D-Link DWR-M972V SSH Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in the D-Link DWR-M972V router, specifically in the 1.05SSG firmware version. The issue arises from improper authentication, allowing an attacker to access the device via SSH as the root user, without any password requirements. This vulnerability is present in the default configuration and can be exploited through both local and WAN ports.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected router.

Reproduction

To reproduce this vulnerability, perform a factory reset on the D-Link DWR-M972V router to restore its default settings. After the reset, connect a device to the router via a LAN cable and use a port scanning tool to identify open ports. The scan will reveal that ports 22 (SSH), 23 (Telnet), and 443 (HTTP) are open. Attempt to connect to the router via SSH on the LAN port. The connection will be successful, granting access as the root user without a password. This method can also be applied through the WAN port, providing the same level of access.