Several vulnerabilities in the DIR-600 and DIR-300 routers of network solutions company D-Link may allow hackers to redirect Internet traffic and compromise usersâ€™ devices, according to German security researcher Michael Messner. The holes are supported by the lack of password hashing and root passwords being saved in plain text.
The Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to easily change a password through malicious software, as there is no request for the password. The OS Command Injection vulnerability allows hackers to compromise usersâ€™ devices.
â€œThe vulnerability is caused by missing access restrictions and missing input validation in the cmd parameter and can be exploited to inject and execute arbitrary shell commands,â€ Messner said in a blog post. â€œIt is possible to start a telnetd to compromise the device.â€
The H-Online also ran tests and discovered many of the devices can even be accessed from the Internet and managed to inject a harmless command into such a router. â€œA real attacker could randomly exploit systems, for example to divert a router’s entire internet traffic to a third-party server.â€
According to Messner, D-Link said the issues are browser-related and they will not provide a fix. The security expert informed the company in December of last year.