Hackers exploit critical D-Link DIR-859 router flaw to steal passwords

Hackers are exploiting a critical vulnerability that affects all D-Link DIR-859 WiFi routers to collect account information from the device, including passwords.

The security issue was disclosed in January and is currently tracked as CVE-2024-0769 (9.8 severity score) - a path traversal flaw that leads to information disclosure.

Although D-Link DIR-859 WiFi router model reached end-of-life (EoL) and no longer receives any updates, the vendor still released a security advisory explaining that the flaw exists in the "fatlady.php" file of the device, affects all firmware versions, and allows attackers to leak session data, achieve privilege escalation, and gain full control via the admin panel.

D-Link is not expected to release a fixing patch for CVE-2024-0769, so owners of the device should switch to a supported device as soon as possible.

Detected exploitation activity

Threat monitoring platform GreyNoise has observed the active exploitation of CVE-2024-0769 in attacks that rely on a slight variation of the public exploit.

The researchers explain that hackers are targeting the 'DEVICE.ACCOUNT.xml' file to dump all account names, passwords, user groups, and user descriptions present on the device.

Contents of the retrieved configuration file
Source: GreyNoise

The attack leverages a malicious POST request to '/hedwig.cgi,' exploiting CVE-2024-0769 to access sensitive configuration files ('getcfg') via the 'fatlady.php' file, which potentially contains user credentials.

Malicious POST request
Source: GreyNoise

GreyNoise has not determined the motivation of the attackers, but the targeting of user passwords shows an intention to perform device takeover, thus giving the attacker full control of the device.

"It is unclear at this time what the intended use of this disclosed information is, it should be noted that these devices will never receive a patch," the researchers explain.

"Any information disclosed from the device will remain valuable to attackers for the lifetime of the device as long as it remains internet facing" - GreyNoise

GreyNoise notes that the public proof-of-concept exploit, on which current attacks rely, targets the 'DHCPS6.BRIDGE-1.xml' file instead of 'DEVICE.ACCOUNT.xml', so it could be used to target other configuration files, including:

These files could expose configurations for access control lists (ACLs), NAT, firewall settings, device accounts, and diagnostics, so defenders should be aware of them being potential targets for exploitation.

GreyNoise makes available a larger list of files that could be invoked in attacks that exploit CVE-2024-0769. This should server defenders in case other variations occur.