D-Link DIR-600 Firmware 2.10 Vulnerabilites

The D-Link router model DIR-600 had a bunch of vulnerabilities that allowed an attack to gain either knowledge about internal device and network details without being authenticated, or allowing for remote shell access1. The latter is however restricted to firmware versions 2.12-2.14, as it depends on unauthenticated access to a command.php script that allows for shell command execution.

Firmware version 2.10 does not yet possess that feature/vulnerability. However, a router feature used to test the availability of a remote host (ping) allows for shell script access through unescaped user input in the input field for the target hostname. The fact that this script is also accessible by an unauthenticated user, opens it up for exploitation.
curl http://<router ip>/diagnostic.php -d "act=ping&dst=google.com;telnetd"
will execute telnetd on the router, consequently allowing telnet access on port 23 without any login credentials. Following that, an attacker can read the contents of the /var/etc/passwd file and retrieve the unencrypted plaintext login credentials for the web interface.

In addition to that, the firmware leaks a lot of internal information, such as WPA PSK and WPS PIN, to an unauthenticated user through the getcfg.php script.

  1. http://www.s3cur1ty.de/node/672 

Leave a Reply

Your email address will not be published. Required fields are marked *