Support Announcements
DIR-100 Rev D1 /DIR-300 Rev Ax / DIR-320 Rev Ax / DIR-615 Rev D3 - Multiple Vulnerabilities - CVE-2013-7051 / 7052 / 7053 / 7054 / 7055 - Command Injection, CSRF, XSS, Information Disclosure

Overview

 

The DIR-615 Rev. D3 / DIR-300 Rev. A using f/w 1.05 and older ontains multiple vulnerabilities that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. CSRF attacks allow an malicous user to forge HTML forms and execute actions in an authorized (logged in) browser session. This vulnerability allows anyone with access to the Web interface to view and edit administrative router settings. Further, even if remote administration is disabled on the router, a remote attack can still exploit via a cross site request forgery attack.

 

Region

 

These products were sold outside North America.

 

References

 

Michael Messner - http://www.s3cur1ty.de/ - Disclosure - Link

Craig Heffner - Disclosure - Link - Detailed PDF

Karol Celin - Disclosure - Link

Felix Richter - Disclosures

     - http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt

     - https://www.securityfocus.com/bid/65290

     - https://exchange.xforce.ibmcloud.com/vulnerabilities/90904

     - https://www.exploit-db.com/exploits/31425

     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7051

     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7052

     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7053

     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7054

     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7055


Immediate Recommendations for all D-Link device customers

 

  • If you receive unsolicited e-mails that relates to security vulnerabilities and prompt you to action, please ignore it. When you click on links in such e-mails, it could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages where you are asked to click or install something.
  • Make sure that your wireless network is secure.
  • Do not provide your admin password to anyone. If required we suggest updating the password frequently.

 

Description

 

We encourge you to read the author orginal text to avoid misinterpretation and duplicating their work:

 

 

The authors describe the vulnerabilities different and their conclusions are independent of one another.  Our conclusion is that the cause of these issues are similar and have group our disclosure accordingly.

 

Authentication Bypass 

 

A misconfiguration in the PHP web-configuration pages allows pages to be accessed with out user credentials.

 

CSRF Vulnerabilities

 

The web-configuration pages are suseptible to CSRF vulnerabilites that would allow access and changing  device's user credentials.

 

OS Command Injection Vulnerability

 

Some fields in the web-configuration pages lack validation to protect form invalid or malicious code being enter.  As a result, configuration information can be changed and access to the devices

operating system  for further exploitation can be executed

 

Insecure Storage of Device's User Access Credentials

 

Storage of device's user credentials are stored in plain-text with in the devices local storage system.

 

XSS Vulnerabilites

 

Some scripts that perform services and control configuration information are susceptible to input (malicious scripts or otherwise) due to lack of proper validation.

 

HTTP Header Injection Vulnerability

 

The device was found to respond to script injected into the common HTTP parameters of the header due to lack of validation on the incomming requests by the user.
 

Affected Products

 

Model Name

HW Version

Current FW Version

New FW Version for this exploit fix

DIR-615

D3

V4.13 and lower

DIR-100 D1 V4.02 and lower

(Must select correct revision)

DIR-300 Ax V1.05 and lower
DIR-320 Ax V1.05 and lower

 

Security patches for your D-Link Product

 

These firmware updates address the security vulnerabilities in affected D-Link products. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

 

As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.