via heise Security - 06 February 2013
Security expert Michael Messner has identified several holes in D-Link's DIR-300 and DIR-600 routers that allow potential attackers to execute arbitrary commands with little effort. Although current firmware versions are also affected, the router manufacturer does not appear to be planning to close the hole.
Messner describes on his blog how a simple POST parameter allows Linux commands to be executed at root level on vulnerable routers. No password or other authentication is required to do so. In a short test, The H's associates at heise Security found that many of the devices can even be accessed from the internet and managed to inject a harmless command into such a router. A real attacker could randomly exploit systems, for example to divert a router's entire internet traffic to a third-party server.
reproduce the holes in the following firmware versions:DIR-300:
Version 2.12, released 18 January 2012
Version 2.13, released 7 November 2012 (current version)DIR-600:
Version 2.12b02, released 17 January 2012
Version 2.13b01, released 07 November 2012
Version 2.14b01, released 22 January 2013 (current version)As there is virtually no way of preventing an attack at present, the most sensible solution is to decommission the affected routers – and hope that D-Link will provide security updates one day
A port scan can be used to confirm whether a router is accessible from the internet. If it is not accessible, there is no immediate danger, but the risk that commands could be injected via CSRF remains. This can also be tested by calling
in a fresh browser session. If neither an error message nor a request to enter a password is displayed, there is a high risk that the system is, in fact, vulnerable. Users of Linux systems can also check this directly by entering a command such as
curl --data "cmd=ls" http://<router IP>/command.phpOn some devices, the admin front-end runs on port 8080; in this case, something like 22.214.171.124:8080 must be entered as the router IP.Michael Messner blogheise