Multiple D-Link routers are vulnerable to unauthenticated remote command execution.
|Several D-Link routers contain CGI capability that is exposed to users as /apply_sec.cgi, and dispatched on the device by the binary /www/cgi/ssi. This CGI code contains two flaws:|
Any arguments after a newline character sent as ping_ipaddr in a POST to /apply_sec.cgi are executed on the device with root privileges. The following devices are reported to be vulnerable:
We have made a proof-of-concept exploit available, which will disable network connectivity for one minute on affected devices.
|By performing an HTTP POST request to a vulnerable router’s /apply_sec.cgi page, a remote, unauthenticated attacker may be able to execute commands with root privileges on an affected device. This action can happen as the result of viewing a specially-crafted web page.|
|The CERT/CC is currently unaware of a practical solution to this problem. The devices listed above are no longer supported by D-Link.|
|Replace affected devices|
Because D-Link is not providing updates to the devices listed above, it is important to replace any affected device with one that is currently supported by the vendor.
This vulnerability was coordinated and publicly disclosed by Fortinet’s FortiGuard Labs.
This document was written by Will Dormann.