Overview
Multiple D-Link routers are vulnerable to unauthenticated remote command execution.
Description
Several D-Link routers contain CGI capability that is exposed to users as /apply_sec.cgi, and dispatched on the device by the binary /www/cgi/ssi. This CGI code contains two flaws:
The /apply_sec.cgi code is exposed to unauthenticated users.
The ping_ipaddr argument of the ping_test action fails to properly handle newline characters.
Any arguments after a newline character sent as ping_ipaddr in a POST to /apply_sec.cgi are executed on the device with root privileges. The following devices are reported to be vulnerable:
DIR-655
DIR-866L
DIR-652
DHP-1565
DIR-855L
DAP-1533
DIR-862L
DIR-615
DIR-835
DIR-825
We have made a proof-of-concept exploit available, which will disable network connectivity for one minute on affected devices.
Security bulletin
Solution: buy a new modem. That is not a joke; the routers above are no longer supported.
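A defensive check for the newline flaw described above, as an added example that is not part of the advisory or of D-Link's code: it flags POST requests to /apply_sec.cgi whose ping_ipaddr value is anything other than a literal IP address or a plain hostname. It assumes a form-encoded request body; the function names and the sample requests are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Characters that can appear in an IP literal or hostname. Newlines, spaces,
# '%' and shell metacharacters are all outside this set.
ALLOWED_CHARS = re.compile(r"[0-9A-Za-z.:-]{1,253}")
# Dot-separated labels that start and end with a letter or digit.
HOSTNAME = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*"
)


def is_safe_ping_target(value):
    """True only for a literal IPv4/IPv6 address or a plain hostname."""
    if not ALLOWED_CHARS.fullmatch(value):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME.fullmatch(value) is not None


def suspicious_ping_values(method, path, body):
    """Return the decoded ping_ipaddr values that fail the allow-list.

    Only POST requests to /apply_sec.cgi are inspected. The body is assumed
    to be application/x-www-form-urlencoded, so %0A and %0D are decoded
    before the value is checked.
    """
    if method.upper() != "POST" or path.split("?", 1)[0] != "/apply_sec.cgi":
        return []
    fields = parse_qs(body, keep_blank_values=True)
    return [v for v in fields.get("ping_ipaddr", []) if not is_safe_ping_target(v)]


if __name__ == "__main__":
    # Constructed sample requests: (method, path, body).
    samples = [
        ("POST", "/apply_sec.cgi", "ping_ipaddr=192.0.2.10"),
        ("POST", "/apply_sec.cgi", "ping_ipaddr=router.example"),
        ("POST", "/apply_sec.cgi", "ping_ipaddr=192.0.2.10%0Aplaceholder"),
        ("GET", "/index.html", ""),
    ]
    for method, path, body in samples:
        print(method, path, repr(suspicious_ping_values(method, path, body)))
```

The same allow-list is the check a CGI handler would apply before passing the value to a ping command; rejecting a leading hyphen also keeps the value from being read as a command-line option.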