Second Researcher Drops Router Exploit Code After D-Link Mishandles Bug Reports


Embedi, a hardware security firm, has published details about two vulnerabilities that have yet to be patched in the firmware of D-Link routers. This marks the second incident of this sort in the last five days.

Last Friday, South Korean security researcher Pierre Kim also published details about ten unpatched vulnerabilities in D-Link routers.

The researcher published the details without giving D-Link the chance to fix the flaws. Kim says he took this step after reporting similar issues in D-Link products in February that the company ignored.

Embedi: Interaction with the developer has brought no results

Embedi says it contacted D-Link about the vulnerabilities it found, but its “interaction with the developer […] has brought no results,” although D-Link did fix one of the three vulnerabilities the researchers reported.

After three months during which D-Link has failed to fix the other two flaws, the security firm has now decided to release details about the three vulnerabilities it reported, along with proof-of-concept exploit code for each, including the two flaws that D-Link has yet to fix.

According to Embedi, the reported flaws affect the DIR890L, DIR885L, and DIR895L router models, but the company suspects that other DIR8xx D-Link routers may be affected as well.

The reported flaws are as follows. More in-depth details about each flaw are available on Embedi’s blog.

1) Attackers can retrieve login credentials by sending maliciously crafted HTTP requests to the D-Link router’s built-in web server [exploit code]
2) A stack overflow vulnerability in the HNAP protocol allows attackers to execute code on remote routers and gain root level privileges via an HTTP request [exploit code]
3) Attackers can update the router’s framework [exploit code]

Flaws allow contamination with Mirai malware

It is unclear which of the three reported bugs has been patched. Embedi researchers say all three flaws are extremely dangerous as they expose routers to botnet herders.

To prove their point, researchers say they easily modified the Mirai IoT DDoS malware source code to run on affected routers.

Victor Gevers, a security researcher who searches the Internet for exposed devices and reports flaws to device owners and ISPs, says he identified 98,513 D-Link routers that are exposed online and running affected versions.

Most of the affected routers are located in South Korea (25,000), Singapore (15,600), and Canada (11,600).

Top 10 countries with exposed D-Link routers

“We are contacting ISP again with an update,” Gevers told Bleeping Computer today. “Some of them are really getting fed up with these vulnerabilities made public with weaponized (PoC) code which drastically narrows the window to inform their customers and to take action.”

“I am already receiving confirmations from ISPs that they are investigating [D-Link] devices and warning their users/customers about the known vulnerabilities published last week,” Gevers added. “Now more vulnerabilities are becoming public.”

Bleeping Computer has reached out to D-Link for comment on this second set of unpatched vulnerabilities dumped online yesterday.

In January, the FTC took D-Link to court because the Taiwanese hardware manufacturer failed to take action and secure devices when security flaws were reported.