Rick Ramgattie is a Security Analyst at Independent Security Evaluators, who will help us assess the security of the D-Link DIR-865L router to show how we can chain vulnerabilities in both its web and storage interfaces to get root shell access. This would give an attacker full access to the device thus allowing them to spy on the user's web traffic, redirect the user to phishing sites, or add the router to a botnet.
When you plug in a USB drive the router shares it over an anonymous Samba share, which an attacker can abuse. Since the Samba server follows symbolic links we can then explore the entire file system rather than just the USB drive. The router stores the web interface password in a clear text file, so with Samba we download it. The router's web application has a file inclusion vulnerability, so we can write files where we want. Finally we show with a race condition vuln, we can use the file inclusion vulnerability to overwrite a script with our desired included script and have it execute.
By chaining these vulns together, we can launch a Telnet server, achieving full root access to the device.
To be clear, this vulnerability has been patched, and we're demonstrating it today to demystify how hacking works.
Check out the Motherboard Guide to Not Getting Hacked here.
This is part of How Hacking Works, a series of stories that demystifies the art of security research in hopes of improving digital security across the board.