D-Link Vulnerability Exploited in the Wild

The D-Link DIR-859 routers have reached their end-of-life (EoL) and no longer receive security updates. Despite this, D-Link released a security advisory detailing the flaw in the “fatlady.php” file, which affects all firmware versions of the device. This path traversal vulnerability enables attackers to leak session data, escalate privileges, and ultimately gain full control over the router via the admin panel. 

The specific vulnerability allows for unauthorized access to sensitive configuration files by manipulating URL paths to traverse directories and access files outside the intended directory. This can lead to information disclosure, including leaking user credentials and other critical configuration data. 

Exploitation in the wild 

Security researchers at GreyNoise have observed active exploitation of this vulnerability. Hackers are targeting the "DEVICE.ACCOUNT.xml" file to extract account names, passwords, user groups, and other user-related information present on the device. The exploitation involves sending malicious POST requests to the “/hedwig.cgi” endpoint, leveraging the vulnerability in the "fatlady.php" file to access sensitive configuration files via the “getcfg” command. 

GreyNoise noted that while the exact motivation of the attackers remains unclear, the primary goal appears to be taking control of the device. The compromised routers can then be used for further malicious activities, such as launching additional attacks within the local network, eavesdropping on network traffic, or using the device as part of a botnet. 

Potential impact 

The exploitation of this vulnerability has significant potential impacts. The compromised data can provide attackers with credentials for further network infiltration or be used to maintain persistent access to the compromised device. The leaked information can include: 

• User credentials: Login names and passwords, which can be used to access other devices or services within the network. 

• Configuration data: Network settings, firewall rules, and other configuration details that can be manipulated to facilitate further attacks or data exfiltration. 

• Session data: Information about active sessions, which can be hijacked to impersonate legitimate users. 

Given the severity of the vulnerability and the potential for extensive data leakage and control, the impact on affected users can be profound. Attackers gaining full control of the router can manipulate network traffic, intercept sensitive communications, and create a staging point for launching further attacks within the local network. 

Mitigation recommendations 

Since the DIR-859 routers are no longer supported and will not receive patches for this vulnerability, the recommended course of action for users is to replace the affected devices with newer, supported models. This will ensure that users have the latest cybersecurity features and receive timely updates to protect against known vulnerabilities. 

Users who cannot immediately replace their devices should take the following steps to mitigate the risk: 

1. Disable remote administration: Ensure that remote administration is disabled to prevent unauthorized access from outside the local network. 

1. Network segmentation: Place the router in a separate network segment to isolate it from critical systems and limit potential damage from an exploit. 

1. Monitor traffic: Regularly monitor network traffic for unusual activities that could indicate exploitation attempts or unauthorized access. 

1. Use strong passwords: Ensure that all user accounts on the router use strong, unique passwords to reduce the risk of brute-force attacks. 

Conclusion 

The exploitation of the D-Link DIR-859 router vulnerability highlights the risks associated with using outdated and unsupported devices. Users must remain vigilant about the security of their network infrastructure and prioritize the replacement of end-of-life devices with newer models that receive regular cybersecurity updates. The observed exploitation activity underscores the importance of timely mitigation measures to protect sensitive information and maintain the security of networked environments.