Multiple D-Link routers have vulnerabilities in their Common Gateway Interface (CGI) that if exploited could result in remote code execution.
The Carnegie Mellon University Software Engineering Institute’s CERT/CC reported the CGI codes have two flaws: The /apply_sec.cgi code is exposed to unauthenticated users and the ping_ipaddr argument of the ping_test action fails to properly handle newline characters.
The result is that any arguments after a newline character sent as ping_ipaddr in a POST to /apply_sec.cgi are executed on the device with root privileges.
“By performing an HTTP POST request to a vulnerable router’s /apply_sec.cgi page, a remote, unauthenticated attacker may be able to execute commands with root privileges on an affected device. This action can happen as the result of viewing a specially-crafted web page,” the report said.
The products affected are the DIR-655, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835 and DIR-825.
There is currently no patch, update or workaround available for these problems. Additionally, D-Link no longer supports the affected routers.