A vulnerability in the firmware of two models of D-Link routers could allow attackers to gain root access without authentication and execute arbitrary commands, according to a recent announcement by security researcher Michael Messner. After repeatedly alerting the company to the flaw and being told it would not be fixed, Messner publicly disclosed it on his personal blog.
The vulnerability affects recent firmware versions in the DIR-300 and DIR-600 models of D-Link routers, Messner reported. He explained that missing access restrictions and missing input validation in the cmd parameter allow for the injection and execution of arbitrary shell commands.
“You do not need to be authenticated to the device for executing the malicious commands,” Messner wrote. “You could prepare the whole request and execute it without any authentication details. For example you could start the telnetd on other ports and interfaces. So with this you are able to get a full shell.”
Other flaws allow an attacker to change the device password without knowing the current one, store the password in plain text, and disclose information about the device settings and paths. According to The H Security, the vulnerabilities are particularly dangerous, since many of the devices can be accessed from the internet and have commands injected remotely.
“A real attacker could randomly exploit systems, for example to divert a router’s entire internet traffic to a third-party server,” the publication explained.
Upon disclosing the software security issue to D-Link multiple times, Messner was informed that the security problem stemmed from the user and/or browser and would not be fixed. Without any way of preventing the problem, users are advised to decommission affected routers, The H Security reported.
To avoid this type of flaw and any ensuing tangle over responsibility, device manufacturers can adopt stronger development processes and make use of tools such as source code analysis to catch such vulnerabilities before products are released.
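As an added illustration (not code from this article, from Messner's advisory or from D-Link's firmware), the two controls reported missing, an access restriction and validation of the cmd parameter, could look like this in a C request handler. The function name, command tokens and binary paths are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names throughout; this is not D-Link firmware code. */
enum cmd_status { CMD_OK = 0, CMD_DENIED_UNAUTH = 1, CMD_REJECTED = 2 };

struct allowed_cmd {
    const char *name;          /* token accepted in the cmd parameter */
    const char *const argv[4]; /* fixed argument vector, never built from input */
};

/* Constructed allowlist: the only actions the web interface may trigger. */
static const struct allowed_cmd ALLOWED[] = {
    { "uptime",   { "/bin/uptime", NULL } },
    { "ifstatus", { "/sbin/ifconfig", "br0", NULL } },
};

/*
 * Decide what, if anything, a request's cmd parameter may run.
 * The flaw the article describes amounts to handing cmd to a shell
 * with no session check. Here the session check comes first, and cmd
 * is only compared against known tokens; its bytes never reach a
 * shell or an argument vector.
 */
enum cmd_status resolve_cmd(int session_authenticated, const char *cmd,
                            const char *const **argv_out)
{
    size_t i;

    *argv_out = NULL;
    if (!session_authenticated)
        return CMD_DENIED_UNAUTH;                 /* access restriction */
    if (cmd == NULL)
        return CMD_REJECTED;
    for (i = 0; i < sizeof(ALLOWED) / sizeof(ALLOWED[0]); i++) {
        if (strcmp(cmd, ALLOWED[i].name) == 0) {  /* exact match only */
            *argv_out = ALLOWED[i].argv;
            return CMD_OK;
        }
    }
    return CMD_REJECTED;       /* input validation: everything else */
}
```

On CMD_OK the caller would run the returned vector with fork() and execv(), which starts the binary directly instead of passing a string through a shell.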
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.