CVE-2024-0769: The Vulnerability D-Link Won’t Fix in DIR-859 Router

D-Link DIR-859 Wi-Fi Router once sailed as a trusted model for consumers seeking reliable wireless connections. However, a critical security vulnerability, CVE-2024-0769 was found on this router that D-Link will not address due to the device reaching its End of Support (EoS) as of August 7, 2020.

This is an unauthenticated Path Traversal vulnerability in the firmware’s “fatlady.php” file, discovered in the DIR-859’s final firmware version RevA_FW_Patch_v1.06B01. This vulnerability allows for the leakage of session data, leading to full privilege escalation. This flaw, unveiled by security researchers Françoa Taffarel Rosário Corrêa, Osmany Barros de Freitas, and Lourenço Alves Pereira Junior, poses a significant risk by enabling unauthorized control over the device via the admin panel.

The breach is executed with a cunning simplicity: a malicious POST request sent via curl, targeting the “fatlady.php” file. With a crafted request, the attacker embeds an XML payload poisoned with a manipulated service parameter, allowing them to traverse directories unchallenged, potentially accessing unauthorized data.

“The vulnerability allows an attacker to inject commands via the ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml that contains login and password of admin panel,” the researcher wrote.

The crux of this vulnerability lies in the inadequate validation and sanitization of user input, allowing attackers to inject commands and access sensitive admin login credentials.

In response to CVE-2024-0769, D-Link recommends retiring these products and replacing them with products that receive firmware and device software updates.