Today, the majority of the world is working from home due to the current pandemic. The un-interrupted work culture is proving the technical capabilities of the present generation. But, at the same time, this situation is also questioning the safety of our home networks in terms of safeguarding sensitive and confidential information.

Our recent studies also revealed that attackers are mainly targeting home or small office routers in the current scenario.

So, in order to alert the work from home community during this pandemic, Loginsoft Research Team has disclosed the vulnerabilities which were found earlier to bring awareness about the malicious attacks.

In this regard, we have found that the D-Link Wireless Routers are prone to the following vulnerabilities, which can result in high risk.

  • CVE-2020-15893: Command Injection in Universal Plug and Play (UPnP) service on D-Link – DIR-816L
  • CVE-2020-15892: Classic Stack Based Buffer Overflow on D-Link – DAP 1520
  • CVE-2020-15896: Authentication Bypass on D-Link – DAP-1522
  • CVE-2020-15894: Sensitive Information Disclosure on D-Link – DIR-816L
  • CVE-2020-15895: Cross-Site Scripting on D-Link – DIR-816L

These vulnerabilities pave the ways for attackers to cleverly procure the required sensitive information and perform unauthorized actions.

CVE-2020-15893: Command injection in Universal Plug and Play (UPnP) service on D-Link – DIR-816L

This vulnerability helps the attacker connected to the network to send a request to the UPnP port.

By writing a simple python script, a crafted packet can be sent to the specific Universal Plug and Play (UPnP) port. UPnP is always enabled by default in DIR-816L, on the port 1900. This, in turn, executes the supplied command as a part of the crafted request. 

Here, an attacker can perform command injection by injecting the payload into the `Search Target` (ST) field of the SSDP M-SEARCH discover packet. 

Find more about this vulnerability here

CVE-2020-15892: Classic Stack Based Buffer Overflow on D-Link – DAP 1520

A classic stack-based buffer overflow exists in D-Link DAP 1520 access point, in the `SSI` binary, leading to an arbitrary command execution.  

Whenever a user performs a login action from the web interface, the requested values are forwarded to the `SSI` binary. On the login page, the web interface restricts the password input field to a fixed length of 15 characters.  

As this validation is being done on the client-side, it can be bypassed when an attacker manages to intercept the login request (POST based) & tampers the vulnerable parameter (`log_pass`), to a larger length, the request will be forwarded to the webserver. The same weakness can be taken as an advantage to carry out a stack-based overflow. 

Few other POST Variables, being transferred as part of the login request are also vulnerable, which are `html_response_page` & `log_user`.  

Payload:  ‘a’* 256

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 

Request:

URL – http://192.168.0.1/apply.cgi

POST Data
html_response_page=post_result.xml&login_name=YWRtaW4%3D&html_response_message=just_login&log_pass=$Payload&login_n=admin&action=do_graph_auth&tkn=1748304150&tmp_log_pass=ss&tmp_log_pass_auth=&graph_code=&session_id=4372&gcode_base64=

In a regular scenario, an attacker can be anyone connected to the network and able to access the router login page. He can inject the payload into the vulnerable fields from the web interface & perform command execution.  

This attack can also be carried out remotely, by enticing the victim to visit a crafted URL, triggering the request along with the injected payload via CSRF attack.

Find more about this vulnerability here

CVE-2020-15896: Authentication Bypass on D-Link – DAP-1522

Authentication bypass vulnerability exists in D-Link DAP 1522 access point, allowing an attacker to gain unauthorized access to the web interface. There are a few pages, which are directly accessible by any unauthorized user like logout.php, login.php, etc. The same is accomplished by checking the value of NO_NEED_AUTH. If the value of `NO_NEED_AUTH` is 1, the user is directly authenticated to the web page without any authentication. 

Unfortunately, the same is applicable for other protected pages too. By appending a query string `NO_NEED_AUTH` with the value of 1 to any protected URL, an unauthorized user can access the application directly. Here, an attacker is the person who is connected to the network and able to access the router login page.

The above-mentioned payload needs to be appended to any protected web page to gain unauthorized access to the interface, affecting all the elements of via triad.

Find more about this vulnerability here

CVE-2020-15894: Sensitive Information Disclosure on D-Link – DIR-816L

There exists an exposed administration function in getcfg.php, allowing an attacker to gain unauthorized access to sensitive information, which can be further used to call various services. 

The same function is utilized by an attacker to retrieve the sensitive information such as admin login credentials, by setting the value of `_POST_SERVICES` in the query string parameter to `DEVICE.ACCOUNT`.

  • By setting the value in the query string `_POSTSERVICES%3DDEVICE.ACCOUNT`

Find more about this vulnerability here

CVE-2020-15895: Cross-Site Scripting on D-Link – DIR-816L

A Reflected Cross-Site Scripting vulnerability exists in DIR-816L, due to an unescaped `RESULT` value being printed on the web page. 

In filewebinc/js/info.php, there exists no output filtration applied to the `RESULT` parameter, before it is printed on the web page. So, an attacker can be remote or local, connected to the network & needs to entice the victim to visit a crafted link, which in turn will send the victim’s current cookie to the attacker’s server. 

  • By setting the value of RESULT `RESULT=”,msgArray);alert(document.cookie);//`

The attacker can fully exploit this vulnerability by residing on the local network to hijack the victim’s session.

Find more about this vulnerability here…

Recommendations

Conclusion

D-Link is a renowned router which is widely used; hence it is very important to watch out the vulnerable areas and patch them as soon as possible for a secure home working environment.

Logisoft’s Research Team always focuses on increasing the security standards of widely used open-source software and firmware by intense Vulnerability Research, Firmware Analysis, Malware Detection, and Threat Analysis. Our dedicated security team makes sure to adhere to the industry best practices and assures the customers, vendors and global clients in terms of cyber safety and security. 

Stay Safe, Stay Secure,
Loginsoft Research Team