuesday for the D-Link DSL-2740R model, a dual-function ADSL modem/wireless router device, which according to the D-Link support site has been phased out. This means the device is no longer being sold, but might still receive support if covered by warranty.

The exploit was created by Todor Donev, member of a Bulgarian security research outfit called Ethical Hacker, who claims that more devices from D-Link and other manufacturers might be affected.

The vulnerability is actually in ZynOS, a router firmware developed by ZyXEL Communications that's used in products from multiple networking equipment manufacturers, including D-Link, TP-Link Technologies and ZTE, Donev said via email.

Attackers don't need to have access credentials for the affected devices in order to exploit the vulnerability, but do need to be able to reach their Web-based administration interfaces, he said.

If the administration interface is exposed to the Internet -- routers are sometimes configured in this way for remote administration -- the risk of exploitation is higher. But even if it's only accessible from within the local area network, hackers can still use cross-site request forgery (CSRF) techniques to reach a router's interface.

CSRF attacks hijack users' browsers to perform unauthorized actions when they visit compromised sites or click on malicious links. Rogue code loaded from a website can instruct a browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with routers.

Large scale CSRF attacks against router owners that were designed to replace DNS servers configured on their devices with servers controlled by attackers were observed on the Internet in the past.

DNS servers have an important role. They translate website names that humans can understand into numerical IP addresses that computers use to speak with each other. If a router uses a malicious DNS server, attackers can direct computers served by that router to rogue servers when they attempt to access legitimate websites.

In March 2014, Internet security research organization Team Cymru uncovered a global attack campaign that compromised over 300,000 home routers and changed their DNS settings. A different vulnerability in ZynOS was exploited in that attack and one of the techniques used was likely CSRF.

Donev did not report the vulnerability to D-Link and as far as he knows it is currently a zero-day -- a name given to publicly disclosed, but unpatched vulnerabilities.

D-Link did not immediately respond to a request for comment sent Tuesday.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Ethical HackerTp-link Technologiesonline safetysecurityAccess control and authenticationZTEZyXEL CommunicationsD-LinkExploits / vulnerabilitiesintrusion

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?