Remote code execution in D-Link routers

Remote code execution in D-Link routers

D-Link has released new firmware for a number of routers to address a highly critical security vulnerability SB2016081203 (CVE-2016-5681). The affected routers are:

DIR-850L B1, DIR-822 A1, DIR-823 A1, DIR-895L A1, DIR-890L A1, DIR-885L A1, DIR-880L A1, DIR-868L B1, DIR-868L C1, DIR-817L(W) and DIR-818L(W).

The vulnerability exists within the cgibin binary, intended to handle session cookie. This binary is called from different parts of D-Link web interface, including the service, exposed through the WAN network interface on port 8181/TCP. A remote attacker can send a specially crafted "uid" cookie via the HTTP POST request to "/dws/api/Login" login page, cause buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may allow an attacker to obtain full access to vulnerable device and use it to gain access to local network.

Public exploit code was also released by D-Link support website. Below is a dump of HTTP POST request, which can be used to trigger a buffer overflow: 

----------------- REQUEST:
POST /dws/api/Login HTTP/1.1
Host: IP:8181
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
Cookie: uid="A"*3220 + "AAAA" + "BBBB" +"CCCC" +"DDDD" +"EEEE" +"FFFF" +"GGGG" +"HHHH" +"XXXX" << This causes the stack buffer overflow
Connection: close

id=test&password=test
-----------------

To resolve this vulnerability we recommend to install the latest version of firmware, available from vendor’s website:

  • DIR-850L Rev. B1 Official FW v2.07 (v2.07WWB05)
  • DIR-817 Rev. Ax Official FW End Aug. 2016
  • DIR-818L Rev. Bx Beta FW v2.05b03beta03  End Aug. 2016
  • DIR-822 Rev. A1 Official FW v3.01 (v3.01WWb02)
  • DIR-823 Rev. A1 Official FW v1.00 (v1.00WWb05)
  • DIR-895L Rev. A1 Official FW v1.11 (v1.11WWb04)
  • DIR-890L Rev  A1 Official FW v1.09 (v1.09b14)
  • DIR-885L Rev. A1 Official FW v1.11 (v1.11WWb07)
  • DIR-880L Rev. A1 Official FW v1.07 (v1.07WWb08)
  • DIR-868L Rev. B1 Official FW v2.03 (v2.03WWb01)
  • DIR-868L Rev. C1 Official FW v3.00 (v3.00WWb01)

We also would suggest to filter all traffic on TCP port 8181 at least on WAN interface.

And of cource you can use our free vulnerability scanner to check if you are vulnerable.

Back to the list

Latest Posts

Cyber Security Week in Review: May 2, 2025

Cyber Security Week in Review: May 2, 2025

In brief: SonicWall warns of active exploitation of recently patched bugs, Commvault confirms a nation-state zero-day attack, and more.
2 May 2025
Nation-state hackers exploit zero-day in Commvault Azure environment

Nation-state hackers exploit zero-day in Commvault Azure environment

Additionally, SonicWall has warned that two flaws affecting its SMA100 appliances are being actively exploited in the wild.
1 May 2025
New crypto exchange Grinex suspected to be Garantex rebrand following US seizure

New crypto exchange Grinex suspected to be Garantex rebrand following US seizure

After Garantex’s domains were seized, Grinex was immediately promoted in Telegram channels.
30 April 2025
Popular Posts
Featured vulnerabilities
Multiple vulnerabilities in MicroDicom DICOM Viewer
High Patched | 02 May, 2025
Multiple vulnerabilities in KUNBUS Revolution Pi OS Bookworm and Revolution Pi PiCtory
High Patched | 02 May, 2025
Server-side request forgery in IBM Business Monitor
Medium Patched | 02 May, 2025
IBM Watson Speech Services Cartridge update for FreeType
High Patched | 02 May, 2025
IBM Watson Speech Services Cartridge update for Apache Tomcat
Сritical Patched | 02 May, 2025