[ALUG] Firmware update for D-Link DIR-645 and DIR-890L

[Andreas Tauscher]

The guys from /dev/ttyS0 are nice guys but this firmware bugfix was
worth a post titled: "What the Ridiculous Fuck, D-Link?!" [1]

In a former article the firmware for this was dissembled and they found
some serious security problems:
1. Use of unauthenticated user data in a call to system (command injection)
2. Use of unauthenticated user data in a call to sprintf (stack overflow)
3. Unauthenticated users can execute privileged HNAP actions (such as
changing the admin password)

Now D-Link released a bugfix. The conclusion of this bug fix:
"However, they’ve added another sprintf to the code before the call to
access; their patch to prevent an unauthenticated sprintf stack overflow
includes a new unauthenticated sprintf stack overflow.

But here’s the kicker: this patch does nothing to prevent
unauthenticated users from executing completely valid administrative
HNAP actions, because all it does is ensure that the HNAP action is
valid. That’s right, their patch doesn’t even address all the bugs
listed in their own security advisory!"

It is not the first time D-Link is releasing such "quality" updates.

For me is since longer time D-Link is anyway a no-go. (To be exact since
mid 2004 when I commited a Kernel patch for a D-Link ethernet card to
get it working with the r8169 module. What D-Link provided was a copy of
the original Realtek driver for 2.4 kernels - took me a while to find
this out. Somehow the code looked familiar.... Except removing any
copyright notes, writing in D-Link and completely f***ing up this driver
they got done nothing.) Better no device than a D-Link device....

Andreas

[1] http://www.devttys0.com/2015/04/what-the-ridiculous-fuck-d-link/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.habari.co.tz/pipermail/linux/attachments/20150415/0051f353/attachment.pgp>