D-Link remote access vulnerabilities remain unpatched

The worst one could allow a remote attacker to change DNS settings

D-Link routers have several unpatched vulnerabilities, the worst of which could allow an attacker to gain total control over a device, according to a systems engineer in Canada.

Peter Adkins, who does security research in his free time, released details of the flaws on Thursday. Adkins said in a phone interview that he has been in intermittent contact with D-Link since Jan. 11 on the issues, but the company has not indicated when it might patch.

"I believe it's probably better for the end user to know that these exist than be completely in the dark for months on end while the vendor prepares patches," he said.

D-Link officials did not have an immediate comment.

Adkins published an extensive writeup of his findings on GitHub. The most serious problem is a cross-site request forgery (CSRF) vulnerability, a type of Web application flaw, Adkins said.

The flaw can be exploited if an attacker can lure a user into visiting a specially crafted malicious Web page that delivers an HTML form using JavaScript, he said.

The form accesses a service running on the router called ncc/ncc2 which does not filter out malicious commands. The ncc/ncc2 service appears to handle dynamic requests, such as updating usernames and passwords, Adkins said.

As a result, an attacker can gain full access to the router and perform actions such as launching a telnet service or changing a router's DNS (Domain Name System) settings, an attack known as pharming.

Changing DNS settings is particularly dangerous, as it means a victim who types in the correct domain name for a website in a Web browser can end up on a fraudulent one.

Many routers have a defensive mechanism that is designed to block CSRF requests. But Adkins said the D-Link models he tested do not have that capability.

Adkins also found other problems in the ncc/ncc2 service that involved accepting remote requests without authentication.

For example, he found he could access some diagnostic functions through the ncc/ncc2 service, which also could be abused to launch telnet. Adkins said he thinks that functionality might have been left in place so ISPs could run diagnostic tests on a router. But it still has nasty security consequences.

He also found it is possible to upload files to the file systems of the routers. That again is due to a fault in the ncc/ncc2 service, which allows for firmware upgrades to be uploaded using an HTTP POST request.

If a person tries to do that but isn't logged into the router, the device will display a warning. However, Adkins found that an uploaded file is written to the file system anyway before that warning is displayed.

Also, an uploaded file is stored in the same place where the system configurations are kept, which means an attacker could overwrite DNS settings.

"Although it will pop back and say you are not authorized, it will go ahead and write that to the file system anyway," he said.
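The ordering problem described above, and the check order that avoids it, as an added example. This is a model written for this article, not code from the ncc/ncc2 service or from Adkins' advisory; the function names, the `dns.conf` file name, the session token and the addresses are all constructed.

```python
import hmac
import os
import tempfile

VALID_SESSION = "constructed-session-token"      # constructed, not a router value
ORIGINAL_DNS = b"nameserver 192.0.2.1\n"         # constructed sample config
UPLOADED = b"nameserver 198.51.100.7\n"          # constructed upload body

def is_authenticated(token):
    return hmac.compare_digest(token or "", VALID_SESSION)

def upload_vulnerable(config_dir, token, filename, body):
    # Order described in the article: write first, check login afterwards.
    with open(os.path.join(config_dir, filename), "wb") as fh:
        fh.write(body)
    return 200 if is_authenticated(token) else 401   # 401 arrives too late

def upload_hardened(staging_dir, token, filename, body):
    if not is_authenticated(token):
        return 401                                   # nothing touches the disk
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        return 400                                   # no path components allowed
    # Stage away from the configuration directory; installing the image is a
    # separate step after validation (not modelled here).
    with open(os.path.join(staging_dir, filename), "wb") as fh:
        fh.write(body)
    return 200

def run_unauthenticated(handler_name):
    """Return (status, config_intact) for an upload sent without a session."""
    with tempfile.TemporaryDirectory() as root:
        config_dir = os.path.join(root, "config")
        staging_dir = os.path.join(root, "staging")
        os.mkdir(config_dir)
        os.mkdir(staging_dir)
        dns_path = os.path.join(config_dir, "dns.conf")
        with open(dns_path, "wb") as fh:
            fh.write(ORIGINAL_DNS)
        if handler_name == "vulnerable":
            status = upload_vulnerable(config_dir, None, "dns.conf", UPLOADED)
        else:
            status = upload_hardened(staging_dir, None, "dns.conf", UPLOADED)
        with open(dns_path, "rb") as fh:
            return status, fh.read() == ORIGINAL_DNS

if __name__ == "__main__":
    for name in ("vulnerable", "hardened"):
        print(name, run_unauthenticated(name))
```

Both handlers answer the unauthenticated request with 401; only the second leaves the configuration file unchanged, which is why the status code alone is not evidence that an upload was rejected.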

Adkins said this attack will only work if WAN management is enabled, which allows someone to remotely log into a router and change its settings.

Most users don't need that enabled and should shut it off, he said. But some router manufacturers have incorporated that capability as part of storage services they offer, Adkins said. Some routers have USB ports that allow consumers to plug in a hard drive and access its content remotely.

Many D-Link routers could be affected by all of the flaws. Adkins confirmed that D-Link's DIR-820L running firmware versions 1.02B10, 1.05B03 and 2.01b02 is vulnerable. He suspects other D-Link router models, which he lists in his advisory, could be affected, but he has not tested them.

A router from Trendnet, the TEW-731BR, was also affected, but that vendor has patched, Adkins said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Jeremy Kirk

IDG News Service