Risk of intrusions in D-Link devices

A few days ago, Blazej Adamczyk reported a series of vulnerabilities in D-Link devices that could allow an attacker to gain control of the router, even allowing it to execute code directly.

The affected devices are: DWR-116, DWR-512, DWR-712, DWR-912, DWR-921 and DWR-111, although others with the same type of firmware could also be affected.
• CVE-2018-10822, possibility to read files remotely and arbitrarily via / .. or // after a "GET / uir" in an HTTP request.
• CVE-2018-10823, command injection.
• CVE-2018-10824, passwords stored in a plain text file.
The cross-directory problem (CVE-2018-10822) is due to an incomplete repair of the CVE-2017-6190 vulnerability, discovered by Patryk Bogdan.

By combining the vulnerabilities CVE-2018-10822 and CVE-2018-10824, an attacker could try to obtain the administrator's password in case of knowing the location of the file in which the password is stored.

The attacker could obtain a binary configuration file containing the administrator's username and password as well as other router configuration data. The lack of encryption described by the CVE-2018-10824, together with the vulnerability of the transversal directory (CVE-2018-10822) that allows the attacker to read the file without the need for identification, pose a serious risk.

The vulnerability CVE-2018-10823 has identified the possibility of executing arbitrary code by an attacker who has been identified in the router.

So it would be possible to inject commands through parameters that are not correctly validated in the "chkisg.htm" view to take full control of the device when obtaining the "passwd" file.