D-Link Vulnerability Allows Remote Hacking

Introduction

In a previous post we introduced the NetUSB bug, which made millions of routers vulnerable to a simple buffer overflow. Today the Search-Lab team has uncovered a D-Link vulnerability that allows hackers to conduct remote hacking. More than 50 vulnerabilities affect D-Link products, including NAS (Network Attached Storage) and Network Video Recorder (NVR) devices. These vulnerabilities are present in the latest official patch, dated 30-07-2014. According to Search-Lab, these devices are affected by a remote exploitation vulnerability that allows attackers to run arbitrary code on a device and gain full control.

Affected Devices

Main targeted devices during the assessment:
DNS-320, Revision A: 2.03, 13/05/2013
DNS-320L, 1.03b04, 11/11/2013
DNS-327L, 1.02, 02/07/2014
DNR-326, 1.40b03, 7/19/2013

Other devices affected by one or more of the vulnerabilities:
DNS-320B, 1.02b01, 23/04/2014
DNS-345, 1.03b06, 30/07/2014
DNS-325, 1.05b03, 30/12/2013
DNS-322L, 2.00b07

Short Details

  • Attackers can authenticate with default user names such as root/nobody, and the administrator is not able to change the default password for these users.
  • An authentication bypass bug can be used to take full control with no need for exploitation or programming.
  • The session management part of the code allows an attacker to perform an unauthenticated file upload to a location of their choice.

CVE

The following CVEs are available for these vulnerabilities:

CVE-2014-7858: Check_login bypass vulnerability in DNR-326

CVE-2014-7859: Buffer overflow in login_mgr.cgi and in file_sharing.cgi

CVE-2014-7860: Unauthenticated photo publish

Recommendations

Most of the vulnerabilities were fixed in:
– DNS-320L 1.04.B12
– DNS-327L 1.03.B04

Some of the vulnerabilities were fixed in:
– DNR-326 2.10.B03
– DNR-322L 2.10.B03

Don’t expose your device’s web interface to the internet, and disable UPnP in the router.