A group of researchers from the Silesian University of Technology in Poland has discovered three vulnerabilities in some models of D-Link routers that could be chained to take full control over the devices.
The flaws are a Directory Traversal (CVE-2018-10822), Password stored in plaintext (CVE-2018-10824), and a Shell command injection (CVE-2018-10823).
“I have found multiple vulnerabilities in D-Link router httpd server. These vulnerabilities are present in multiple D-Link types of routers. All three taken together allow to take a full control over the router including code execution.” reads the security advisory.
The vulnerabilities reside in the httpd server of some D-Link routers, including DWR-116, DWR-111, DIR-140L, DIR-640L, DWR-512, DWR-712, DWR-912, and DWR-921.
Researchers found a directory traversal vulnerability, tracked as CVE-2018-10822, that could be exploited by remote attackers to read arbitrary files using an HTTP request.
The issue was initially reported to D-Link as CVE-2017-6190, but the vendor did not correctly fix the flaw.
This flaw could be exploited to gain access to a file that stores the admin password for the device in clear text.
The storage of password in clear text is tracked as CVE-2018-10824, to avoid abuses the experts did not reveal the path of the files
Researchers also reported another flaw, tracked as CVE-2018-10823, that could be exploited by an authenticated attacker to execute arbitrary commands and take over the device.
Below a video that shows how the flaws could be chained to takeover a device:
The experts reported the flaws to D-Link in May but the vendor still hasn’t addressed them, then the experts publicly disclosed the vulnerabilities.
Waiting for a patch to address the vulnerabilities, users can make their devices not accessible from the Internet.
(Security Affairs – D-Link, hacking)