Security Announcement
Announcement > SAP10048
DIR-655 - Rev. Bx - Multiple Vulnerabilities - FW 2.11NA
Publication ID: SAP10048
Resolved Status: Partial
Published on: 22 December 2014 7:29 GMT
Last updated on: 22 December 2014 9:20 GMT

Overview

 

The DIR-655 contains four (4) vulnerabilities accessible from the LAN side of the device that present potential security risks. The first vulnerability allows a malicious user to bypass authentication and gain administrative-level access to the router's web management console. This vulnerability is only exposed while an authenticated user session is logged in on the device and that authenticated user's address is used, which shortens the window of opportunity for the attacker. A second vulnerability allows script injection on some input fields, resulting in Cross-Site Scripting (XSS) against the device configuration interface. A third vulnerability discloses the log-in credentials and WiFi encryption key of an authorized user, because cleartext data is sent between the device's web configuration interface and the authorized user's browser. Last, a fourth vulnerability is a CGI command that returns device configuration information regardless of authentication.

 

References

 

 Keven Jiang :: Contact  :: November 1, 2014
 

Description

 

A request can be made to security@dlink.com for further information.

 

Please note that these vulnerabilities present LAN-side or in-home risks. The device has a feature, off/disabled by default, that allows remote administrative access. If the user turns this feature on/enabled, the device is potentially exposed to these attacks from the outside/Internet.

 

In addition, many of these vulnerabilities require observing a LAN-side user logged into the device in order to gain access. Observing a user configuring the device requires access to your home network, or the use of other security exploits against other home network devices not related to the router, such as your personal computer, tablets, or mobile phones.

 

1) Authentication Bypass in Management Console

 

If a legitimate admin or user logs in to the management console, any other device on the network can bypass the management console authentication by navigating directly to the various .asp pages. The web configuration interface checks that the IP address matches that of the authenticating request. D-Link still qualifies this as an authentication bypass issue: there is no guarantee that two requests from the same IP address come from the same user. Multiple computers behind a NAT will appear to have the same IP address to the management server. In addition, IP address leases are transient and can switch between computers.

The effects of this are amplified by vulnerability #3 below, which allows the attacker to obtain the admin password by navigating directly to http://192.168.0.1/tools_admin.asp
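To make the weakness in issue 1 concrete, the following added example (not D-Link firmware code; the class and field names, the admin password and the idle timeout are constructed for illustration) contrasts a console that authorizes by client IP with one that authorizes by a random session token carried in a cookie. A second host sharing the NAT address is accepted by the first and rejected by the second.

```python
import secrets
import time
from dataclasses import dataclass, field

ADMIN_PASSWORD = "admin-secret"  # constructed value for the example

@dataclass
class Request:
    """Constructed stand-in for a request to the management console."""
    client_ip: str
    cookies: dict = field(default_factory=dict)

class IpBoundConsole:
    """Vulnerable pattern: login records the client IP and every later request
    from that IP is treated as the admin, so another host sharing the address
    (NAT, a reused DHCP lease) is authorized as well."""
    def __init__(self):
        self.logged_in_ip = None

    def login(self, request, password):
        if secrets.compare_digest(password, ADMIN_PASSWORD):
            self.logged_in_ip = request.client_ip
            return True
        return False

    def is_authorized(self, request):
        return request.client_ip == self.logged_in_ip

class TokenBoundConsole:
    """Hardened pattern: login issues an unguessable token in a cookie, every
    request must present it, and the session expires when idle."""
    IDLE_TIMEOUT = 300  # seconds; value chosen for this example

    def __init__(self, clock=time.time):
        self.sessions = {}  # token -> last-seen timestamp
        self.clock = clock

    def login(self, request, password):
        if not secrets.compare_digest(password, ADMIN_PASSWORD):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = self.clock()
        return token  # the caller sets this as the session cookie

    def is_authorized(self, request):
        token = request.cookies.get("session")
        last_seen = self.sessions.get(token)
        if last_seen is None or self.clock() - last_seen > self.IDLE_TIMEOUT:
            return False  # unknown token, or session idle too long
        self.sessions[token] = self.clock()
        return True
```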

 

2) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

 

Input is not properly sanitized by several CGI resources, which can result in cross-site scripting. In particular, arbitrary JavaScript can be injected into login.cgi *without* any admin or user session:

 

<form action="http://192.168.0.1/login.cgi" method="post">
<input type="text" name="html_response_page" value="'}alert('hi')//" />
<input type="submit">
</form>

 

 

3) Cleartext Storage of Sensitive Information in GUI

 

By monitoring an authenticated user, the password can be viewed in the HTML source returned by the router. The admin password is obfuscated, but the code to deobfuscate it is in JavaScript that loads with the page. In fact, the deobfuscation code runs on page load to populate the admin password form field, so an attacker could simply use the browser DOM inspector to retrieve the admin password.

 

The same goes for the symmetric wireless key. It can easily be obtained from the management GUI at http://192.168.0.1/wireless.asp. At first glance this may seem unimportant, because a user who is already on the network must already have the wireless key. However, this may not be the case: the user could be on the guest wireless network or on the wired network. In both scenarios it is reasonable to want to keep the wireless key private.

 

4) Information Disclosure

 

Several resources on the management console reveal information about the router and the devices connected to it. These endpoints are not protected by any type of authentication (even when admin/user passwords are set and neither has logged in, these URLs return device data).

 

http://192.168.0.1/device.xml=ddns_status
http://192.168.0.1/device.xml=device_status
http://192.168.0.1/device.xml=ipv6_status
http://192.168.0.1/device.xml=ipv6_wizard_status
http://192.168.0.1/device.xml=wan_detect_status
http://192.168.0.1/device.xml=wan_detect_status_init
http://192.168.0.1/device.xml=wireless_list

 

Recommendations

 

All devices on your network should have log-in credentials, and if your network has WiFi, please make sure WiFi encryption keys are enabled. Also, for devices that cannot notify the owner of new software updates, check for updates from the device's manufacturer.

 

Immediately update to the fixed firmware referenced in the table below as it is made available. Please continue to monitor this page for further updates and disclosures.

 

D-Link recommends that the remote network management feature of your D-Link router be disabled (the factory default is disabled) to mitigate a malicious remote user using these vulnerabilities to exploit your router. If remote network management is disabled, a malicious user would need to be on the local network side of the router, or to have compromised another device on the network that could be used to attack the router.

 

D-Link recommends that all PCs (Windows or Mac) be kept up to date and scanned for viruses, bots, or other damaging software that could compromise the network they are connected to.

 

WiFi encryption reduces the risk of these vulnerabilities if the device Web GUI is accessed over WiFi. If the WiFi network is encrypted, the malicious user would also need to compromise the WiFi encryption, or the PC using the Web GUI, in order to monitor the traffic and intercept the cookie.

 

The default configuration of D-Link's routers is intended to provide simple installation, ease of use, and the widest interoperability. D-Link Systems (D-Link US) reminds customers to configure their devices specifically for the security concerns within their network infrastructure. In general, D-Link Systems (D-Link US) recommends disabling services that are not being used, changing/securing device log-in credentials, enabling WiFi encryption, monitoring the router's log files, and using access lists for your devices, so that security risks for your entire network are minimized.

 

 

Affected Product

Model Name: DIR-655
HW Version: Bx
Vulnerability Issue Number (Description Section): 1, 2, 4 (corrected); Issue 3 - Under Dev (Jan. 2015)
Vulnerability Discovered: 11/1/2014
Vulnerable FW Versions: v. 2.11NA (08/14/13)
Current FW Versions (include fixes): v2.12b01 (11/19/2014)

 

Security patch for your D-Link Devices

 

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.

 

As there are different hardware revisions of our products, please check the hardware revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device web configuration.