Several router models from D-Link are vulnerable to three security bugs that could help an attacker get full control over them.
Taken separately, the vulnerabilities are a path traversal, securing passwords in plain text and shell command execution; but by chaining them together an attacker could run code of their own on the devices.
Cascade of bugs lead to code execution
First on the list is the path traversal security gap, identified as CVE-2018-10822, which permits a remote attacker to read arbitrary files. This issue emerged because of an incorrect repair of a different bug reported last year.
A flaw like this can get the attacker in the passwords folder, where the administrator credentials reside.
This leads to the second vulnerability, passwords stored in plain text, tracked as CVE-2018-10824. Using the path traversal flaw one can access the password folder and check the configuration file containing the sensitive information.
Third on the list of bugs affecting some D-Link models is CVE-2018-10823 – a shell command injection that gives an authenticated attacker the possibility to execute arbitrary code on the device.
“An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals,” explains the advisory.
The vulnerabilities have been reported by Błażej Adamczyk of the Silesian University of Technology in Poland, who also provided proof-of-concept (PoC) code. He also made a video demonstrating the chained attack over a vulnerable router.
Eight models affected, only two get patches
The router models affected by the vulnerability trio are DWR-116, DIR-140L, DIR-640L, DWR-512, DWR-712, DWR-912, DWR-921, DWR-111.
Adamczyk notified D-Link about the vulnerabilities back in May, and he received the response that patches would be available for only two of the device models (DWR-116 and DWR-111) because the rest of them reached end of life.
Although the vendor no longer supports them, there is a good chance that the vulnerable variants are still active. They may not be reachable over the internet, but hackers can still get to them.
The PoC code demonstrating the glitches is simple enough to be delivered through malvertising. This way, all the user has to do to get their router compromised is load the wrong web page.