A security flaw in D-Link’s DIR-300 and DIR-600 routers could allow remote attackers to inject execute arbitrary shell commands via a simple POST request without being authenticated to the device or by tricking the routers’ owners into sending the request themselves, warns security researcher Michael Messner.
The first mode of attack is open to hackers targeting routers via the Internet, while the second can be used when they aren’t able to access them directly. In this second case, all they need is to set up a specially crafted webpage that, when the router owners’ land on it, makes the request be sent automatically to the router via the local network.
According to the timeline he shared in his blog post, he notified D-Link about the existence of the flaw back in December 2012. The company responded a little less than two weeks ago, claiming that the problem is browser-related and that they are not planning on providing a fix.
Not satisfied with the answer, Messner sent them more details and input about the vulnerability with the hope that they would evaluate its severity again and change their minds about patching it. Having received no response in the meantime, he decided to go public with the discovery.
His findings have been confirmed by the heise Security, and the list of affected devices and firmware versions includes the DIR-300 router (firmware version 2.12 and 2.13) and the DIR-600 router (firmware version 2.12b02, 2.13b01 and 2.14b01).
Since there are no current mitigations for the attacks, they advise decommissioning the affected routers until D-Link offers a fix.