Security news that informs and inspires

Trio of Bugs in D-Link Routers Allows Device Takeover


A number of popular D-Link home routers have a trio of vulnerabilities in their firmware that, when used together, can allow an attacker to take complete control of a vulnerable device.

The vulnerabilities affect a variety of D-Link wireless routers, and not all of them will be patched, according to the researcher who discovered the flaws. The weaknesses include a directory traversal flaw, a plaintext password, and the ability to inject shell commands to get total control of a target router. An attacker who is able to exploit the directory traversal flaw would then be able to access the stored password in plaintext and use that to authenticate on the router, at which point the router is completely compromised.

All of the vulnerabilities are in the httpd server in the D-Link firmware and they’re present in various D-Link routers. Not all of the affected devices are vulnerable to all three bugs, but many of them are, including the DWR-116, DWR-111, DWR-921, DWR-912, and DWR-712.

The first vulnerability is a directory traversal bug in the D-Link routers’ web interface, which allows users to manage various features of their devices. This bug is the result of an incomplete patch for a separate bug that was disclosed last year. Using this vulnerability, an attacker can jump into a directory where the plaintext password is stored on a vulnerable router.

“The administrative password is stored in plaintext."

“The administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access,” the advisory from researcher Blazej Adamczyk says.

Running a simple command “returns a binary config file which contains admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability it is possible to read the file without authentication.”

Once the attacker has the username and password and is able to authenticate, he can then inject a shell command into a specific page and get full access to the device. Adamczyk said he notified D-Link of the vulnerabilities in May and received a response more than a month later saying that patches would be released for the DWR-116 and DWR-111 routers. The other affected routers won’t be patched because they’re at end-of-life, Adamczyk said.