In August 2017, FortiGuard Labs discovered a pre-authenticated remote code execution vulnerability in the D-Link DIR868L router. This vulnerability is specific to a local ISP’s customized firmware.
This vulnerability, designated as FG-VD-17-214, is an unauthenticated buffer overflow that occurs when the affected router parses authentication requests. This vulnerability is rated as “Critical” because it can be exploited without user interaction, meaning it could easily be weaponized by cybercriminals. Upon successful exploitation, an attacker could then run arbitrary code under the privilege of a web service.
The router's CGIBIN handles authentication at the URI /authentication.cgi and does not properly sanitize the input it receives there. As a result, a maliciously crafted HTTP request can cause a buffer overflow and lead to remote code execution.
Affected models: DIR868L
Affected firmware: v1.09SHC
Fixed firmware: v1.21SHCb03
Due to the severity and ease of exploitation of this vulnerability, FortiGuard Labs has followed a responsible disclosure protocol, which includes only releasing a partial disclosure as a warning for our customers, but which does not include code samples or a detailed description of the exploit.
We have recently observed that more than one hundred devices reachable via the internet are still using the old firmware, and are affected by this vulnerability. If you own any of the affected models, please go to http://www.dlink.com.sg/dir-868l/#firmware to update your device to the latest version as soon as possible.
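One way to triage a device inventory against the affected and fixed firmware versions listed above. This is an added example, not code from FortiGuard Labs or D-Link. The inventory rows are constructed, and two rules are assumptions: firmware strings without the "SHC" tag are sent to manual review, and SHC builds older than the fix but not named in the advisory are flagged for update.

```python
import re
from typing import NamedTuple, Optional

AFFECTED_MODEL = "DIR868L"   # from the advisory
AFFECTED_FW = "v1.09SHC"     # from the advisory
FIXED_FW = "v1.21SHCb03"     # from the advisory

class Firmware(NamedTuple):
    major: int
    minor: int
    tag: str      # e.g. "SHC"
    build: int    # number after "b", 0 when absent

_FW_RE = re.compile(r"^v?(\d+)\.(\d+)([A-Z]*)(?:b(\d+))?$")

def parse_fw(text: str) -> Optional[Firmware]:
    """Parse strings shaped like 'v1.21SHCb03'; return None if the shape differs."""
    m = _FW_RE.match(text.strip())
    if not m:
        return None
    return Firmware(int(m[1]), int(m[2]), m[3], int(m[4] or 0))

def _key(fw: Firmware):
    return (fw.major, fw.minor, fw.build)

def classify(model: str, firmware: str) -> str:
    """Return one of: not-listed, check-manually, fixed, affected, older-than-fix."""
    if model.replace("-", "").strip().upper() != AFFECTED_MODEL:
        return "not-listed"
    fw = parse_fw(firmware)
    # Assumption: only SHC-tagged strings are comparable to the advisory's versions.
    if fw is None or fw.tag != "SHC":
        return "check-manually"
    if _key(fw) >= _key(parse_fw(FIXED_FW)):
        return "fixed"
    if _key(fw) == _key(parse_fw(AFFECTED_FW)):
        return "affected"
    # Assumption: below the fixed build but not named in the advisory.
    return "older-than-fix"

# Constructed inventory rows (hostname, model, firmware), for illustration only.
INVENTORY = [
    ("rtr-lobby", "DIR-868L", "v1.09SHC"),
    ("rtr-lab", "DIR868L", "1.21SHCb03"),
    ("rtr-annex", "DIR868L", "v1.21SHCb01"),
    ("rtr-store", "DIR-868L", "v1.10"),
]

def audit(inventory):
    return [(host, classify(model, fw)) for host, model, fw in inventory]

if __name__ == "__main__":
    for host, status in audit(INVENTORY):
        print(f"{host}: {status}")
```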
When this vulnerability was initially discovered, Fortinet immediately released IPS signature Dlink.DIR800.URI.Buffer.Overflow to proactively protect our customers.
We would like to thank the D-Link SG Team, IMDA-ISG-CERT, SingCERT, and Cyber Security Agency for their cooperation in fixing this vulnerability.
-= FortiGuard Lion Team =-