D-Link home routers affected by remote command injection flaw

D-Link routers contain a vulnerability that could be exploited by attackers to get root access remotely and run several attacks.

Once again security experts have found security vulnerabilities in home routers, these devices are a privileged target of cyber criminals that exploit the flaws in the software they run for several purposes. This time the flawed routers are manufactured by D-Link and contain a security vulnerability that expose them to remote attacks.

The attackers can get root access to the D-Link router by exploiting the flaw, this allows them to change setting to run various attacks like traffic redirection through DNS hijacking. Exactly one month ago,  a similar flaw was discovered by the Bulgarian security expert Todor Donev, member of the Ethical Hacker research team in other devices. The expert discovered a critical vulnerability the ZynOS firmware, which is used by D-Link and many other devices from other vendors, including TP-Link and ZTE.

This new vulnerability affecting a number of D-Link home routers was discovered by the security researcher Peter Adkins which reported it to the vendor in January without success.

“Due to the nature of the the ping.ccp vulnerability, an attacker can gain root access, hijack DNS settings or execute arbitrary commands on these devices with the user simply visiting a webpage with a malicious HTTP form embedded (via CSRF),” Adkins said in a description of the issue on GitHub. 

According to the advisory published on the SecLists.org, the vulnerability was discovered also by the researcher Tiago Caetano Henriques of Swisscom in November, also in this case the researcher reported it to D-Link company..

“The D-Link DIR636L (possibly others) incorrectly filters input on the ‘ping’ tool which allows to inject arbitrary commands into the router. Secondly, authentication is not being performed correctly. This enables a remote attacker to gain full control of the router, for example to attack other networks in a DDoS style attack, or even expose computers behind these devices to the internet as you are able to change firewall/nat rules on this router,” states the description of the flaw from Swisscom.

Adkins explained that other versions of D-Link routers and one router from TRENDnet are affected by the same vulnerability. The flawed version of D-Link routers are:

• D-Link DIR-820L (Rev A) – v1.02B10
• D-Link DIR-820L (Rev A) – v1.05B03
• D-Link DIR-820L (Rev B) – v2.01b02
• TRENDnet TEW-731BR (Rev 2) – v2.01b01

There are no patches available for the vulnerability right now. A

Pierluigi Paganini

(Security Affairs –  D-Link home routers, hacking)