Chaining three critical vulnerabilities allows takeover of D-Link routers

Researchers from the Silesian University of Technology in Poland discovered several flaws that could be exploited to take over some D-Link routers.

A group of researchers from the Silesian University of Technology in Poland has discovered three vulnerabilities in some models of D-Link routers that could be chained to take full control over the devices.

The flaws are a Directory Traversal (CVE-2018-10822), Password stored in plaintext (CVE-2018-10824), and a Shell command injection (CVE-2018-10823).

“I have found multiple vulnerabilities in D-Link router httpd server. These vulnerabilities are present in multiple D-Link types of routers. All three taken together allow to take a full control over the router including code execution.” reads the security advisory.

The vulnerabilities reside in the httpd server of some D-Link routers, including DWR-116, DWR-111, DIR-140L, DIR-640L, DWR-512, DWR-712, DWR-912, and DWR-921.

Researchers found a directory traversal vulnerability, tracked as CVE-2018-10822, that could be exploited by remote attackers to read arbitrary files using an HTTP request.

The issue was initially reported to D-Link as CVE-2017-6190, but the vendor did not correctly fix the flaw.

This flaw could be exploited to gain access to a file that stores the admin password for the device in clear text.

The storage of password in clear text is tracked as CVE-2018-10824, to avoid abuses the experts did not reveal the path of the files

Researchers also reported another flaw, tracked as CVE-2018-10823, that could be exploited by an authenticated attacker to execute arbitrary commands and take over the device.

Below a video that shows how the flaws could be chained to takeover a device:

The experts reported the flaws to D-Link in May but the vendor still hasn’t addressed them, then the experts publicly disclosed the vulnerabilities.

Waiting for a patch to address the vulnerabilities, users can make their devices not accessible from the Internet.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – D-Link, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.