Security expert Michael Messner has identified several holes in D-Link's DIR-300 and DIR-600 routers that allow potential attackers to execute arbitrary commands with little effort. Although current firmware versions are also affected, the router manufacturer does not appear to be planning to close the hole.

Messner describes on his blog how a simple POST parameter allows Linux commands to be executed at root level on vulnerable routers. No password or other authentication is required to do so. In a short test, The H's associates at heise Security found that many of the devices can even be accessed from the internet and managed to inject a harmless command into such a router. A real attacker could randomly exploit systems, for example to divert a router's entire internet traffic to a third-party server.

Even if a router is not directly accessible via the internet, the hole poses a significant security risk: an attacker could use a specially crafted page to trick router owners into sending the script call to their routers through their local network (Cross-Site Request Forgery, CSRF). Messner said that he also discovered further security issues: among other things, the router saves the root password in plain text in the var/passwd file. Together with the previously described hole, this turns the task of extracting the root password into child's play – not that it is necessary, as potential attackers can already execute commands at root level anyway.

The security expert says that he informed D-Link of his discoveries in mid-December 2012. However, it appears that the manufacturer misjudged the scope of the vulnerability – apparently, D-Link said that the issue is browser-related, and that the company doesn't plan to release a firmware update to fix it. Messner writes that he sent further details to D-Link to emphasise the seriousness of the situation, but never received a reply. A clarification request by heise Security has so far also remained unanswered by D-Link.

Messner was able to reproduce the holes in the following firmware versions:

DIR-300:

Version 2.12, released 18 January 2012

Version 2.13, released 7 November 2012 (current version)

DIR-600:

Version 2.12b02, released 17 January 2012

Version 2.13b01, released 07 November 2012

Version 2.14b01, released 22 January 2013 (current version)

As there is virtually no way of preventing an attack at present, the most sensible solution is to decommission the affected routers – and hope that D-Link will provide security updates one day.

A port scan can be used to confirm whether a router is accessible from the internet. If it is not accessible, there is no immediate danger, but the risk that commands could be injected via CSRF remains. This can also be tested by calling

http://<router IP>/command.php

in a fresh browser session. If neither an error message nor a request to enter a password is displayed, there is a high risk that the system is, in fact, vulnerable. Users of Linux systems can also check this directly by entering a command such as

curl --data "cmd=ls" http://<router IP>/command.php

On some devices, the admin front-end runs on port 8080; in this case, something like 192.169.0.1:8080 must be entered as the router IP.

(fab)