Researcher discloses 10 D-Link zero-day router flaws

The security researcher says the general public should immediately disconnect their router until patches are available.







When a zero-day vulnerability becomes public, of which by its nature no patches or fixes are available at the time, one is enough for vendors to come to terms with in order to rapidly devise a solution.

D-Link now has 10 such previously-unknown bugs on its plate to fix.

Last week, security researcher Pierre Kim chose to publicly disclose his findings related to D-Link 850L routers due to “difficulties” working with the vendor on a coordinated disclosure.

In a blog post, Kim said the flaws were found in the D-Link 850L, a wireless AC1200 dual-band gigabit cloud router, which also enables users to use Mydlink Cloud Services to access their home networks remotely.

Kim describes the product as a “router overall badly designed with a lot of vulnerabilities,” and says that he was able to compromise everything, from the LAN to the WAN, as well as the custom MyDlink cloud protocol.

There are two different versions of the router, revA and revB, available and the vulnerabilities below impact both.

•Firmware “protection”: The latest firmware for version A is not protected and firmware images can be forged by attackers. Version B firmware is password-protected with a hardcoded password — in other words, extremely poorly.

•WAN & LAN – revA – XSS: PHP files found within the router system can be exploited and if attackers use a number of XSS flaws within, they can steal authentication cookies.

•WAN & LAN – revB – Retrieving admin password, gaining full access using the custom mydlink Cloud protocol: Without breaking D-Link’s terms of use, Kim found vulnerabilities which could allow attackers to abuse the MyDLink cloud protocol and register the router to their own accounts to gain full, unfettered access.

•WAN – revA and revB – Weak Cloud protocol: The MyDlink Cloud protocol is little more than a basic TCP relay system and has no encryption by default. Traffic is sent over TCP to Amazon servers without encryption. To make matters worse, the router interface allows users to enter credentials for their email accounts, which are then sent from the router to server without encryption or suitable verification. Passwords are also stored in cleartext.

•LAN – revB – Backdoor access: The router model has a backdoor which can be accessed by logging in with Alphanetworks and a supplied password, granting an attacker root access and control.

•WAN & LAN – revA and revB – Stunnel private keys: The router’s stunnel private keys are hardcoded, which paves the way for SSL Man-in-The-Middle (MiTM) attacks.

•WAN & LAN – revA – Nonce bruteforcing for DNS configuration: DNS configuration can be changed without admin user authentication checks, allowing for routing and bruteforce attacks.

•Local – revA and revB – Weak files permission and credentials stored in cleartext: Some files have weak permission setups and store credentials in cleartext.

•WAN – revB – Pre-Auth RCEs as root (L2): The DCHP client running on the router is vulnerable to a number of command injections as root, leading to potential remote code execution. If a vulnerable router is connected to an internal network, the attack will also make the network vulnerable to exploit.

•LAN – revA and revB – DoS against some daemons: A number of daemons can be crashed remotely.

The bugs were discovered in June this year, the advisory was written up in July, and the public advisory appearing on security mailing lists last week.

“Due to difficulties in previous exchange[s] with D-Link, Full-disclosure is applied,” Kim says. “Their previous lack of consideration about security made me publish this research without coordinated disclosure.”

“I advise to immediately disconnect vulnerable routers from the Internet,” the researcher added.

According to the security researcher, he has chosen full disclosure even though no patches have been issued to fix all of the issues.

Kim has apparently experienced trouble with D-Link in the past, with a disclosure last February resulting in no acknowledgment from the vendor, but rather just the silent issue of a patch which fixed only one problem of many.

Rather than contact the researcher, D-Link apparently downplayed the findings, claiming the security researcher found the issues “by chance.”

ZDNet has reached out to D-Link and will update if we hear back.