Expert disclosed 10 zero-day vulnerabilities in D-Link DIR 850L wireless routers

Pierluigi Paganini September 11, 2017

The security researcher Pierre Kim has discovered ten critical zero-day vulnerabilities in D-Link DIR 850L routers and invites users to stop using them.

The security researcher Pierre Kim has discovered ten critical zero-day vulnerabilities in routers from networking equipment manufacturer D-Link that open owners to cyber attacks.

The flawed devices are the D-Link DIR 850L wireless AC1200 dual-band gigabit cloud routers, the list of vulnerabilities includes the lack of proper firmware protection, backdoor access, command injection attacks resulting in root access and several cross-site scripting (XSS) flaws.

An attacker could exploit the vulnerabilities to intercept traffic, upload malicious firmware, and get full control over the affected routers.

Kim sustains that  “the D-Link DIR 850L is a router overall badly designed with a lot of vulnerabilities. Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused.”

“Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused.” wrote Kim in a blog post.

This isn’t the first time Kim spots flaws in D-Link products, in October 2016 he reported multiple vulnerabilities in D-Link DWR-932B LTE router, but the Taiwan-based firm ignored them.

For this reason, the experts this time decided to publicly disclose the zero-day vulnerabilities hoping that the company will fix them.

At the time, users are invited avoid using the affected D-Link router in order to be safe from such attacks.

I advise to IMMEDIATELY DISCONNECT vulnerable routers from the Internet.” Kim wrote.

D-Link DIR 850L router

Below the list of zero-day vulnerabilities disclosed by Kim that affect D-Link DIR 850L revision A and revision B:

  1. Lack of proper firmware protection—the firmware images are not protected, an attacker could upload a malicious firmware version to the device and compromise it. While firmware for D-Link 850L RevA has no protection, the firmware for D-Link 850L RevB is protected with a hardcoded password.
  2. Cross-site scripting (XSS) Flaws—both LAN and WAN of D-Link 850L RevA is vulnerable to “several trivial” XSS vulnerability, allowing an attacker “to use the XSS to target an authenticated user in order to steal the authentication cookies.”
  3. Retrieve admin passwords—both LAN and WAN of D-Link 850L RevB are vulnerable, an attacker can retrieve the admin password and use the MyDLink cloud protocol to add the user’s router to the attacker’s account to gain full access to the device.
  4. Weak cloud protocol— both D-Link 850L RevA and RevB. are vulnerable. MyDLink protocol works via a TCP tunnel that use no encryption at all to protect communications between the victim’s router and the MyDLink account.
  5. Backdoor Access—D-Link 850L RevB routers have backdoor access via Alphanetworks, an attacker can get a root shell on the device.
  6. Private keys hardcoded in the firmware—the private encryption keys are hardcoded in the firmware of both D-Link 850L RevA and RevB. An attacker could extract them to perform man-in-the-middle attacks.
  7. No authentication check—An attacker could alter the DNS settings of a D-Link 850L RevA router via non-authenticated HTTP requests and hijack the traffic.
  8. Weak files permission and credentials stored in cleartext—local files are exposed in both D-Link 850L RevA and RevB.  Credentials are stored in clear text.
  9. Pre-Authentication RCEs as root—the internal DHCP client running on D-Link 850L RevB routers is vulnerable to several command injection attacks, allowing attackers to gain root access on the affected devices.
  10. Denial of Service (DoS) Flaw—An attacker could crash some daemons running in both D-Link 850L RevA and RevB remotely via LAN triggering DoS conditions.
Below the report timeline:
  • Jun 15, 2017: Vulnerabilities found.
  • Jul 03, 2017: This advisory is written.
  • Sep 08, 2017: A public advisory is sent to security mailing lists.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – D-Link 850L Wireless Routers. zero-day)

[adrotate banner=”12″]



you might also like

leave a comment