Researcher publicly discloses 10 zero-day flaws in D-Link 850L routers

Citing previous vulnerability disclosure problems with D-Link, a security researcher went public with 10 zero-day flaws in D-Link 850L routers and advised the masses to immediately disconnect affected routers.

Researcher publicly discloses 10 zero-day flaws in D-Link 850L routers
Kacper Pempel, Reuters

Peeved about previous vulnerability disclosures experiences with D-Link, a security researcher has publicly disclosed 10 zero-day vulnerabilities in D-Link DIR 850L wireless AC1200 dual-band gigabit cloud routers.

Security researcher Pierre Kim opted to publicly disclose the vulnerabilities this time, citing a “very badly coordinated” disclosure with D-Link in February. That time around he had reported nine vulnerabilities, but he said it took D-Link five months to release new firmware that ended up patching only one of the flaws he found.

Overall, Kim says D-Link 850L routers are “badly designed” as “basically, everything was pwned, from the LAN to the WAN. Even the custom MyDLink cloud protocol was abused.”

The 10 publicly disclosed D-Link 850L zero-day flaws

Kim said the 10 zero-day flaws affect both D-Link 850L revision A and revision B. Without further ado, let’s jump right to the zero-days.

1. Firmware “protection” — Kim says “protection of the firmware images is non-existent;” an attacker could upload firmware to the router. Firmware for D-Link RevA has no protection at all, while firmware for D-Link RevB is protected but with a hardcoded password.

2. Both LAN and WAN of D-Link 850L RevA are vulnerable to “several trivial” cross-site scripting (XSS) flaws. Kim gives examples of four XSS vulnerabilities in the PHP code of the router admin panel. “An attacker could use the XSS to target an authenticated user in order to steal the authentication cookies,” he said.

3. Both LAN and WAN of D-Link 850L RevB are also vulnerable. Kim said an attacker could retrieve the admin password and use the MyDLink cloud protocol to add the device to the attacker’s account in order to gain full access to the router.

He gives a rather detailed attack scenario but added a disclaimer that his findings “were discovered without exceeding D-Link terms of use. This simply demonstrates how much broken this service is at the time of writing (run away!).”

4. Weak cloud protocol affects both D-Link 850L RevA and RevB. Kim noted that not only does D-Link store the passwords of all devices using the MyDLink service in cleartext, but the TCP relay system uses no encryption at all to protect communications between the user and MyDLink.

The MyDLink interface allows users to enter credentials such as for a Gmail account, which “doesn’t seem to be a good idea, as the traffic between the router and the cloud platform is not encrypted or encrypted using a self-signed certificate without verification and the passwords are sent over this tunnel using the Internet.”

Kim added, “These vulnerabilities may affect some D-Link NAS/routers/cameras (every device that supports the MyDLink cloud protocol).”

5. D-Link 850L RevB routers have backdoor access. Kim said logging into Alphanetworks (with the supplied password) would allow an attacker to get root shell on the device.

6. The stunnel private keys are hardcoded in the firmware of both D-Link 850L RevA and RevB, allowing for man-in-the-middle (MitM) attacks.

7. Since there is no authentication check, an attacker could change the DNS configuration of a D-Link 850L RevA router, forward the traffic to his or her server, and take control of the device.

8. Local files are exposed in both D-Link 850L RevA and RevB; weak file permissions and weak credentials are stored in cleartext.

9. The DHCP client running on D-Link 850L RevB routers is vulnerable to several command injection attacks that result in root access. Kim again gives a detailed description before adding a “bonus point” and noting, “This attack will be relayed to internal clients using the DHCP server running inside the router. So if you connect a vulnerable D-Link router to the internal network, it will be pwned too.”

10. Some daemons running in both D-Link 850L RevA and RevB have DoS flaws and can be crashed remotely via LAN.

Kim again noted, “Due to difficulties in previous exchange with D-Link, full-disclosure is applied. Their previous lack of consideration about security made me publish this research without coordinated disclosure.”

He added:

I advise to IMMEDIATELY DISCONNECT vulnerable routers from the Internet.

Full details of the vulnerabilities can be found on Kim's site, as well as on security mailing lists.

Related:
NEW! Download the Winter 2018 issue of Security Smart