D-Link Home Routers Open to Remote Takeover Will Remain Unpatched

D-Link won't patch a critical unauthenticated command-injection vulnerability in its routers that could allow an attacker to remotely take over the devices and execute code.

The vulnerability exists in the latest firmware for the DIR-655, DIR-866L, DIR-652 and DHP-1565 products, which are Wi-Fi routers for the home market.

Cgi function - it extracts the value of "Current user" and "User username" from the Non-Volatile Random Access Memory, which is a type of RAM that retains data after a device's power is turned off.

"The current user value in NVRAM will be set only after a successful user login, so by default its value is not initialized," Fortinet researcher Thanh Nguyen Nguyen explained in a recent write-up.

"The value of acStack160 is the result of base64encode(user username), and by default the user username is set to 'user,' so there is no way the iVar2 can return a value of 0, so it won't return to the error.asp page."

D-Link is no stranger to vulnerabilities; in September, researchers discovered vulnerabilities in D-Link routers that can leak passwords for the devices, and which have the potential to affect every user on networks that use them for access.

In May, a researcher found attackers using the Google Cloud Platform to carry out three separate waves of DNS hijacking attacks against vulnerable D-Link and other consumer routers.

No Replies Yet