D-Link Forums
The Graveyard - Products No Longer Supported => Routers / COVR => DIR-645 => Topic started by: stunner2002 on November 26, 2013, 06:46:51 AM
-
I downloaded the 1.04 Firmware update from the German support page.
The .zip file contains a changelog which says a FW 2.17 is available for Hardware Rev. A1 from 2013/06/25.
Where can I get that? Is it a beta? Want it! :)
Here is what it says:
DIR-645 Firmware Release Notes
Firmware: FW217B01
Hardware: A1
Date: 2013/06/25
Note:
1. FW version is advanced to v2.17
Problems Resolved:
1. Fixed the multiple security vulnerabilities.
2. Fixed the UPnP exploit.
Enhancements:
None
Known Issues:
None
Firmware: FW104B03
Hardware: A1
Date: 2013/03/27
Note:
1. FW version is advanced to v1.04
Problems Resolved:
1. Fixed the multiple security vulnerabilities.
- OS Command Injection in service.cgi (Issue A1)
Enhancements:
None
Known Issues:
None
Firmware: 1.03b11
Hardware: A1
Date: 2012/10/12
Problems Resolved:
1. Fix FAT32/FAT big file transfer error via samba.
2. Scheduled to send Email log fail after reboot
3. Remove 404 feature
Enhancements:
IPv6 enhancement, pass UNH-IOL logo
SharePort Mobile supported
SharePort Web Access supported
Support Russia L2TP/PPTP Dual access
Enhance iOS 6 compatibility
-
Link>Welcome! (http://forums.dlink.com/index.php?topic=41537.0)
- What Hardware version is your router? Look at sticker under router.
- Link>What Firmware (http://forums.dlink.com/index.php?topic=47512.0) version is currently loaded? Found on the router's web page under status.
- What region are you located?
Hmmm, interesting. Not sure if the information is correct for this model router or not. I haven't heard of any changes and mostly when v2.xx is developed, it's mostly for Rev B models and not Rev A. Unless they may be forthcoming with a 645 Rev B model. I do have this v1.04 Build 11 on my 645 and it works. I don't see any v2.17 listed anywhere so this could be a mistake.
I'll forward this to D-Link and see what information I get back.
-
FYI there is no v2.17 version for this model router. We presume the information posted in the notes was in error.
-
More on this http://www.scip.ch/en/?vuldb.9373
http://www.exploit-db.com/exploits/26664/
============ Solution ============
DIR-600 - update to v2.17b01
DIR-645 - update to v1.04b11
DIR-845 - update to v1.02b03
so I think that explains the meaning of the reference to 2.17
-
This issue was resolved in v1.04 B11
I was wondering where the v2.17 came from, now we know.
Thanks for sharing.
More on this http://www.scip.ch/en/?vuldb.9373
http://www.exploit-db.com/exploits/26664/
============ Solution ============
DIR-600 - update to v2.17b01
DIR-645 - update to v1.04b11
DIR-845 - update to v1.02b03
so I think that explains the meaning of the reference to 2.17
-
Is there a full list of all versions and the changes they brought to the table someplace? I am quite a ways behind the current version, but would like to review ALL the changes in ALL releases between where I am, and current.
~gs2gf
-
I'd have to look at each version's release notes. Usually not all in one place sometimes. What version is currently loaded? ???
What region are you located?
-
Knew a guy once who would not update firmware till he had investigated the problems in the existing firmware; of course nothing ever got upgraded as a result.
I'm a bit of the opposite and rush to the latest and 'greatest' when it comes to firmware, and this also has its flaws.
Here are the release notes for various versions
ftp://ftp2.dlink.com/PRODUCTS/DIR-645/REVA/
makes one wonder why there is not hardware that does not allow buffer overflow.
-
Well it's up to users to make up their own decisions about FW updates. I tend to agree with your friend, if it works, don't fix it. However I too eventually update FW. It's nice that we can downgrade too on most routers. Some we can't. Users need to review the release notes and as I recommend to everyone, if they're not affected by any of the issues in the release notes, and their routers are working, FW updates may not be needed. Ya, problems need to be troubleshot to narrow down the issue and see if a FW update is really needed. In some cases it's not or the FW update doesn't fix anything.
As far as I know, the 645 may not see another FW released unless there is a security issue. I am wondering why I see a B12 on a EU site though. No release notes and it's not officially released.
-
I'd have to look at each version's release notes. Usually not all in one place sometimes. What version is currently loaded? ???
What region are you located?
Firmware Version : 1.01 Fri 08 Jul 2011
US
I think there was a reason I didn't update on one of the earlier releases, something changed that I wasn't sure I wanted to risk, can't recall.
Are the individual version update notes available to the public anyplace?
~gs2gf
-
You have a good point, but firmware without security patches works just fine... and some changes are to accommodate new technology, which one might not yet have; now if one does not update, it will look like the new technology is to blame.
The great thing about D-Link, in my opinion, is the emergency room; as one risk of continually updating is bricking the unit...
B12 you say... gotta go...
-
Yes...nice to have a way to recover the router.
-
http://support.dlink.com/ProductInfo.aspx?m=DIR-645 (http://support.dlink.com/ProductInfo.aspx?m=DIR-645)
I know you had been talking about WoL a while back...
Firmware Version : 1.01 Fri 08 Jul 2011
US
I think there was a reason I didn't update on one of the earlier releases, something changed that I wasn't sure I wanted to risk, can't recall.
Are the individual version update notes available to the public anyplace?
~gs2gf
-
Can't find 1.04b12 anyplace...
any more hints?
-
Check ur email sir. ;D
-
http://support.dlink.com/ProductInfo.aspx?m=DIR-645 (http://support.dlink.com/ProductInfo.aspx?m=DIR-645)
I know you had been talking about WoL a while back...
Okay, I grabbed the two most recent versions' release notes, which included earlier releases too, see below. Thanks for remembering about WoL, but not sure why you mentioned it, I didn't see anything in the release notes about it, or am I missing something? (WoL doesn't work in my version either, but it had on an older D-Link router I had...)
DIR-645 Revision A1
Firmware: v.1.04B11
Date: 2013/12/19
Release Notes:
Vulnerabilities Addressed
- Fix Admin Password will accepting and saving complex password, then not allow the user to use new complex password
- Fix Buffer overflow on "post_login.xml"
- Fix Buffer overflow on "hedwig.cgi"
- Fix Buffer overflow on "authentication.cgi"
- Fix (CSRF) Cross-site scripting on "bind.php"
- Fix (CSRF) Cross-site scripting on "info.php"
- Fix (CSRF) Cross-site scripting on "bsc_sms_send.php"
- Fix Web file access api getfile path could not include ../
- Fix bypass authentication before scan direction in the router. (__ajax_explorer.sgi)
- Fix curl -H "Cookie: uid=9gIdu6X6nF" -d "EVENT=%26%20telnetd%26" http://192.168.0.1/service.cgi would cause script injection issue to execute telentd.
- Fix bypass authentication on version.php show too much router information
- Fix widget functions and remove the relative files like router_info.xml from unauthorized access
- Fix issue that disables telnetd after the router is not longer factory default
- Fix unauthorized post execute commands in the router by command.php
- Fix Vulnerabilities Discovered and Disclosure by Roberto Paleari <"roberto@greyhats.it">
- Fix Buffer overflow on "post_login.xml"
- Fix Buffer overflow on "hedwig.cgi"
- Fix Buffer overflow on "authentication.cgi"
- Fix (CSRF) Cross-site scripting on "bind.php"
- Fix (CSRF) Cross-site scripting on "info.php"
- Fix (CSRF) Cross-site scripting on "bsc_sms_send.php"
DIR-645 Revision A Release Notes
=================================================
Firmware 1.04
Date: 06/11/2013
Bug-Fixes Addressed
Fix bug streaming multicast data in LAN affect WLAN can’t access network.
Fix Banner on web configuration does not display or scale + or - with Firefox and Safari
Add router_info.xml for DCC can detect WAN link status(DCC bug,Fw work-around)
Fix DHCP client renew fail when using broadcast flag
GUI date/time extend to 2037
Fix Login password limit to 15 char same as password setting in admin page.
Fix iTunes server cause out of memory when parsing some error mp3 file.
Fix the problem that wifi-enhance not working
Reduce the logout timeout from ten to three minutes for D-Link request due to security consideration.
Fix reset statistic fail.
Fix signal of wifi client always show 100%
Enable 3TB hdd support
Fix the ping for IPv6 ";reboot" will cause system reboot.we need do shell command escape before execute.
Vulnerabilities Addressed
Fix Admin Password will accepting and saving complex password, then not allow the user to use new complex password
Fix Web file access api getfile path could not include ../
Fix bypass authentication before scan direction in the router. (__ajax_explorer.sgi)
Fix curl -H "Cookie: uid=9gIdu6X6nF" -d "EVENT=%26%20telnetd%26" http://192.168.0.1/service.cgi would cause script injection issue to execute telentd.
Fix bypass authentication on version.php show too much router information
Fix widget functions and remove the relative files like router_info.xml from unauthorized access
Fix issue that disables telnetd after the router is not longer factory default
Fix unauthorized post execute commands in the router by command.php
Fix Vulnerabilities Discovered and Disclosure by Roberto Paleari <"roberto@greyhats.it">
Fix Buffer overflow on "post_login.xml"
Fix Buffer overflow on "hedwig.cgi"
Fix Buffer overflow on "authentication.cgi"
Fix (CSRF) Cross-site scripting on "bind.php"
Fix (CSRF) Cross-site scripting on "info.php"
Fix (CSRF) Cross-site scripting on "bsc_sms_send.php"
Official Disclosure @ http://bit.ly/19BZZZH
=================================================
Firmware 1.03
Date: 11/21/2012
SharePort Mobile / Web access Support
Enhanced iOS6 compatibility
Enhanced IPv6
=================================================
Firmware 1.02
Date: 07/12/2012
Boxee improvement
Disable WPS-PIN Method
=================================================
Firmware 1.01
Date: 09/26/2011
Revision Info:
Fix wrong WAN port position picture in wizard setup.
Fix syslog function.
Fix DCS-5220 IPCAM WPA/WPA2 IOT issue.
=================================================
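The 1.04 notes above say the IPv6 ping field accepted `;reboot` and that input must be escaped before it reaches a shell; the service.cgi `EVENT` entry is the same class of bug. The following is an added example, not D-Link's code and not part of the original post, of the safer pattern for a diagnostic ping handler: accept only a literal IP address and start ping without a shell. The function names are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* AF_INET/AF_INET6 if s is a literal IP address, else 0 (inet_pton is strict). */
int ping_target_family(const char *s)
{
    unsigned char addr[sizeof(struct in6_addr)];
    if (s == NULL || strlen(s) >= INET6_ADDRSTRLEN)
        return 0;
    if (inet_pton(AF_INET, s, addr) == 1)
        return AF_INET;
    if (inet_pton(AF_INET6, s, addr) == 1)
        return AF_INET6;
    return 0;
}

/* Fill argv for exec; returns 0 on success, -1 when the target is rejected. */
int build_ping_argv(const char *target, const char *argv[6])
{
    int family = ping_target_family(target);
    if (family == 0)
        return -1;
    argv[0] = "ping";
    argv[1] = (family == AF_INET6) ? "-6" : "-4";
    argv[2] = "-c"; argv[3] = "1"; /* send a single probe */
    argv[4] = target; /* one argv element, never parsed by a shell */
    argv[5] = NULL;
    return 0;
}

/* Run ping via execvp() rather than system(); returns exit status, or -1. */
int run_ping(const char *target)
{
    const char *argv[6];
    int status;
    pid_t pid;
    if (build_ping_argv(target, argv) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Validation and shell-free execution are independent layers: even if a hostile string passed the address check, it would reach ping as a single argument and not as a command line.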
-
Ya I looked at your history and you were chatting with Ambercap about WoL. I don't think anyone got it working on this router.
Ya the most recent FW is a lot of security fixes that I helped confirm with D-Link.
-
WoL: Wake-on-LAN
for people like me that get confused with acronyms
-
You should know that by now sir. LOL ::)
-
Tis true, but my ailing mind buckles to
IP
ATM
ISDN
LAN
SNMP
FTP
DNS
TCP
ISP
VPN
SMTP
LDAP
NFS
NTP
SSL
NAT
TFTP
WAN
LAN
IMAP
STP
POP
PPP
IPP
TSP
DoS
VLAN
PPTP
-
That's why there's Wikipedia, sir. ;)
-
http://forums.dlink.com/index.php?topic=60680.0 (http://forums.dlink.com/index.php?topic=60680.0)
Can't find 1.04b12 anyplace...
any more hints?