Security Announcement
DIR-645 - Multiple Security Vulnerabilities: Buffer Overflow and Cross-site (XSS) Scripting - Firmware 1.03B08 and lower
Publication ID: SAP10008
Status: Resolved
Published on: 19 December 2013 6:56 GMT
Last updated on: 31 December 2013 6:50 GMT

Overview

The D-Link DIR-645 Whole Home Router 1000 IEEE 802.11n Wired/Wireless Router has multiple vulnerabilities that allow malicious users to exploit its system software. Used in a specific manner, these vulnerabilities allow an attacker to gain access to the system configuration, which can cause unreliable operation or malfunction.

D-Link Security Incident Response Policy

All public communication on this issue will be offered at http://securityadvisories.dlink.com/security/

Our security response team can be contacted for incident information or to report incidents at security@dlink.com

For any non-critical security issue, help updating firmware, or configuration questions regarding this issue, please contact your D-Link customer care channel.

 

Reference

Roberto Paleari - roberto@greyhats.it or @rpaleari (Twitter) - Disclosure 03/06/2013 - http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt

Exploit Database - http://www.exploit-db.com/exploits/27283/

Michael Messner - Multiple Vulnerabilities in D-Link devices - http://www.s3cur1ty.de/m1adv2013-017

General Disclosure

Security and performance are of the utmost importance to D-Link across all product lines, not just through the development process but also through regular firmware updates to comply with current safety and quality standards. We are proactively working with the sources of these reports and continuing to review the complete product line to ensure that the vulnerabilities discovered are addressed. We will continue to update this page to include the relevant product firmware updates addressing these concerns. In the meantime, you can follow the precautions below to avoid unwanted intrusion into your D-Link product.

 

Immediate Recommendations for all D-Link router customers

·       Remote Management, which exposes configuration services to the WAN/Internet, should be left at its default setting (off) to limit possible malicious attacks. Keeping Remote Management off does not fully mitigate exposure to these vulnerabilities, but it will minimize the exposure until the owner can upgrade to the new firmware offered below.

·       If you receive unsolicited e-mails that relate to security vulnerabilities and prompt you to take action, please ignore them. Clicking on links in such e-mails could allow unauthorized persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages asking you to click or install something.

·       Make sure that your wireless network is secure.

·       Do not provide your admin password to anyone. If required, we suggest updating the password frequently.

 

Details

The DIR-645 is susceptible to multiple vulnerabilities that may allow a malicious user to access the device and modify its configuration. All of them are exploitable by remote, unauthenticated attackers. Further information can be found in the original disclosures referenced above.

 

Buffer overflow on post_login.xml

Invoking the "post_login.xml" server-side script, attackers can specify a "hash" password value that is used to authenticate the user. This hash value is eventually processed by the "/usr/sbin/widget" local binary. However, the latter copies the user-controlled hash into a statically-allocated buffer, allowing attackers to overwrite adjacent memory locations.

 

Buffer overflow on hedwig.cgi

Another buffer overflow affects the "hedwig.cgi" CGI script. Unauthenticated remote attackers can invoke this CGI with an overly long cookie value that can overflow a program buffer and overwrite the saved program address.

 

Buffer overflow on authentication.cgi

The third buffer overflow vulnerability affects the "authentication.cgi" CGI script. This time the issue affects the HTTP POST parameter named "password". Again, this vulnerability can be abused to achieve remote code execution. As with all the previous issues, no authentication is required.
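The three overflows above share one defect class: a request-controlled value (the post_login.xml "hash", the hedwig.cgi cookie, the authentication.cgi "password") is copied into a fixed-size buffer with no length check. The following C example is added here and is not D-Link's code or the code of the "widget" binary or the CGI scripts; the buffer size, the function names and the sample inputs are assumptions made for illustration. It shows the unchecked copy beside a bounded version that rejects any value that does not fit, which is the fix a reviewer would expect for this class of bug.

```c
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed buffer. The advisory does not state the real size used
 * by the "widget" binary; 64 is an assumption for this example. */
#define HASH_BUF_SIZE 64

/* Statically allocated destination, as the advisory describes. */
static char g_hash[HASH_BUF_SIZE];

/* The defect class described above: the request-controlled value is copied with
 * no length check, so anything longer than HASH_BUF_SIZE - 1 bytes is written
 * past the end of g_hash into whatever memory follows it. Shown for contrast
 * only; nothing below calls it. */
void store_hash_unsafe(const char *hash_from_request)
{
    strcpy(g_hash, hash_from_request);
}

/* Bounded version: locate the terminator within the buffer's capacity before
 * copying, reject anything that does not fit, and terminate explicitly.
 * Returns 0 when stored, -1 when the value is rejected. */
int store_hash_safe(const char *hash_from_request)
{
    if (hash_from_request == NULL)
        return -1;
    /* memchr scans at most HASH_BUF_SIZE bytes and stops at the first match, so
     * an overlong value is detected without reading beyond that bound. */
    const char *end = memchr(hash_from_request, '\0', HASH_BUF_SIZE);
    if (end == NULL)
        return -1;                  /* no room for the value plus terminator */
    size_t n = (size_t)(end - hash_from_request);
    memcpy(g_hash, hash_from_request, n);
    g_hash[n] = '\0';
    return 0;
}

const char *stored_hash(void)
{
    return g_hash;
}

/* Helper (assumed for this example): submit a value made of `len` copies of
 * `fill` (capped at 255 bytes) and report whether the bounded store took it. */
int try_store_run(char fill, size_t len)
{
    char value[256];
    if (len > sizeof(value) - 1)
        len = sizeof(value) - 1;
    memset(value, fill, len);
    value[len] = '\0';
    return store_hash_safe(value);
}

int main(void)
{
    /* Constructed inputs: a normal-looking 32-character hex hash and an
     * overlong value of the kind that would trigger the unchecked copy. */
    printf("32-char hash accepted: %s\n",
           store_hash_safe("0123456789abcdef0123456789abcdef") == 0 ? "yes" : "no");
    printf("200-byte value rejected: %s\n",
           try_store_run('A', 200) == -1 ? "yes" : "no");
    return 0;
}
```

The bounded version deliberately refuses rather than truncates: silently cutting a credential hash to 63 bytes would still authenticate against something, just not what the caller sent. Rejecting the request and logging it is the safer failure mode, and a spike in such rejections is a useful detection signal on a device that normally only sees short hashes.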

 

Cross-Site Scripting (XSS)

Cross-site scripting (XSS), an attack that comes in several forms, is one in which the attacker embeds malicious code in a link that appears to come from a trustworthy source, in this case the DIR-645. If a user located behind the DIR-645 clicks on the untrusted link, the embedded malicious code is submitted as part of the user's request and executes in the context of the router's web interface, allowing the attacker to read or change the configuration. An XSS attack can leave the DIR-645 malfunctioning and/or unstable for the user.

·       Cross-site scripting (XSS) on bind.php

·       Cross-site scripting (XSS) on info.php

·       Cross-site scripting (XSS) on bsc_sms_send.php
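The three pages listed above reflect request parameters back into HTML; the standard mitigation is to escape every reflected value before it is emitted. The following C example is added here and is not D-Link's code or the code of bind.php, info.php or bsc_sms_send.php; the function names, the buffer sizes and the sample page fragment are assumptions. It shows an HTML-escaping routine of the kind a CGI program on the device would apply to each reflected value, with truncation detection so that an oversized value is rejected rather than emitted partially.

```c
#include <stdio.h>
#include <string.h>

/* Replace the characters that can terminate an HTML text node or attribute
 * value with their entity forms. At most out_size-1 bytes are written and the
 * output is always terminated. Returns the length the fully escaped string
 * needs (terminator excluded); a result >= out_size means it was truncated. */
size_t html_escape(const char *in, char *out, size_t out_size)
{
    size_t needed = 0, written = 0;
    int full = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p != '\0'; p++) {
        char plain[2] = { (char)*p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = plain;    break;
        }
        size_t len = strlen(rep);
        needed += len;
        /* Write only whole replacements, and stop at the first one that does
         * not fit so the output never contains a half-written entity. */
        if (!full && written + len < out_size) {
            memcpy(out + written, rep, len);
            written += len;
        } else {
            full = 1;
        }
    }
    if (out_size > 0)
        out[written] = '\0';
    return needed;
}

/* Build the fragment that echoes a submitted value, the way a page such as
 * bind.php might display a form field. Hypothetical helper for this example.
 * Returns 0 on success, -1 if the escaped value or the fragment does not fit. */
int render_echo_fragment(const char *value, char *page, size_t page_size)
{
    char escaped[256];
    if (html_escape(value, escaped, sizeof escaped) >= sizeof escaped)
        return -1;
    int n = snprintf(page, page_size, "<p>You entered: %s</p>", escaped);
    if (n < 0 || (size_t)n >= page_size)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed input: a value containing markup, as an untrusted request
     * parameter might. Once escaped it renders as literal text, not as tags. */
    char page[512];
    if (render_echo_fragment("<b>bold</b> & \"quoted\"", page, sizeof page) == 0)
        puts(page);
    return 0;
}
```

Escaping at the point of output is the part that matters: a value that was "validated" on the way in can still reach the page through another code path, whereas a single escaping call on every write to the response covers all of them. The truncation check exists because an escaped value can be up to six times longer than the input, and a fixed buffer that is too small would otherwise become a second bug of the kind described in the previous sections.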

 

To close these vulnerabilities, D-Link has released new firmware.

Affected Products

 

Model Name | HW Version | Current FW Version   | New FW Version
-----------|------------|----------------------|--------------------------------------------
DIR-645    | A1         | v. 1.03B08 and lower | Firmware v. 1.04B11 (Release Notes: below)

 

Security patches for your D-Link Product

These firmware updates address the security vulnerabilities in the affected D-Link products. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.

As our products exist in different hardware revisions, please check the revision of your device before downloading the corresponding firmware update. The hardware revision is usually printed on the product label on the underside of the product, next to the serial number. Alternatively, it can be found in the device's web configuration interface.

To update the firmware, log in to the web GUI of your DIR-645 and, from the menu, select Maintenance -> System -> Upgrade Firmware. If you require help, please contact your regional D-Link customer care website for options.

 

 

DIR-645 Revision A1

Firmware: v.1.04B11

Release Notes:

Vulnerabilities Addressed
- Fix: the admin password field accepted and saved a complex password, then did not allow the user to use the new complex password
- Fix buffer overflow on "post_login.xml"
- Fix buffer overflow on "hedwig.cgi"
- Fix buffer overflow on "authentication.cgi"
- Fix cross-site scripting (XSS) on "bind.php"
- Fix cross-site scripting (XSS) on "info.php"
- Fix cross-site scripting (XSS) on "bsc_sms_send.php"
- Fix web file access API: the getfile path may no longer include ../
- Fix authentication bypass before directory scanning in the router (__ajax_explorer.sgi)
- Fix script injection issue: curl -H "Cookie: uid=9gIdu6X6nF" -d "EVENT=%26%20telnetd%26" http://192.168.0.1/service.cgi would execute telnetd
- Fix authentication bypass on version.php, which disclosed too much router information
- Fix widget functions and remove related files such as router_info.xml from unauthorized access
- Fix: disable telnetd once the router is no longer in its factory-default configuration
- Fix unauthorized POST requests to command.php that could execute commands on the router
- Fix vulnerabilities discovered and disclosed by Roberto Paleari <roberto@greyhats.it>