DNS hijacking vulnerability affects D-Link DSL router, possibly other devices

D-Link DIR-880L

A vulnerability found in a DSL router model from D-Link allows remote hackers to change its DNS (Domain Name System) settings and hijack users’ traffic. The issue might also affect other devices because it is located in a popular firmware used by different manufacturers, according to a security researcher.

A proof-of-concept exploit was published Tuesday for the D-Link DSL-2740R model, a dual-function ADSL modem/wireless router device, which according to the D-Link support site has been phased out. This means the device is no longer being sold, but might still receive support if covered by warranty.

The exploit was created by Todor Donev, member of a Bulgarian security research outfit called Ethical Hacker, who claims that more devices from D-Link and other manufacturers might be affected.

The vulnerability is actually in ZynOS, a router firmware developed by ZyXEL Communications that’s used in products from multiple networking equipment manufacturers, including D-Link, TP-Link Technologies and ZTE, Donev said via email.

Attackers don’t need to have access credentials for the affected devices in order to exploit the vulnerability, but do need to be able to reach their Web-based administration interfaces, he said.

If the administration interface is exposed to the Internet—routers are sometimes configured in this way for remote administration—the risk of exploitation is higher. But even if it’s only accessible from within the local area network, hackers can still use cross-site request forgery (CSRF) techniques to reach a router’s interface.

CSRF attacks hijack users’ browsers to perform unauthorized actions when they visit compromised sites or click on malicious links. Rogue code loaded from a website can instruct a browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with routers.

Large scale CSRF attacks against router owners that were designed to replace DNS servers configured on their devices with servers controlled by attackers were observed on the Internet in the past.

DNS servers have an important role. They translate website names that humans can understand into numerical IP addresses that computers use to speak with each other. If a router uses a malicious DNS server, attackers can direct computers served by that router to rogue servers when they attempt to access legitimate websites.

In March 2014, Internet security research organization Team Cymru uncovered a global attack campaign that compromised over 300,000 home routers and changed their DNS settings. A different vulnerability in ZynOS was exploited in that attack and one of the techniques used was likely CSRF.

Donev did not report the vulnerability to D-Link and as far as he knows it is currently a zero-day—a name given to publicly disclosed, but unpatched vulnerabilities.

D-Link did not immediately respond to a request for comment sent Tuesday.

Subscribe to the Best of PCWorld Newsletter