Researcher warns about critical flaw in D-Link routers
Posted on 06 February 2013.
A security flaw in D-Link's DIR-300 and DIR-600 routers could allow remote attackers to inject execute arbitrary shell commands via a simple POST request without being authenticated to the device or by tricking the routers' owners into sending the request themselves, warns security researcher Michael Messner.

The first mode of attack is open to hackers targeting routers via the Internet, while the second can be used when they aren't able to access them directly. In this second case, all they need is to set up a specially crafted webpage that, when the router owners' land on it, makes the request be sent automatically to the router via the local network.

According to the timeline he shared in his blog post, he notified D-Link about the existence of the flaw back in December 2012. The company responded a little less than two weeks ago, claiming that the problem is browser-related and that they are not planning on providing a fix.

Not satisfied with the answer, Messner sent them more details and input about the vulnerability with the hope that they would evaluate its severity again and change their minds about patching it. Having received no response in the meantime, he decided to go public with the discovery.

His findings have been confirmed by the heise Security, and the list of affected devices and firmware versions includes the DIR-300 router (firmware version 2.12 and 2.13) and the DIR-600 router (firmware version 2.12b02, 2.13b01 and 2.14b01).

Since there are no current mitigations for the attacks, they advise decommissioning the affected routers until D-Link offers a fix.









Spotlight

USBdriveby: Compromising computers with a $20 microcontroller

Posted on 19 December 2014.  |  Security researcher Samy Kamkar has devised a fast and easy way to compromise an unlocked computer and open a backdoor on it: a simple and cheap ($20) pre-programmed Teensy microcontroller.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Fri, Dec 19th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //