Security researcher Michael Messner has identified multiple vulnerabilities in D-Link's DIR-600 and DIR-300 routers that allow attackers to execute arbitrary shell commands.
According to the researcher's blog post, the vulnerabilities stem from absent access restrictions and missing input validation on the cmd parameter.
The OS command injection vulnerability allows an attacker to launch telnetd and thereby compromise the device.
The vulnerability is described as follows: an attacker can change the password without knowing the current one by sending malicious code to the victim's device.
The researcher also found that the password is not encrypted: the device saves the root password in plain text in the var/passwd file.
Imagine what an attacker can do after taking control of your router through this vulnerability. They can very easily redirect all your links wherever they choose. And a malicious user's choices will surely not be good.
Messner warned the company about the vulnerability, but D-Link's response was that it was a browser issue and that it would not fix its routers.
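The two missing controls named above for the cmd parameter (an access check and input validation) can be sketched as follows. This is an added example, not D-Link firmware code or code from the researcher's post; the action names, binary paths and function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern the article describes, for contrast only: the request's cmd value
 * is handed to a shell, e.g. system(cmd), with no login check before it. */

/* Hypothetical allowlist: each accepted cmd value maps to a fixed argv. */
struct action { const char *name; const char *const argv[3]; };
static const struct action ALLOWED[] = {
    { "uptime", { "/bin/uptime", NULL, NULL } },
    { "ifstat", { "/sbin/ifconfig", "-a", NULL } },
};

enum result { CMD_OK = 0, CMD_UNAUTHENTICATED = 1, CMD_REJECTED = 2 };

/* Access check first, then exact-match validation. Anything that is not a
 * known action name (including values carrying shell syntax) is rejected. */
enum result resolve_cmd(int authenticated, const char *cmd,
                        const char *const **argv_out)
{
    *argv_out = NULL;
    if (!authenticated) return CMD_UNAUTHENTICATED;
    if (cmd == NULL) return CMD_REJECTED;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        if (strcmp(cmd, ALLOWED[i].name) == 0) {
            *argv_out = ALLOWED[i].argv;
            return CMD_OK;
        }
    }
    return CMD_REJECTED;
}

/* Run a resolved action with execv, so no shell ever parses request data. */
int run_action(const char *const *argv)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], (char *const *)argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *const *argv;
    /* Constructed inputs: unauthenticated request, then a value with shell syntax. */
    printf("%d\n", resolve_cmd(0, "uptime", &argv));
    printf("%d\n", resolve_cmd(1, "uptime; telnetd", &argv));
    return 0;
}
```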