January 9th, 2010
We’ve been on hiatus over the past few months working on other projects, but last week we re-focused on D-Link routers. While we previously found a flaw in D-Link’s CAPTCHA implementation, this time around we’ve found a way to view and edit D-Link router settings without any administrative credentials.
The short story is that D-Link routers have a second administrative interface, which uses the Home Network Administration Protocol. While HNAP does require basic authentication, the mere existence of HNAP on D-Link routers allows attackers and malware to bypass CAPTCHA “security”. Further, HNAP authentication is not properly implemented, allowing anyone to view and edit administrative settings on the router.
HNAP appears to have been implemented in D-Link routers since 2006, and cannot be disabled. We have verified that vulnerabilities exist in the HNAP implementations of the DI-524, DIR-628 and DIR-655 routers, and suspect that most, if not all, D-Link routers since 2006 are vulnerable.