Security Announcement
DIR-626L / DIR-636L / DIR-826L / DIR-836L - Authentication Bypass - USB Storage Directory Traversal - UPnP Buffer Overflow - Cross-Site Request Forgery (CSRF) Unauthenticated Bypass - Information Disclosure (v. 1.02)
Publication ID: SAP10043
Resolved Status: Yes
Published on: 21 August 2014 9:04 GMT
Last updated on: 11 September 2014 12:04 GMT

Overview

The DIR-626L / DIR-636L / DIR-826L / DIR-836L contain five (5) vulnerabilities that present potential security risks. First, one allows a malicious user to bypass authentication and gain administrative-level access to the router’s web management console. This vulnerability is only exposed while an authenticated user session is logged in on the device, which shortens the attacker’s window of opportunity. Second, the USB storage feature allows logged-in users to access restricted content on shared media and on the router’s filesystem. Third, a vulnerability affecting the Universal Plug and Play (UPnP) protocol could allow remote, unauthenticated attackers to execute system commands on the router. Fourth, a vulnerability could be leveraged by a remote, unauthenticated attacker to cause the web browser of a user who is logged in to the device to perform unwanted actions on the router’s web management console. Last, a fifth vulnerability that discloses log-in credentials to an authorized user could be combined with one of the other vulnerabilities to determine further ways to exploit the devices.

References

www.osvdb.org/89624

D-Link Corporation - Internal Research on DIR-826L - Below are the official references for the vulnerabilities found in the devices.

OWASP - Authentication Bypass - Reference

OWASP - Directory Traversal - Reference

Rapid7 - UPnP Vulnerability Buffer Overflow (MiniUPnPd) / CVE-2014-3985 / OSVDB / SecurityFocus - BID-57608

OWASP - Unauthenticated Command Bypass by CSRF - Reference

OWASP - Username Enumeration - Reference - Information Disclosure and Error Handling

theHackerNews


Description

A request can be made to security@dlink.com for the complete report including proof of concept attacks.

Please Note: The initial discovery was for the DIR-826L; it was later found that the DIR-626L, DIR-636L, and DIR-836L share some of these vulnerabilities, based on research reported on 01/18/2014 - http://thehackernews.com/2014/01/asus-wireless-router-leaves-usb-storage.html#

1) Authentication Bypass in Management Console


It was possible to bypass authentication and gain administrative-level access to the management console through forced browsing while a legitimate session was still active. In other words, if a legitimate administrator had logged in recently, an attacker did not need to log in at the homepage first before navigating directly and anonymously to an administrative web page.
An attacker could leverage this vulnerability to view and/or change all configurable settings on the device. For example, by navigating directly to /Storage.asp, an attacker could add a new user account granting privileges to shared media via the Web Access interface.


2) Directory Traversal in Web Access


As an authenticated user, it was possible to access files above the shared media’s root path, as well as above the user’s configured access path, through directory traversal. For example, if the user’s access path was set to ‘/usb_dev/usb_A1/user/’, the user could access higher-level directories and files such as ‘/usb_dev/usb_A1/secret.txt’ by sending the following HTTP GET request:


GET /usb_A1/user/../secret.txt


Leveraging this vulnerability, it was also possible to download the root CA’s private SSL certificate key using the following HTTP GET request:


GET /usb_A1/user/../../caKey.pem


An authenticated user could leverage this vulnerability to access unauthorized files on the shared media or on the router’s filesystem itself.
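The following Python is an added illustration, not code from the advisory or from D-Link's firmware: it contrasts the prefix-check-then-join behaviour the advisory describes with a resolver that normalises the requested path and requires the result to stay inside the configured access root. The mapping between the URL prefix ‘/usb_A1/user/’ and the filesystem root ‘/usb_dev/usb_A1/user/’ is an assumption taken from the advisory's example.

```python
from posixpath import normpath
from typing import Optional
from urllib.parse import unquote

# Constructed values from the advisory's example: the user's configured Web
# Access root and the URL prefix it is assumed to be exposed under.
USER_ACCESS_ROOT = "/usb_dev/usb_A1/user/"
URL_PREFIX = "/usb_A1/user/"


def naive_resolve(access_root: str, url_prefix: str, url_path: str) -> Optional[str]:
    """The behaviour the advisory describes: check the URL prefix, then join.

    Any '..' segments in the remainder are honoured, so the request escapes the
    access root exactly as the GET examples above show.
    """
    url_path = unquote(url_path)  # servers decode %2e%2e before using the path
    if not url_path.startswith(url_prefix):
        return None
    return normpath(access_root + url_path[len(url_prefix):])


def resolve_share_path(access_root: str, url_prefix: str, url_path: str) -> Optional[str]:
    """Hardened variant: normalise first, then require containment in the root.

    Returns the filesystem path to serve, or None when the request must be denied.
    """
    url_path = unquote(url_path)
    if not url_path.startswith(url_prefix):
        return None
    root = normpath(access_root)
    candidate = normpath(access_root + url_path[len(url_prefix):])
    # Containment test: the resolved path is the root itself or lies beneath it.
    # A bare startswith(root) would wrongly accept a sibling such as '.../userX'.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("/usb_A1/user/photos/a.jpg", "/usb_A1/user/../secret.txt",
                "/usb_A1/user/../../caKey.pem", "/usb_A1/user/%2e%2e/secret.txt"):
        print(f"{req:40} naive={naive_resolve(USER_ACCESS_ROOT, URL_PREFIX, req)!s:32} "
              f"hardened={resolve_share_path(USER_ACCESS_ROOT, URL_PREFIX, req)}")
```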


3) Buffer Overflow in MiniUPnP


The router uses a vulnerable version of the MiniUPnP library which could allow an attacker to execute arbitrary system commands on the router to compromise sensitive data, such as account usernames and passwords from the running configuration.


4) Cross-Site Request Forgery (CSRF)


It’s possible for an unauthenticated remote attacker to cause a user’s Web browser to perform unwanted actions on the router’s web management console when the user is actively authenticated, such as changing the admin account password. This attack may be executed in social engineering scenarios where an attacker can lure an authenticated user to click on a maliciously crafted hyperlink which instantaneously triggers the unauthorized action upon clicking.


The example URL would change the admin account password to ‘password’ if an authenticated user clicked on it:


http://X.X.X.X/get_set.ccp?ccp_act=set&loginInfo_Username_1.1.1.0.0=admin&loginInfo_Password_1.1.1.0.0=password


Several sensitive server-side operations supported by the router’s web interface are vulnerable to CSRF attacks.
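As an added detection example that is not part of the advisory, the Python below scans web-server access-log lines for state-changing get_set.ccp requests of the kind shown above whose Referer is not the router itself, which is the pattern a lured browser produces. The combined log format, the router address 192.168.0.1 and the sample lines are constructed assumptions; the Referer header is only a heuristic, since browsers may omit it and it can be manipulated.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (Apache combined format) for a router at 192.168.0.1.
# Line 2 reproduces the advisory's password-change URL arriving from a third-party
# page; line 4 carries no Referer at all; lines 3 and 5 are legitimate console use.
SAMPLE_LOG = """\
192.168.0.20 - - [21/Aug/2014:09:04:01 +0000] "GET /Status.asp HTTP/1.1" 200 5120 "http://192.168.0.1/index.asp" "Mozilla/5.0"
192.168.0.20 - - [21/Aug/2014:09:04:07 +0000] "GET /get_set.ccp?ccp_act=set&loginInfo_Username_1.1.1.0.0=admin&loginInfo_Password_1.1.1.0.0=password HTTP/1.1" 200 88 "http://evil.example/lure.html" "Mozilla/5.0"
192.168.0.20 - - [21/Aug/2014:09:05:00 +0000] "GET /get_set.ccp?ccp_act=get&wlan_ssid=1 HTTP/1.1" 200 310 "http://192.168.0.1/Wireless.asp" "Mozilla/5.0"
192.168.0.20 - - [21/Aug/2014:09:06:12 +0000] "GET /get_set.ccp?ccp_act=set&loginInfo_Password_1.1.1.0.0=newpass HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.168.0.20 - - [21/Aug/2014:09:07:30 +0000] "GET /get_set.ccp?ccp_act=set&wlan_ssid=1 HTTP/1.1" 200 88 "http://192.168.0.1/Wireless.asp" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_suspicious_set_requests(log_text: str, router_host: str) -> List[Dict[str, str]]:
    """Flag ccp_act=set requests whose Referer is not a page served by the router.

    A legitimate console action is issued from a page the router itself served,
    so a state-changing request with a foreign or empty Referer matches the
    cross-site pattern described in the advisory. Only parameter names are
    reported: the query string carries the new password in clear text.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised log line; skip rather than guess
        url = urlsplit(m["target"])
        if url.path != "/get_set.ccp":
            continue
        params = parse_qs(url.query)
        if params.get("ccp_act") != ["set"]:
            continue  # read-only 'get' actions are not state-changing
        referer_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        if referer_host == router_host:
            continue
        changed = sorted(k for k in params if k != "ccp_act")
        hits.append({"ts": m["ts"], "src": m["ip"], "referer": m["referer"],
                     "params": ",".join(changed)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_set_requests(SAMPLE_LOG, "192.168.0.1"):
        print(hit)
```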


5) Username Enumeration in Web Access


User authentication logic on the router disclosed the existence and status of user accounts.


A remote, unauthenticated attacker could perform automated username guessing against the user account logic to enumerate existing, active user accounts. Subsequently, this information could be used to launch automated password guessing attacks in an attempt to compromise accounts and access the shared media.

Recommendations

All devices on your network should have log-in credentials, and if your network has WiFi, please make sure WiFi encryption keys are enabled. Also, for devices that cannot notify the owner of new software updates, check for updates from the device's manufacturer.

Immediately update to the fixed firmware referenced in the table below as it is made available. Please continue to monitor this page for further updates and disclosures.

D-Link recommends that your D-Link router's remote network management feature be disabled (the factory default is disabled) to mitigate a malicious remote user using these vulnerabilities to exploit your router. If remote network management is disabled, a malicious user would need to be on the local network side of the router, or to have compromised another device on the network that could be used to attack the router.

D-Link recommends that all PCs (Windows or Mac) are kept up to date and scanned for viruses, bots, or other damaging software that could compromise the network they are connected to.

WiFi encryption reduces the risk of this vulnerability if the device Web-GUI is accessed over WiFi. If the WiFi network is encrypted, the malicious user would also need to compromise the WiFi encryption, or the PC using the Web-GUI utility, in order to monitor the traffic and intercept the cookie.

The default configuration of D-Link's routers is intended to provide simple installation, ease of use, and the widest interoperability. D-Link Systems (D-Link US) reminds customers to configure their devices specifically for the security concerns within their network infrastructure. In general, D-Link Systems (D-Link US) recommends disabling services not being used, changing/securing device log-in credentials, enabling WiFi encryption, monitoring the router's log files, and configuring access lists for your devices so that security risks for your entire network are minimized.

Affected Product

Model Name | HW Version | Vulnerability Issue Number (Description Section) | Vulnerability Discovered | Vulnerable FW Versions  | Current FW Versions (include fixes)
DIR-626L   | Ax         | 2, 3, 5                                          | 01/18/2014               | v. 1.03 (06/13/2013)    | v. 1.04b04 (01/20/2014)
DIR-636L   | Ax         | 2, 3, 5                                          | 01/18/2014               | v. 1.03 (02/11/2013)    | v. 1.05b07 (01/20/2014)
DIR-826L   | Ax         | 1, 2, 3, 4, 5                                    | 04/16/2013               | v. 1.04b05 (03/22/2013) | v. 1.05b06 (03/21/2014)
DIR-836L   | Ax         | 2, 3, 5                                          | 01/18/2014               | v. 1.03 (02/11/2013)    | v. 1.04b09 (01/20/2014)

Security patch for your D-Link Devices

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.

As there are different hardware revisions of our products, please check the revision on your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device's web configuration.