Unauthenticated Command Injection bug opens D-Link VPN routers to hack

An unauthenticated command injection vulnerability could be exploited by threat actors to compromise D-Link VPN routers.

Security researchers at Digital Defense discovered three vulnerabilities in D-Link VPN routers, including command injection flaws, and an authenticated crontab injection flaw.

The experts initially discovered the flaws in DSR-250 router family running firmware version 3.17, further investigation allowed the experts to determine that these vulnerabilities also affect other devices, including D-Link DSR-150, DSR-250, DSR-500, and DSR-1000AC VPN routers running firmware versions 3.17 and earlier.

The most severe flaw is an unauthenticated command injection issue that could be exploited by an attacker to access the “Unified Services Router” web interface over LAN or WAN to execute commands with root privileges. The issue could be easily triggered by attackers by sending specially crafted requests to vulnerable devices.

“Unauthenticated users with access to the “Unified Services Router” web interface, either on LAN or WAN, can inject arbitrary commands via crafted requests, which will be executed with root privileges.” reads the advisory published by D-Link.

“The following lua cgi actions, which are accessible without authentication, execute a lua library function which passes user-supplied data to a call to os.popen() as part of a command intended to calculate a hash: /platform.cgi?action=duaAuth, /platform.cgi?action=duaLogout”

The exploitation of this flaw could allow an unauthenticated attacker to take over the router. Then the attacker could intercept and modify traffic, trigger a denial of service (DoS) condition, or carry out other malicious activities.

The second flaw is an authenticated Root Command Injection that could be exploited by authenticated users with access to the “Unified Services Router” web interface, either on LAN or WAN, to inject arbitrary commands via crafted requests, which will be executed with root privileges.

“The Lua CGI, which handles requests from the “Package Management” form in the “Unified Services Router” web interface, has no server-side filtering for the multi-part POST parameters payload, which are passed to os. execute () functions intended to move the uploaded file to another directory.” continues the report.

The third flaw is an Authenticated Crontab Injection that could allow an authenticated user to inject arbitrary CRON entries that will then be executed as root.

D-Link confirmed that it is working to address the first two flaws, the vendor plans to release security updates to fix them in the Mid-December 2020.

D-Link will not release any fix for the third flaw for the following reason;

“D-Link declined recognition of this report. For this generation of product, the device uses a plain text config, which is the design to directly edit and upload the config to the same DSR devices accordingly. If D-Link mitigates issue #1 and #2, as well as other, recently reported issues, the malicious user would need to engineer a way of gaining access to the device to upload a configuration file, so we understand the report but classify the report as low-threat once the patched firmware is available.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, D-Link)

[adrotate banner=”5″]

[adrotate banner=”13″]