Researcher publishes exploit code for the vulnerability

Jan 28, 2015 15:20 GMT  ·  By

The DNS settings of some router models from D-Link can be modified without authorization via their web-based administration console.

No authentication is required for this attack, which can be used to redirect users to malicious online locations hosting malware or phishing pages.

Vulnerability may be unpatched at the moment

An exploit has been created and published by Todor Donev, a member of the Bulgarian security research group Ethical Hacker; the goal of the organization is to establish a community of professionals bringing innovation in the field of computer security.

His research focused primarily on the D-Link DSL-2740R, but according to the advisory published on Tuesday, other routers from the manufacturer are also affected by the vulnerability. The researcher did not provide a list of the affected devices.

It is unclear whether Donev contacted D-Link on this matter, as there is no information regarding a responsible disclosure of the flaw.

According to D-Link's product page, the DSL-2740R has been phased out, meaning it is no longer sold.

However, phased-out is not the same as end of support: units still covered by warranty continue to be supported.

DNS translates domain names into the IP addresses of the servers hosting a site. If the Internet gateway is configured to use a rogue DNS server, that server can answer lookups with whatever addresses the attacker chooses, so users who type the correct name can be sent to attacker-controlled servers instead of the real ones.
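The check below is an added example, not code from the article or from Donev's advisory. It resolves the same name through the gateway's resolver and through an independent reference resolver using hand-built DNS packets, so that it does not depend on the operating system's resolver (which, on a LAN behind a hijacked router, would itself point at the rogue server), and flags answers that diverge. The resolver addresses, hostnames and the sample response are assumptions or constructed test data.

```python
"""Independent gateway DNS hijack check (added example, not the advisory's code)."""
import os
import socket
import struct


def build_query(name, txid):
    """Standard A query: header (RD set, one question) + QNAME + QTYPE=A + QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:                  # non-zero RCODE (NXDOMAIN, SERVFAIL, ...): no answers
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record; CNAMEs etc. are skipped
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def build_response(txid, name, addrs, rcode=0):
    """Construct a response (test data only; never used for live queries)."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a) for a in addrs
    )
    return header + question + answers


def query(server, name, timeout=2.0):
    """Send one UDP query to `server` and return its A records (live network call)."""
    txid = int.from_bytes(os.urandom(2), "big")   # random ID so a blind spoofer cannot guess it
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return parse_a_records(data)


def classify(gateway_answers, reference_answers):
    """Compare what the gateway's resolver said with what the reference resolver said."""
    if not reference_answers:
        return "unknown"        # the reference could not resolve it either
    if not gateway_answers:
        return "blocked"        # gateway resolves nothing: updates from that host silently fail
    if set(gateway_answers) & set(reference_answers):
        return "match"
    return "divergent"          # disjoint answers: hijack, or a CDN giving per-resolver answers


if __name__ == "__main__":
    import sys
    # usage: python check.py <gateway-ip> <reference-resolver-ip> host [host ...]
    gateway, reference, hosts = sys.argv[1], sys.argv[2], sys.argv[3:]
    for host in hosts:
        g, r = query(gateway, host), query(reference, host)
        print(f"{host}: gateway={g} reference={r} -> {classify(g, r)}")
```

A "divergent" result is a lead, not proof: CDN-hosted names legitimately resolve differently from different resolvers, so confirm with a second reference resolver or by checking the TLS certificate the gateway-supplied address serves. A "blocked" result for a vendor update host is exactly the failure mode the advisory describes.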

Risks associated with DNS hijacking

In his advisory, Donev warns that changing a router's DNS (domain name system) settings is particularly useful to cybercriminals.

One of the dangers of this practice is replacing the ads on legitimate sites a victim visits with whatever the attacker wants, but the ability to control and redirect the victim's network traffic is by far the greater risk.

“Users of infected systems may not be granted access to download important OS and software updates from vendors like Microsoft and from their respective security vendors,” Donev says in the advisory.

Important to note is that exploiting the vulnerability requires the router's administration interface to be reachable by the attacker; for an attack from the Internet that means remote (WAN-side) management must be enabled, and many older routers ship with it enabled by default.

Disabling outside access limits exposure but does not close the hole: because the request needs no authentication, the restriction can be bypassed with cross-site request forgery (CSRF). A page the victim visits from inside the LAN, whether attacker-controlled or a compromised legitimate site, can make the victim's browser send the DNS-changing request to the router's internal address.
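To make the two failure modes concrete, the following added example (not code from D-Link, the article or the advisory) models a router's "set DNS servers" endpoint as a pure function over an in-memory request. The vulnerable form accepts the change from anyone on any method, as the advisory reports; the hardened form requires a login session, refuses GET, checks the request's Origin/Referer against the admin UI's own origin, and demands a per-session CSRF token, so a cross-site page on the LAN cannot ride on the victim's session either. The endpoint path, the admin address and all IPs are hypothetical.

```python
"""Unauthenticated DNS-settings endpoint next to a hardened one (added example)."""
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ADMIN_ORIGIN = "http://192.168.1.1"   # assumed LAN address of the admin UI (hypothetical)
ENDPOINT = "/dns_settings"            # hypothetical path, not the DSL-2740R's real one


@dataclass
class Request:
    method: str
    path: str
    params: dict
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Router:
    dns: tuple = ("auto", "auto")                 # (primary, secondary); "auto" = ISP-assigned
    sessions: dict = field(default_factory=dict)  # session id -> per-session CSRF token


def login(router):
    """Issue a session cookie and a CSRF token bound to it (credential check elided)."""
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    router.sessions[sid] = token
    return sid, token


def vulnerable_handler(router, req):
    """What the advisory describes: anyone who can reach the URL changes the resolvers."""
    if req.path != ENDPOINT:
        return 404
    router.dns = (req.params.get("primary"), req.params.get("secondary"))
    return 200


def _source_origin(headers):
    """Origin the browser attached, falling back to the Referer's scheme://host[:port]."""
    if "Origin" in headers:
        return headers["Origin"]
    parts = urlsplit(headers.get("Referer", ""))
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else ""


def hardened_handler(router, req):
    if req.path != ENDPOINT:
        return 404
    if req.method != "POST":             # state changes never ride on GET (no <img src=...> trigger)
        return 405
    token = router.sessions.get(req.cookies.get("session", ""))
    if token is None:                    # closes the original hole: a login is required
        return 401
    if _source_origin(req.headers) != ADMIN_ORIGIN:   # cross-site POST from another page
        return 403
    if not hmac.compare_digest(req.params.get("csrf_token", ""), token):
        return 403                       # session cookie alone is not enough: token is per-session
    try:
        primary = ipaddress.ip_address(req.params.get("primary", ""))
        secondary = ipaddress.ip_address(req.params.get("secondary", ""))
    except ValueError:
        return 400
    router.dns = (str(primary), str(secondary))
    return 200


# Scenarios (constructed): a WAN-side GET, a CSRF POST from a LAN browser, a legitimate change.
ROGUE = {"primary": "203.0.113.5", "secondary": "203.0.113.6"}


def scenario_wan_get(handler):
    router = Router()
    return handler(router, Request("GET", ENDPOINT, dict(ROGUE))), router.dns


def scenario_csrf(handler):
    router = Router()
    sid, _ = login(router)               # victim is logged in; browser attaches the cookie itself
    req = Request("POST", ENDPOINT, dict(ROGUE), cookies={"session": sid},
                  headers={"Origin": "http://attacker.example"})
    return handler(router, req), router.dns


def scenario_legit(handler):
    router = Router()
    sid, token = login(router)
    req = Request("POST", ENDPOINT,
                  {"primary": "198.51.100.1", "secondary": "198.51.100.2", "csrf_token": token},
                  cookies={"session": sid}, headers={"Origin": ADMIN_ORIGIN})
    return handler(router, req), router.dns


if __name__ == "__main__":
    for name, fn in [("wan_get", scenario_wan_get), ("csrf", scenario_csrf), ("legit", scenario_legit)]:
        print(name, "vulnerable:", fn(vulnerable_handler), "hardened:", fn(hardened_handler))
```

The order of checks matters: authentication fixes the flaw the advisory reports, but on its own it leaves the CSRF route open because the browser sends the session cookie with a cross-site request automatically; the token and origin checks are what close that route. Keeping the admin UI off the WAN remains worthwhile as defence in depth, since it removes the Internet-facing attack surface entirely.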