Overview

Multiple D-Link routers are vulnerable to unauthenticated remote command execution.

Description

Several D-Link routers contain CGI capability that is exposed to users as /apply_sec.cgi, and dispatched on the device by the binary /www/cgi/ssi. This CGI code contains two flaws:
  1. The /apply_sec.cgi code is exposed to unauthenticated users.
  2. The ping_ipaddr argument of the ping_test action fails to properly handle newline characters.

Any arguments after a newline character sent as ping_ipaddr in a POST to /apply_sec.cgi are executed on the device with root privileges. The following devices are reported to be vulnerable:

    • DIR-655
    • DIR-866L
    • DIR-652
    • DHP-1565
    • DIR-855L
    • DAP-1533
    • DIR-862L
    • DIR-615
    • DIR-835
    • DIR-825
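The flaw described above is a classic failure to treat a network-address parameter as data: a value containing a newline is handed to a command interpreter, which reads everything after the newline as a further command. The following is an added illustration, not code from the vulnerability note, from D-Link, or from FortiGuard Labs. It shows the two defensive checks a practitioner would want: a strict validator that accepts only a literal IP address for `ping_ipaddr` and builds the ping command as an argv list rather than a shell string, and a request-inspection function (for a WAF, IDS rule, or log review) that flags POSTs to /apply_sec.cgi whose `ping_ipaddr` value is anything other than an address. Only the path /apply_sec.cgi and the parameter name ping_ipaddr come from the note; how the device selects the ping_test action is not stated there, so the example does not depend on it, and all request bodies below are constructed.

```python
"""Added example: strict handling of a ping-target CGI parameter and a
matching detection check for the newline-injection class of flaw.

Assumptions (not from the vulnerability note): the argv layout of the ping
command, and the sample request bodies, are constructed for illustration.
"""
import ipaddress
from urllib.parse import parse_qs

VULNERABLE_PATH = "/apply_sec.cgi"   # path named in the note
PARAM = "ping_ipaddr"                # parameter named in the note


def validate_ping_target(value: str) -> str:
    """Return the value only if it is a literal IPv4 or IPv6 address.

    ipaddress.ip_address() raises ValueError on whitespace, CR/LF, shell
    metacharacters and hostnames alike, so the caller never has to maintain
    a blocklist of dangerous characters. The value is deliberately not
    stripped: a trailing newline is itself a reason to reject the request.
    """
    return str(ipaddress.ip_address(value))


def is_valid_ping_target(value: str) -> bool:
    """Boolean wrapper around validate_ping_target for callers and tests."""
    try:
        validate_ping_target(value)
        return True
    except ValueError:
        return False


def build_ping_argv(target: str, count: int = 4) -> list:
    """Build the ping command as an argv list (assumed layout).

    Passing a list to subprocess.run() without shell=True means no shell
    ever parses the target, so even a value that slipped past validation
    could not be interpreted as a second command.
    """
    return ["ping", "-c", str(count), validate_ping_target(target)]


def suspicious_ping_request(path: str, body: str) -> bool:
    """Flag a POST to /apply_sec.cgi whose ping_ipaddr is not a plain address.

    parse_qs() URL-decodes the body, so %0A and %0D become real CR/LF
    characters before the check runs. Any non-address value is flagged,
    which also catches encodings or separators this code never anticipated.
    """
    if path != VULNERABLE_PATH:
        return False
    params = parse_qs(body, keep_blank_values=True)
    return any(not is_valid_ping_target(v) for v in params.get(PARAM, []))


def scan_requests(requests) -> list:
    """Return the indexes of (path, body) pairs that should be alerted on."""
    return [i for i, (path, body) in enumerate(requests)
            if suspicious_ping_request(path, body)]


# Constructed sample traffic; the INJECTED token stands in for whatever
# followed the newline in a real request.
SAMPLE_REQUESTS = [
    ("/apply_sec.cgi", "ping_ipaddr=192.168.0.1"),
    ("/apply_sec.cgi", "ping_ipaddr=2001%3Adb8%3A%3A1"),
    ("/apply_sec.cgi", "ping_ipaddr=192.168.0.1%0AINJECTED"),
    ("/apply_sec.cgi", "ping_ipaddr=192.168.0.1%0D%0AINJECTED"),
    ("/index.html", "ping_ipaddr=192.168.0.1%0AINJECTED"),
]

if __name__ == "__main__":
    for i in scan_requests(SAMPLE_REQUESTS):
        print("ALERT:", SAMPLE_REQUESTS[i])
    print(build_ping_argv("192.168.0.1"))
```

Running the module flags the third and fourth sample requests and prints the argv list `['ping', '-c', '4', '192.168.0.1']`. The two halves are complementary: the validator is what a firmware fix would look like, while the request check is what a defender can deploy in front of devices that, as the note says, will not receive a fix.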

We have made a proof-of-concept exploit available, which will disable network connectivity for one minute on affected devices.

Impact

By performing an HTTP POST request to a vulnerable router’s /apply_sec.cgi page, a remote, unauthenticated attacker may be able to execute commands with root privileges on an affected device. This action can happen as the result of viewing a specially-crafted web page.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. The devices listed above are no longer supported by D-Link.

Replace affected devices

Because D-Link is not providing updates to the devices listed above, it is important to replace any affected device with one that is currently supported by the vendor.

Acknowledgements

This vulnerability was coordinated and publicly disclosed by Fortinet’s FortiGuard Labs.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2019-16920
Date Public: 2019-10-03
Date First Published: 2019-10-23
Date Last Updated: 2019-10-25 11:45 UTC
Document Revision: 12