D-Link won’t patch a critical, unauthenticated command injection vulnerability in several of its routers that allows remote attackers to take full control of the devices. The flaw exists in the newest firmware for the DIR-655, DIR-866L, DIR-652 and DHP-1565, all home routers. D-Link stated that all four models are end-of-life and are no longer sold or supported, although they are still available as new from third-party sellers.
The root cause is a missing sanity check on commands that are passed to the firmware's native command-execution function, a common pitfall among firmware vendors according to Fortinet, which discovered the issue. The bug begins in the login handler of the router's admin page, reached via the URI /apply_sec.cgi. The handler extracts the values of current_user and user_username from NVRAM (non-volatile RAM, which retains its contents after the device is powered off) and compares current_user with a local variable, acStack160, which holds the base64 encoding of user_username.

current_user is written to NVRAM only after a successful login, so by default it is not initialized, while user_username defaults to user. The result of the comparison (iVar2 in Fortinet's decompilation) therefore can never be 0, the request is never redirected to error.asp, and the login check is effectively bypassed. As a result, an unauthenticated attacker can invoke any action in the SSC_SEC_OBJS array under the /apply_sec.cgi path.
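To make the fail-open behaviour concrete, the following is an added C example, not code from this article or from D-Link's firmware. It models the gate as described above and places a fail-closed variant beside it. The base64 helper, the function names vulnerable_login_gate and hardened_login_gate, the representation of an unset NVRAM variable as NULL or an empty string, and the positive-match logic of the hardened variant are all assumptions of this example; the names acStack160 and iVar2 are kept from the decompilation referred to above, and the rule that equality sends the request to error.asp is taken from the description as given.

```c
#include <stdio.h>
#include <string.h>

/* Constructed base64 encoder; stands in for the firmware's base64encode. */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

static int base64_encode(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in), i, o = 0;
    if (outlen < ((n + 2) / 3) * 4 + 1)
        return -1;                       /* refuse rather than overflow */
    for (i = 0; i < n; i += 3) {
        unsigned v = (unsigned char)in[i] << 16;
        if (i + 1 < n) v |= (unsigned char)in[i + 1] << 8;
        if (i + 2 < n) v |= (unsigned char)in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return 0;
}

/* Model of the vulnerable gate in /apply_sec.cgi as the text describes it.
 * current_user and user_username are the two NVRAM values; an unset NVRAM
 * variable is represented here as NULL or "" (assumption of this example).
 * Returns 1 when the request proceeds to the SSC_SEC_OBJS handlers and 0
 * when it is redirected to error.asp. */
int vulnerable_login_gate(const char *current_user, const char *user_username)
{
    char acStack160[160];
    int iVar2;

    if (current_user == NULL)
        current_user = "";
    if (base64_encode(user_username, acStack160, sizeof acStack160) != 0)
        return 0;

    iVar2 = strcmp(current_user, acStack160);
    if (iVar2 == 0)
        return 0;     /* the only rejection path: error.asp */
    return 1;         /* reached for every request before anyone logs in */
}

/* Fail-closed variant (illustrative, not D-Link's fix). An absent
 * current_user is evidence that nobody has logged in and is rejected
 * outright; the request is allowed only when the session user positively
 * matches the configured account in the encoding the firmware uses. */
int hardened_login_gate(const char *current_user, const char *user_username)
{
    char expected[160];

    if (current_user == NULL || current_user[0] == '\0')
        return 0;
    if (base64_encode(user_username, expected, sizeof expected) != 0)
        return 0;
    return strcmp(current_user, expected) == 0;
}

int main(void)
{
    /* Factory state: current_user never written, user_username = "user". */
    printf("vulnerable gate, factory state: %s\n",
           vulnerable_login_gate("", "user") ? "ALLOWED" : "rejected");
    printf("hardened gate,   factory state: %s\n",
           hardened_login_gate("", "user") ? "ALLOWED" : "rejected");
    printf("hardened gate,   after login:   %s\n",
           hardened_login_gate("dXNlcg==", "user") ? "ALLOWED" : "rejected");
    return 0;
}
```

Build with `cc -o gate gate.c && ./gate`. The point the two functions make together is that the vulnerable gate's only rejection condition depends on a value that is never set before login, so every pre-login request passes; the hardened gate treats the absence of that value as the reason to refuse.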
Since there is no patch, affected routers should be replaced as soon as possible; until they are, the admin interface should at least not be reachable from the WAN, which limits the bug to attackers already on the local network. In September, researchers discovered vulnerabilities in D-Link routers that can leak the devices' passwords and that have the potential to affect every user on the network. In May, a researcher found attackers using the Google Cloud Platform to carry out three separate waves of DNS hijacking attacks against vulnerable D-Link and other consumer routers.