Today Rick Ramgattie will assess the security of the D-Link DIR-865L router to show how he can chain vulnerabilities in both its web and storage interfaces to get root shell access. This would give an attacker full access to the device, allowing them to spy on the user’s web traffic, redirect the user to phishing sites, or add the router to a botnet.
When you plug in a USB drive, the router shares it over an anonymous Samba share, which an attacker can abuse. Since the Samba server follows symbolic links, we can then explore the entire file system rather than just the USB drive. The router stores the web interface password in a cleartext file, so we download it over Samba. The router’s web application has a file inclusion vulnerability, so we can write files where we want. Finally, we show that with a race condition vulnerability we can use the file inclusion vulnerability to overwrite a script with our desired included script and have it execute.
By chaining these vulnerabilities together, we can launch a Telnet server, achieving full root access to the device.
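The first two links in this chain, an anonymous share and a Samba server that follows symbolic links out of it, are configuration weaknesses a defender can check for. The following is an added example, not code from the talk or from D-Link: a small `smb.conf` audit in Python that flags shares combining guest access with symlink traversal. The sample config and share names are constructed, the defaults assumed are those of current `smb.conf(5)`, and the interaction with `unix extensions` is not modelled.

```python
import configparser

# Defaults per current smb.conf(5); older embedded Samba builds may differ.
DEFAULTS = {"guest ok": "no", "follow symlinks": "yes", "wide links": "no"}
ALIASES = {"guest ok": ("guest ok", "public")}  # "public" is a synonym
TRUTHY = {"yes", "true", "1"}

# Constructed sample config, not taken from the DIR-865L firmware.
SAMPLE = """\
[global]
    wide links = yes
[usb_a1]
    path = /mnt/usb_a1
    guest ok = yes
[media]
    public = yes
    wide links = no
[backup]
    wide links = no
"""

def _enabled(share, glob, key):
    """Resolve a boolean option: share value, then [global], then default."""
    for scope in (share, glob):
        for name in ALIASES.get(key, (key,)):
            if name in scope:
                return scope[name].strip().lower() in TRUTHY
    return DEFAULTS[key] in TRUTHY

def audit_smb_conf(text):
    """Return {share: [findings]} for guest access and symlink escape."""
    cp = configparser.RawConfigParser(strict=False, default_section="__unused__")
    # Strip indentation so configparser does not treat options as continuations.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    glob = next((dict(cp[s]) for s in cp.sections() if s.lower() == "global"), {})
    report = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        share, findings = dict(cp[name]), []
        guest = _enabled(share, glob, "guest ok")
        escape = (_enabled(share, glob, "follow symlinks")
                  and _enabled(share, glob, "wide links"))
        if guest:
            findings.append("anonymous (guest) access allowed")
        if escape:
            findings.append("symlinks may resolve outside the share path")
        if guest and escape:
            findings.append("HIGH: unauthenticated users can reach files outside the share")
        if findings:
            report[name] = findings
    return report
```
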