This article is more than 1 year old
Last year, D-Link flubbed a router bug-fix, so it's back with total pwnage
Plain text password storage? Check. Directory traversal? Check. SOHOpeless? Check
Eight D-Link router variants are vulnerable to complete pwnage via a combination of security screwups, and only two are going to get patched.
Błażej Adamczyk of the Silesian University of Technology in Poland posted this month to Full Disclosure that he discovered the bugs in May of this year and notified D-Link. Despite insisting patches would be released four months ago from now, D-Link hasn't addressed the issue, so Adamczyk has gone public with the security holes.
For some of the affected devices, he wrote, there won't be patches. The vulnerable units are all in D-Link's DWR range: the DWR-116, DWR-140, DWR-512, DWR-640, DWR-712, DWR-912, DWR-921, and DWR-111. Most of these, Adamczyk claimed, will be left unpatched because D-Link told him they're end-of-life; only the DWR-116 and 111 would be fixed.
So far, in a complaint that all-too-often follows disclosures of vulnerabilities in home and SOHO-grade kit, fixes for even those two model have yet to land.
As demonstrated in the video below, the full compromise arises from a cascade of several vulnerabilities. They require access to the device's web-based settings panel, either on the local network or from the internet, depending on the configuration.
First, there's CVE-2018-10822, a directory traversal bug in the web-based configuration interface, which lets an attacker retrieve arbitrary files. Adamczyk wrote that this arose from a bug in a fix for an earlier vulnerability, CVE-2017-6190, and like the older bug, it allows the attacker to use
// in their
GET /uri request to fetch files they shouldn't.
Data that can be accessed in this way include password files, and guess what? – yes, there are passwords stored in plaintext, a bug that's received the designation CVE-2018-10824. The administrative password can be found in cleartext form in a temporary file.
Finally, CVE-2018-10823 allows an attacker able to log into the router to inject shell commands into the routers' HTTP web server: “An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.”
Keep an eye out for patches, if they ever turn up. We've pinged D-Link for comment. ®