Security Advisories
DI-524/524UP/604+/604UP/624S, DIR-100/120, and TM-G524G authenticate administrative access using specific User-Agent string resulting in a stack-overflow vulnerability
Publication ID: SAP10001
Resolved Status:
Published on: 6 November 2013 10:13 GMT
Last updated on: 27 February 2014 10:21 GMT

Overview

 

Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string. This backdoor allows an attacker to bypass password authentication and access the router's administrative web interface. Exploiting these vulnerabilities may cause the device to become unstable and unreliable. Planex and Alpha Networks devices may also be affected; please contact these vendors directly at their regional websites.

 

D-Link Security Incident Response Policy

 

All public communication on this issue will be offered at http://securityadvisories.dlink.com/security/

Our security response team can be contacted for incident information or to report incidents at security@dlink.com

For any non-critical security issue, help in updating firmware, or configuration questions regarding this issue, please contact your D-Link customer care channel.

 

 

Reference

 

US-Cert - VU# 248083 - http://bit.ly/17w4qzK 
CVE-2013-6026 - Craig Heffner - http://1.usa.gov/Ha5DG4
CVE-2013-6027 - Craig Heffner - http://1.usa.gov/Ha5DG0

Craig Heffner, Tactical Network Solutions & Independent Security Professional - http://bit.ly/1bOtb1F

 

General Disclosure

 

Security and performance are of the utmost importance to D-Link across all product lines. This applies not just to the development process but also to regular firmware updates that comply with current safety and quality standards. We are proactively working with the sources of these reports and continuing to review the complete product line to ensure that the vulnerabilities discovered are addressed. We will continue to update this page to include the relevant product firmware updates addressing these concerns. In the meantime, you can take the precautions below to avoid unwanted intrusion into your D-Link router.

 

Immediate Recommendations for all D-Link router customers

     

  • Do not enable the Remote Management feature, since this will allow malicious users to use this exploit from the internet. Remote Management is disabled by default on all D-Link routers and is included for customer care troubleshooting, if useful and the customer enables it.
  • If you receive unsolicited e-mails that relate to security vulnerabilities and prompt you to take action, please ignore them. Clicking on links in such e-mails could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages asking you to click or install something.
  • Make sure that your wireless network is secure.

 

Details

 

If the device owner has enabled the 'Remote Management' feature on the affected device, or a malicious attacker has found a way to enable this feature, this exploit allows remote attackers to bypass authentication and modify settings via an xmlset_roodkcableoj28840ybtide User-Agent HTTP header. Should an affected device be exploited under CVE-2013-6026 (http://1.usa.gov/Ha5DG0), the user runs the risk of attacks presented in CVE-2013-6027. CVE-2013-6027 (http://1.usa.gov/Ha5DG0) describes a stack-based buffer overflow in the RuntimeDiagnosticPing function in /bin/webs on D-Link DIR-100 routers that might allow remote authenticated administrators to execute arbitrary commands via a long set/runtime/diagnostic/pingIp parameter to Tools/tools_misc.xgi.
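
The two conditions described above, expressed as log-scanning detection logic (an added example, not part of the original advisory and not D-Link code). It assumes requests to the router's web interface are logged in Apache-style combined format by a proxy or sensor, that the pingIp parameter appears in the request's query string, and that 64 characters is a reasonable length limit; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Values quoted in the advisory's Details paragraph (path compared lowercased).
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"
PING_PATH = "tools/tools_misc.xgi"
PING_PARAM = "set/runtime/diagnostic/pingIp"
MAX_PING_LEN = 64  # assumption: longest legitimate ping target; tune locally

# Assumption: "combined" access-log format from a proxy or sensor.
LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def findings_for(line):
    """Return (source, status, [findings]) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparsable lines are skipped, not flagged
    hits = []
    if BACKDOOR_UA in m["ua"]:
        hits.append("backdoor-user-agent")
    url = urlsplit(m["target"])
    if url.path.lstrip("/").lower() == PING_PATH:
        # parse_qsl percent-decodes, so encoded parameter names still match.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == PING_PARAM and len(value) > MAX_PING_LEN:
                hits.append("oversized-pingIp")
    return (m["src"], int(m["status"]), hits) if hits else None

def scan(lines):
    """Return findings for every suspicious line, in log order."""
    return [f for f in map(findings_for, lines) if f]

# Constructed sample log lines (documentation address ranges, not real traffic).
_FMT = '{} - - [06/Nov/2013:10:13:00 +0000] "GET {} HTTP/1.1" 200 0 "-" "{}"'
_PING = "/Tools/tools_misc.xgi?set/runtime/diagnostic/pingIp="
SAMPLE = [
    _FMT.format("192.0.2.10", "/index.htm", "Mozilla/5.0"),
    _FMT.format("192.0.2.10", _PING + "192.0.2.1", "Mozilla/5.0"),
    _FMT.format("198.51.100.7", "/index.htm", BACKDOOR_UA),
    _FMT.format("198.51.100.7", _PING + "A" * 200, BACKDOOR_UA),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit on the User-Agent from any source other than a known management host is worth investigating regardless of the HTTP status returned, since patched firmware may still receive probes.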

 

Affected Products

 

WW = Worldwide English Version - Used in North America     CN = China     EU = Europe     FR = France     DE = Germany     KR = Korea     TW = Taiwan     RU = Russia

Model Name   HW Version   Current FW Version   New FW Version for this exploit fix
DIR-100      A1           1.13                 1.14B02 (WW); 1.14B02 Regional (CN, EU, FR, DE, KR, TW)
DIR-120      A1           1.03; 1.04RU         1.05B02 (WW); 1.05B02 (RU)
DI-524       E3/E4        5.12                 5.13B01 (WW)
DI-524UP     A1/A2        1.07                 1.08B02 (WW)
DI-604UP     A1           1.03                 1.04B02 (WW)
DI-604+      A1           1.10                 1.11B03 (WW)
DI-624S      B1/B2        1.11                 1.12B02 (WW); 1.12B02 (TW)
TM-G5240     A1           4.00B29              4.01B02 (WW)

 

Security patch for your D-Link router

 

These firmware updates address the security vulnerabilities in affected D-Link routers. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.

 

As there are different hardware revisions of our products, please check the revision on your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can be found in the device's web configuration.

 

Please make sure you follow the firmware install guide provided within the ZIP firmware package.

 

DIR-100 Revision A1
The new firmware 1.14B02 that fixes the security vulnerabilities

1.14B02 Worldwide (1.14B02 (WW))

1.14B02 Regional (CN, EU, FR, DE, KR, TW)

WW = Worldwide English Version - Used in North America     CN = China     EU = Europe     FR = France     DE = Germany     KR = Korea     TW = Taiwan     RU = Russia

 

DIR-120 Revision A1
The new firmware 1.05B02 that fixes the security vulnerabilities

1.05B02 (WW)

1.05B02 (RU)

WW= Worldwide English Version - Used in North America   RU=Russia

 

DI-524 Revision E3/E4
The new firmware 5.13B01 that fixes the security vulnerabilities
5.13B01 (WW)

WW= Worldwide English Version - Used in North America

 

DI-524UP Revision A1/A2
The new firmware 1.08B02 that fixes the security vulnerabilities
1.08B02 (WW)

WW= Worldwide English Version - Used in North America

 

DI-604UP Revision A1
The new firmware 1.04B02 that fixes the security vulnerabilities
1.04B02 (WW)

WW= Worldwide English Version - Used in North America

 

DI-604+ Revision A1
The new firmware 1.11B03 that fixes the security vulnerabilities
1.11B03 (WW)

WW= Worldwide English Version - Used in North America 

DI-624S Revision B1/B2
The new firmware 1.12B02 that fixes the security vulnerabilities

1.12B02 (WW)

1.12B02 (TW)

WW= Worldwide English Version - Used in North America     TW=Taiwan 

 

TM-G5240 Revision A1
The new firmware 4.01B02 that fixes the security vulnerabilities

 4.01B02 (WW)

WW= Worldwide English Version - Used in North America