Pierluigi Paganini January 03, 2020

Experts disclosed PoC exploits for remote command execution and information disclosure vulnerabilities affecting many D-Link routers.

Security researchers Miguel Méndez Zúñiga and Pablo Pollanco from Telefónica Chile recently published Proof-of-concept (PoC) exploits for remote command execution and information disclosure vulnerabilities affecting many D-Link routers.

The security duo published on Medium the technical details of the vulnerabilities in two posts along with PoC videos for their exploitation.

One of the flaws is a remote command execution flaw, tracked as CVE-2019-17621, that resides in the code used to manage UPnP requests.  The vulnerability could be exploited by an unauthenticated attacker to take control of vulnerable devices. The vulnerability could be only exploited by an attacker with access to the same local area network segment of the vulnerable device.

“The remote code execution vulnerability was found in the code used to manage UPnP requests.” reads the post published by the experts.

The experts published the analysis and the Metasploit exploit code on GitHub (Router D-LINK RCE).

“The original security vulnerability, filed under CVE-2019-17621 and CVE-2019-20213 with D-Link original response found here, allowed a malicious user an unathenticated remote command execution on the LAN-Side (in-home).” reads the advisory published by D-Link.

“In order for this security exploit to be done a malicious user would have to get access to the LAN-side or in-home access to the device which narrows the risk of an attack considerably. Regardless we appreicate the 3rd parties report, confirmmed and released patches to close this issue.””

D-Link, was informed about the flaw by a third-party company in mid-October, but its initial security advisory only identified the DIR-859 router family as being vulnerable. Later, the vendor updated the advisory and included tens of D-Link DIR models in the list of vulnerable devices.

The other vulnerability is an information disclosure issue that could be exploited by an attacker to obtain a device’s VPN configuration file, potentially exposing sensitive information.

“The phpcgi_main() function is executed as the entry point of the phpcgi binary (which, in reality, is a symbolic link to the binary /htdocs/cgibin). This function processes all HTTP requests of type HEAD, GET or POST, whose file extension requested are php, asp, etc. Also, it obtains and processes the parameters set in the URL, creating strings (in the form “KEY=value”) and passing them to the PHP interpreter.” reads the post published by the experts.

“Due to a mistake in the processing of the request body, it is possible to bypass the authentication required by the device when accessing certain PHP files, by sending a specially crafted HTTP request”

The advisory published by the vendor is available here.

D-Link has already released firmware updates that should address the vulnerabilities for some of the impacted devices and should soon release the fixes for the remaining ones. Some of the vulnerable models that have reached end of life will not receive patches.

Pierluigi Paganini

(SecurityAffairs – D-Link, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]