
Hofbrau (Anon, @rr.com)

Remotely Exploitable Vulnerability In All D-Link Gateways

»www.eeye.com/html/Resear ··· dex.html

Vendor: D-Link
Severity: High (Remote Code Execution)
Date Reported: February 27, 2006
Days Since Initial Report: 109
Description: A vulnerability in D-Link routers allows for code execution and the compromise of the router.
Software Affected: D-Link firmware

D-Link were notified back in February, and nary a word or firmware update has been made available to address this issue.

This vulnerability apparently affects all (or several) gateway models.

It does allow remote code execution, which means complete control over the gateway (and any/all network traffic/data).

Due to eEye's adherence to "responsible disclosure" protocols for security vulnerabilities, specific details are not available, and, therefore, users' and admins' networks/connections are left completely at risk.

That means that aside from replacing (permanently or temporarily) the D-Link gateway, nothing can be knowingly done to prevent exploitation.

Users should be aware that continued usage of any/all D-Link gateway models puts their networks/internet connections at risk of complete compromise, until such time as firmware updates are released that specifically address this critical vulnerability.

Cogitate,
Hofbrau

latinuser_uy (Member, UY, joined 2004-07-15)

I saw this one about the DWL-2100ap (haven't tested it myself):

»www.intruders.com.br/adv ··· 6en.html
»www.securitytracker.com/ ··· 234.html

SecurityTracker Alert ID: 1016234
SecurityTracker URL: »securitytracker.com/id?1016234
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 6 2006
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): D-Link DWL-2100ap; firmware version 2.10na
Description: A vulnerability was reported in the D-Link DWL-2100ap wireless router. A remote user can obtain sensitive information from the target device.

A remote user can directly request files in the '/cgi-bin/' directory with a '.cfg' file extension to obtain the device configuration.

A demonstration exploit URL is provided:

»[target]/cgi-bin/Intruders.cfg

Wendel Guglielmetti Henrique and the Intruders Tiger Team Security discovered this vulnerability.

The original advisory is available at:

»www.intruders.com.br/adv ··· 6en.html
Impact: A remote user can obtain the device configuration, including password information.
Solution: The vendor has reportedly issued a firmware patch, available at:

»www.dlink.com.br/interne ··· 0343.tfp
Vendor URL: www.dlink.com/
Cause: Access control error


DLinkSupprt3 (Member, Fountain Valley, CA, joined 2002-10-02) to Hofbrau

Although there has been no official notification, we have released firmware for a few of the affected router models that fixes this vulnerability. The models with firmware posted on our support site are the DI-604, DI-784, and EBR-2310. For the models that a fix has not yet been released, we are currently in the process of testing firmwares and will be releasing them as soon as they are ready.

michaelr7 (Member, Tucson, AZ, joined 2004-03-26) to Hofbrau

DLinkSupprt3,

Is a list of affected router models available so that users may take precautions until a firmware with the fix is available? If not, the only recourse is to pull all D-Link devices from our/our clients' networks.

jbob "Reach Out and Touch Someone" (Premium Member, Little Rock, AR, joined 2004-04-26) to DLinkSupprt3

said by DLinkSupprt3:

Although there has been no official notification, we have released firmware for a few of the affected router models that fixes this vulnerability. The models with firmware posted on our support site are the DI-604, DI-784, and EBR-2310. For the models that a fix has not yet been released, we are currently in the process of testing firmwares and will be releasing them as soon as they are ready.
I have a DI-784 but the current firmware on the site hasn't changed since v2.40, 3/22/2006. Surely this is not a release for the 784 that fixes the vulnerability. Unless the fixed firmware is at another location on the site...Beta??

joe_dude (Member, Winnipeg, MB, joined 2005-06-17) to Hofbrau

Woah! How did this fly under the radar?!?

So would someone from D-Link please list the affected gateway/routers!!!!!

Looking at the description of the new DI-604 firmware, it's a fix for a DoS attack? I thought it was more serious than that....

funchords "Hello" (MVM, Yarmouth Port, MA, joined 2001-03-11) to Hofbrau

I could not reproduce this on my DI-624 using the steps in »www.intruders.com.br/adv ··· 6en.html ...

The alleged output file format is also very usual for that type of router.

Can anyone?

ozzy_0 (Member, Kingston, ON, joined 2002-12-04) to jbob

I am also at a loss in finding the patched firmware for the DI-784 anywhere on the Dlink site. Please advise where we can obtain it.

Hofbrau (Anon, @rr.com) to joe_dude

"So would someone from D-Link please list the affected gateway/routers!!!!!"

Notice the supposed D-Link tech didn't list the affected gateway models - only the ones (3, with no qualifications for different revisions of the same model such as the 604) with supposedly "patched" firmware updates.

Considering the lack of communication from D-Link preceding this posting, and from D-Link within this thread, you must assume that every current/recent gateway model is vulnerable.

"Looking at the description of the new DI-604 firmware, it's a fix for a DoS attack? I thought it was more serious than that...."

D-Link is minimizing the extent and nature of the remotely exploitable vulnerability that allows for complete system subjugation of every gateway model they produce/produced?

This would be the same flaw that they have yet to officially and publicly acknowledge of their own accord in any significant and specific and detailed manner, right? (That might be considered minimization as well..perhaps?)

They are clearly taking this seriously, what with the way they have considerately allowed their users to continue to use their extremely vulnerable insecure gateway products none-the-wiser, with no workarounds or mitigation steps being provided or offered.

You can see how seriously they are taking this what with the way they offered a patched firmware for Revision E 604s, but not for any of the earlier revisions. Hey, I know, only the E revision of the 604 is affected, you can read the details about it in their security advisory...oops...what advisory? Never mind.

Nothing like issuing a patch for some revisions of some gateway models for a security vulnerability that exists (apparently) in all revisions of all gateway models, without a security advisory to accompany it to explain the details.

Who says they don't care about or take seriously security?

Surprised?

I know I am.

Cogitate,
Hofbrau

Hofbrau (Anon, @rr.com) to funchords

"I could not reproduce this on my DI-624 using the steps in »www.intruders.com.br/adv0206en.html ...

The alleged output file format is also very usual for that type of router.

Can anyone?"

I sure hope no one can, since the vulnerability listed there was pretty specific to the DWL-2100 AP.

I know I can't.

Perhaps because they are two different vulnerabilities, with two different advisories?

Reading works - really.

Perhaps more time should be spent honing up the reading skills rather than apologism and minimization skills, but, that would probably only result in more time spent ambiguously and ignorantly (and amusingly) naysaying the "NAT Traversal" aspect of the UPnP IGD 1.0 specification under the general idea of "UPnP is insecure".

Cogitate,
Hofbrau

Hofbrau (Anon, @rr.com) to ozzy_0

"I am also at a loss in finding the patched firmware for the DI-784 anywhere on the Dlink site. Please advise where we can obtain it."

The D-Link tech may be implying that the 2.40 firmware dated as of 3/22/06 fixes the vulnerability.

»support.dlink.com/produc ··· DI%2D784

It does in fact list as the first item "Fixed DOS issue".

(They meant "DoS issue", though, if they took this seriously at all, they would have typed out "Denial-of-Service Security Issue" to be a little more clear. However, that's a minimization of the actual vulnerability, which is in fact remotely exploitable and allows for complete system takeover, assuming it's the same security issue at all that it's referring to. It's not like they have provided any specific documentation or details about the problem/patch.)

Surely, you didn't expect him to come right out and tell you which firmware version for which model/revision addresses the issue, did you?

I mean, that would be like, useful support, like, and stuff.

If they were like to do like that, you might like get the idea like that they like take this security stuff like seriously dude.

Cogitate,
Hofbrau

latinuser_uy (Member, UY, joined 2004-07-15) to Hofbrau

Hi,
I tested the dwl-2100ap vulnerability, from an unauthenticated browser, tried the url »ip-of-my-dwl2100ap/cgi-b ··· nfig.cfg

I got a config file for download. It contained the wireless key in plain text format, plus the "admin" key in plain text, among other configuration stuff.

Then I tried »ip-of-my-dwl2100ap/cgi-b ··· nada.cfg and toto.cfg : same results.

HW DWL-2100AP
FW 2.00

I'm using the DWL-2100ap in AP mode, WPA-PSK. From the PC I was running the browser from, I had another browser which had an expired session (up from yesterday night) to the DWL-2100ap (the 2100ap would ask me for user/password as soon as I click on any option). I'll try again doing this first thing after rebooting my computer. I guess that's going to be after I come back from the office.

There seems to be a 2.2 fw for the dwl2100ap from some non-us site, has anyone tried that one?

Regards.

joe_dude (Member, Winnipeg, MB, joined 2005-06-17) to Hofbrau

So what happens to other users that have older versions of routers or in different countries?

This could be seriously bad...!

DLinkSupprt3 (Member, Fountain Valley, CA, joined 2002-10-02)

The routers that could be affected by this are:

DI-524
DI-604
DI-624
DI-784
EBR-2310
WBR-1310
WBR-2310

We have released firmware for the following models:

DI-604 - 3.52
DI-784 - 2.40
EBR-2310 - 1.04

Firmware for the other models is currently being tested. We're not trying to make light of the subject, but the problem found has to do with UPnP, which is a LAN side protocol, so the routers will not be susceptible to WAN side attacks because of it.
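Two exposure patterns come up in this thread: the unauthenticated `/cgi-bin/*.cfg` configuration download described in the SecurityTracker alert latinuser_uy quoted (where the filename does not matter), and the UPnP problem that DLinkSupprt3 says is LAN-side only. The script below is an added example, not code from the thread, eEye, SecurityTracker or D-Link. It runs detection logic over a few constructed log lines in a hypothetical gateway web-log and firewall-log format and flags two things: any unauthenticated 200 response for a `.cfg` file under `/cgi-bin/`, and any SSDP (UDP/1900) packet accepted from an address outside the LAN, which is exactly what should never appear if the UPnP flaw really is unreachable from the WAN. The LAN range, log format, addresses and rule names are all assumptions made for the example.

```python
"""Detection pass over constructed gateway and firewall log lines.

Added example for the D-Link thread; the log format, addresses and LAN range
are hypothetical and built for this script only.
"""
import ipaddress
import re

# Assumption: the protected LAN is this single RFC 1918 network. Anything else
# is treated as WAN side. Python's ip.is_private is deliberately not used here
# because it also classifies the documentation ranges (203.0.113.0/24 etc.)
# used in the sample data as "private".
LAN_NETWORKS = [ipaddress.ip_network("192.168.0.0/24")]

# Any filename under /cgi-bin/ ending in .cfg: the advisory shows that
# Intruders.cfg, nada.cfg and toto.cfg all returned the configuration.
CFG_PATH = re.compile(r"^/cgi-bin/[^/]+\.cfg$", re.IGNORECASE)

# Hypothetical web-log record: ts web src= auth= METHOD path status size
WEB_RE = re.compile(
    r"^(?P<ts>\S+) web src=(?P<src>\S+) auth=(?P<auth>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<size>\d+)$"
)
# Hypothetical firewall record: ts fw proto= src= dst= dport= action=
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
2006-06-07T10:01:02 web src=192.168.0.23 auth=- GET /cgi-bin/Intruders.cfg 200 3120
2006-06-07T10:01:09 web src=192.168.0.23 auth=- GET /cgi-bin/nada.cfg 200 3120
2006-06-07T10:02:11 web src=192.168.0.5 auth=admin GET /cgi-bin/status.cgi 200 804
2006-06-07T10:03:40 web src=203.0.113.7 auth=- GET /cgi-bin/config.cfg 200 3120
2006-06-07T10:04:00 web src=192.168.0.5 auth=- GET /index.html 200 1200
2006-06-07T10:05:15 fw proto=udp src=203.0.113.9 dst=198.51.100.20 dport=1900 action=accept
2006-06-07T10:05:16 fw proto=udp src=192.168.0.50 dst=239.255.255.250 dport=1900 action=accept
2006-06-07T10:06:00 fw proto=tcp src=203.0.113.9 dst=198.51.100.20 dport=80 action=accept
"""


def is_lan(addr):
    """True when addr falls inside one of the configured LAN networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETWORKS)


def classify(line):
    """Return a finding dict for a suspicious line, or None for a benign one."""
    m = WEB_RE.match(line)
    if m:
        f = m.groupdict()
        path = f["path"].split("?", 1)[0]  # ignore any query string
        if f["auth"] == "-" and f["status"] == "200" and CFG_PATH.match(path):
            return {
                "ts": f["ts"], "src": f["src"],
                "rule": "unauthenticated-config-download",
                "scope": "lan" if is_lan(f["src"]) else "wan",
                "detail": path,
            }
        return None
    m = FW_RE.match(line)
    if m:
        f = m.groupdict()
        # SSDP is LAN multicast; an accepted unicast from outside the LAN means
        # the UPnP surface is reachable from the WAN after all.
        if (f["proto"] == "udp" and f["dport"] == "1900"
                and f["action"] == "accept" and not is_lan(f["src"])):
            return {
                "ts": f["ts"], "src": f["src"],
                "rule": "ssdp-accepted-from-wan",
                "scope": "wan",
                "detail": f"udp/{f['dport']} to {f['dst']}",
            }
    return None


def find_exposures(log_text):
    """Run classify() over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        hit = classify(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG):
        print(f"{f['ts']} {f['rule']:32} src={f['src']:15} scope={f['scope']} {f['detail']}")
```

On the sample data this reports four findings: the two LAN-side config downloads (which match what latinuser_uy saw from an unauthenticated browser on the LAN), one from a WAN address, and one SSDP packet accepted from the WAN; the authenticated `status.cgi` request, the plain `index.html` fetch and the normal LAN multicast SSDP traffic are left alone. Set LAN_NETWORKS to your own ranges before running it against real logs.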

Anonymous_ "Anonymous" (Premium Member, 127.0.0.1, joined 2004-06-21) to Hofbrau

Um, glad to have my Linksys.

joe_dude (Member, Winnipeg, MB, joined 2005-06-17) to Hofbrau

Linksys? Not!

Foxbat121 (Member, Ashburn, VA, joined 2001-04-25) to Hofbrau

Glad to see good old Hofbrau hasn't changed a bit.

joe_dude (Member, Winnipeg, MB, joined 2005-06-17) to DLinkSupprt3

DLinkSupprt3, thanks for the update.

IMHO, unlike regular users, I think it helps to let us know what's going on, so we all don't switch to another brand tomorrow.

JTS33 (Member, USA, joined 2003-05-03) to DLinkSupprt3

said by DLinkSupprt3:

the problem found has to do with UPnP
Ironically, disabling UPnP in the router control panel is what causes many DI-624 Rev. C3 to randomly reboot.

funchords "Hello" (MVM, Yarmouth Port, MA, joined 2001-03-11) to DLinkSupprt3

said by DLinkSupprt3:

The routers that could be affected by this are:

DI-524
DI-604
DI-624
DI-784
EBR-2310
WBR-1310
WBR-2310

We have released firmware for the following models:

DI-604 - 3.52
DI-784 - 2.40
EBR-2310 - 1.04

Firmware for the other models is currently being tested. We're not trying to make light of the subject, but the problem found has to do with UPnP, which is a LAN side protocol, so the routers will not be susceptible to WAN side attacks because of it.
I'm sorry, but this is making no sense to me at all.

First, D-Link does not list the 2100ap above.

Second, the exploit mentioned seems to have nothing to do with UPnP.

I'm perfectly willing to end up with egg on my face -- but is D-Link sure that we're talking about the same vulnerability?

-- Robb the Very Confused

JimF (Premium Member, Allentown, PA, joined 2003-06-15)

It looks like the eEye report, and the reply from DLinkSupprt3 refers to "routers". The post from latinuser_uy refers to the DWL-2100ap, which is of course an access point, though it seems to be loosely referred to as a router also in some of the security reports. So there may be two different vulnerabilities. At any rate, they don't list the DI-634M as being affected, and you can turn off UPnP on that without a problem. So I am hoping that the fix will allow UPnP to be turned off on the DI-524 as well. We can always hope.

524DJunk (Anon, @rr.com)

Quote Dlink Support:

"The routers that could be affected by this are:

DI-524
DI-604
DI-624
DI-784
EBR-2310
WBR-1310
WBR-2310

We have released firmware for the following models:

DI-604 - 3.52
DI-784 - 2.40
EBR-2310 - 1.04

Firmware for the other models is currently being tested. We're not trying to make light of the subject, but the problem found has to do with UPnP, which is a LAN side protocol, so the routers will not be susceptible to WAN side attacks because of it."

Does this mean there is a possibility that Dlink will update the DI524 Rev D firmware? It is utter garbage; your own tech told me so.

braynes (Premium Member, Waterville, ME, joined 2005-03-14) to DLinkSupprt3

When you say DI-604s, does that include the DI-LB604?
Thank you
Bruce

funchords "Hello" (MVM, Yarmouth Port, MA, joined 2001-03-11)

Off topic --- question

said by braynes:

When you say DI-604s, does that include the DI-LB604?
Thank you
Bruce
What is this and where did you obtain it?

braynes (Premium Member, Waterville, ME, joined 2005-03-14)

It is a dual-WAN router and I obtained it from Amazon. It works very well.
Bruce

funchords "Hello" (MVM, Yarmouth Port, MA, joined 2001-03-11)

said by braynes:

It is a dual-WAN router and I obtained it from Amazon. It works very well.
Bruce
Thanks! That's a new model# to me.

CdTriX (Member, Oakville, ON, joined 2005-04-25)

Yeah, there's a lot of models that aren't sold in the typical "Best Buy" and "Circuit City" main stores... most are special order or even only available through the D-Link shop.. Someone called about the DSM-520RD... which is the HD version of the DSM-320.. we weren't even briefed on it and someone already called in... DI-624S, and a whole bunch of stuff.... DSM-600 (the network storage device), none of these were released to the retail stores yet people have them... but that's D-Stink for you =)

And trust me.. if there is a vulnerability and you guys on dslreports know about it.. D-Link is just finding out about it now after reading the forums... I don't think we even get emails about this stuff... same thing goes for the DSM600.. where you needed level 3 for the firmware... level 1 and 2 would be... what firmware? and will deny you the transfer to level 3 for that firmware. They don't tell techs anything....

anyways...

funchords "Hello" (MVM, Yarmouth Port, MA, joined 2001-03-11)

D-Link Support (the corporate guys, not the Level-X techs) seems to have the attitude that ... "hey, it's a low-dollar item, what kind of support do they expect for free."

What they fail to realize is that great support begets brand loyalty in spades. Likewise, bad support creates brand avoidance.

Personally, I'm glad the good Techs read this board. This has to be one of the best resources covering the very products they support.

CdTriX (Member, Oakville, ON, joined 2005-04-25)

BTW I'm no longer with D-Link =) woo hoo =)

Yeah.. I've seen a few techs browse the DSLreports website and this forum actually... it's a lot more informative when someone smart actually calls...

I was one of the good techs... I always solved cases.. and I knew what I was doing...

I got a lot of.. thank god you speak English.. wow someone that knows what's going on.. stuff like that...

Trust me... once you've done the training.. you hit a brick wall.. on D-Link products.. you come here when you want specific info.. people that actually do the testing and are accessible by everyone... and we don't get info on new stuff.

Back before we could send links to people... I used to remember a specific fix for a specific issue and send the customer to the link.

But you guys don't need my help... I'm level 1 and 2 support and most of you guys are beyond that... I just help the Joe Schmoes that can't set up their stuff

JimF (Premium Member, Allentown, PA, joined 2003-06-15) to Hofbrau

What I find curious is that a lot of the problems continue from one generation of hardware to the next. The UPnP stability issue is one well-known example. They obviously reuse as much of the code as possible. There is nothing wrong with that when it works. But they are only generating more support calls for themselves when the same problems reoccur time after time.