Categories: Hacking

Critical DNS hijacking flaw affects D-Link DSL router

Critical DNS hijacking flaw affects D-Link DSL router, the flaw affects the ZynOS firmware that is used also by other vendors, including TP-Link and ZTE.

A security vulnerability affects DSL router model from D-Link, the flaw could be exploited by a remote attacker to change device DNS settings and hijack users’ traffic. The Bulgarian security expert Todor Donev, member of the Ethical Hacker research team, explained that vulnerability is found in the ZynOS firmware, which is present in many other devices from other vendors, including D-Link, TP-Link, ZTE.

At least one D-Link router is affected by the flaw, the D-Link’s DSL-2740R ADSL modem/wireless router, but every manufacturer using the same firmware is potentially exposed to remote hacking.

Todor Donev published a proof-of-concept exploit for the D-Link DSL-2740R model, which has been already phased out, but might still receive support if covered by warranty.

By exploiting the flaw, the attacker can access the D-Link device’s Web administration interface without authentication. The attacker can then modify the DNS settings to redirect users to phishing websites or domain used to serve malware. Even if the Web administration, it’s not exposed on the Internet, the attacker can access the router’s interface from within the local area network with a cross-site request forgery (CSRF) technique.

“If the administration interface is exposed to the Internet — routers are sometimes configured in this way for remote administration — the risk of exploitation is higher. But even if it’s only accessible from within the local area network, hackers can still use cross-site request forgery (CSRF) techniques to reach a router’s interface. CSRF attacks hijack users’ browsers to perform unauthorized actions when they visit compromised sites or click on malicious links. Rogue code loaded from a website can instruct a browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with routers. Large scale CSRF attacks against router owners that were designed to replace DNS servers configured on their devices with servers controlled by attackers were observed on the Internet in the past.” reported ComputerWord.

Donev hasn’t notified D-Link of the vulnerability, but the availability of the exploit in the wild urges all vendors that adopt the flawed firmware to check if their products suffering the same security issue.

Pierluigi Paganini

(Security Affairs – D-Link, ZynOS firmware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.