Security researchers Miguel Mendez Zuniga and Pablo Pollanco from Telefonica Chile disclosed proof-of-concept (PoC) exploits for remote code execution and information disclosure vulnerabilities affecting many D-Link routers.
The remote command execution vulnerability, tracked as CVE-2019-17621, is found in the code used to handle UPnP requests and can allow an unauthenticated attacker to take control of vulnerable devices. The vulnerability can only be exploited by an attacker with access to the same local area network segment as the vulnerable device.
In mid-October, D-Link was informed about the flaw by a third-party company. The initial security advisory identified only the DIR-859 router as vulnerable; later, tens of D-Link DIR models were added to the list of vulnerable devices.
“In order for this security exploit to be done a malicious user would have to get access to the LAN-side or in-home access to the device which narrows the risk of an attack considerably. Regardless, we appreciate the third party's report, confirmed and released patches to close this issue,” states the advisory published by D-Link.
The unauthenticated information disclosure issue
The other vulnerability is an information disclosure issue, which an attacker can exploit to obtain the device’s VPN configuration file, potentially exposing sensitive information.
“The phpcgi_main() function is executed as the entry point of the phpcgi binary (which, in reality, is a symbolic link to the binary /hotdogs/cgibin). This function processes all HTTP requests of type HEAD, GET or POST whose requested file extension is php, asp, etc. Also, it obtains and processes the parameters set in the URL, creating strings (in the form “KEY=value”) and passing them to the PHP interpreter,” reads the post.
“Due to a mistake in the processing of the request body, it is possible to bypass the authentication required by the device when accessing certain PHP files, by sending a specially crafted HTTP request.”
Advisory published by the vendor
D-Link has already released firmware updates that should address the vulnerabilities for some of the impacted devices and should soon release fixes for the remaining ones. Some of the vulnerable models have reached end of life and will not receive patches.