Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

D-Link remote access vulnerabilities remain unpatched

Jeremy Kirk | March 2, 2015
D-Link routers have several unpatched vulnerabilities, the worst of which could allow an attacker to gain total control over a device, according to a systems engineer in Canada.

D-Link routers have several unpatched vulnerabilities, the worst of which could allow an attacker to gain total control over a device, according to a systems engineer in Canada.

Peter Adkins, who does security research in his free time, released details of the flaws on Thursday. Adkins said in a phone interview that he has been in intermittent contact with D-Link since Jan. 11 on the issues, but the company has not indicated when it might patch.

"I believe it's probably better for the end user to know that these exist than be completely in the dark for months on end while the vendor prepares patches," he said.

D-Link officials did not have an immediate comment.

Adkins published an extensive writeup of his findings on Github. The most serious problem is a cross-site request forgery vulnerability (CSRF), a type of Web application flaw, Adkins said.

The flaw can be exploited if an attacker can lure a user into visiting a specially-crafted malicious Web page that delivers a html form using Javascript, he said.

The form accesses a service running on the router called ncc/ncc2 which does not filter out malicious commands. The ncc/ncc2 service appears to handle dynamic requests, such as updating usernames and passwords, Adkins said.

As a result, an attacker can gain full access to the router, and perform actions such as launching a telnet service or changing a router's DNS (Domain Name System) settings, an attack know as pharming.

Changing DNS settings is particularly dangerous, as it means a victim who types in the correct domain name for a website in a Web browser can end up on a fraudulent one.

Many routers have a defensive mechanism that is designed to block CSRF requests. But Adkins said the D-Link models he tested do not have that capability.

Adkins also found other problems in the ncc/ncc2 service that involved accepting remote requests without authentication.

For example, he found he could access some diagnostic functions through the ncc/ncc2 service, which also could be abused to launch telnet. Adkins said he thinks that functionality might have been left in place so ISPs could run diagnostic tests on a router. But it still has nasty security consequences.

 

He also found it is possible to upload files to the file systems of the routers. That again is due to a fault in the ncc/ncc2 service, which allows for firmware upgrades to be uploaded using a HTTP POST request.

If a person tries to do that but isn't logged into the router, the device will display a warning. However, Adkins found that an uploaded file is written to the file system anyway before that warning is displayed.

 

1  2  Next Page 

Sign up for Computerworld eNewsletters.