- Jul 22, 2014
- 2,525
Plain text password storage? Check. Directory traversal? Check. SOHOpeless? Check
Eight D-Link router variants are vulnerable to complete pwnage via a combination of security screwups, and only two are going to get patched.
Błażej Adamczyk of the Silesian University of Technology in Poland posted this month to Full Disclosure that he discovered the bugs in May of this year and notified D-Link. Despite insisting patches would be released four months ago from now, D-Link hasn't addressed the issue, so Adamczyk has gone public with the security holes.
For some of the affected devices, he wrote, there won't be patches. The vulnerable units are all in D-Link's DWR range: the DWR-116, DWR-140, DWR-512, DWR-640, DWR-712, DWR-912, DWR-921, and DWR-111. Most of these, Adamczyk claimed, will be left unpatched because D-Link told him they're end-of-life; only the DWR-116 and 111 would be fixed.
So far, in a complaint that all-too-often follows disclosures of vulnerabilities in home and SOHO-grade kit, fixes for even those two model have yet to land.
As demonstrated in the video below, the full compromise arises from a cascade of several vulnerabilities. They require access to the device's web-based settings panel, either on the local network or from the internet, depending on the configuration.
.....
Eight D-Link router variants are vulnerable to complete pwnage via a combination of security screwups, and only two are going to get patched.
Błażej Adamczyk of the Silesian University of Technology in Poland posted this month to Full Disclosure that he discovered the bugs in May of this year and notified D-Link. Despite insisting patches would be released four months ago from now, D-Link hasn't addressed the issue, so Adamczyk has gone public with the security holes.
For some of the affected devices, he wrote, there won't be patches. The vulnerable units are all in D-Link's DWR range: the DWR-116, DWR-140, DWR-512, DWR-640, DWR-712, DWR-912, DWR-921, and DWR-111. Most of these, Adamczyk claimed, will be left unpatched because D-Link told him they're end-of-life; only the DWR-116 and 111 would be fixed.
So far, in a complaint that all-too-often follows disclosures of vulnerabilities in home and SOHO-grade kit, fixes for even those two model have yet to land.
As demonstrated in the video below, the full compromise arises from a cascade of several vulnerabilities. They require access to the device's web-based settings panel, either on the local network or from the internet, depending on the configuration.
.....
