Which Routers Are Vulnerable to the D-Link HNAP Exploit?
January 18th, 2010
ZDNet and PCWorld have both run articles regarding our recent disclosure of the D-Link HNAP vulnerability. As with other postings and reports, there seems to be some confusion as to which routers and models are affected.
D-Link has made some statements that we’d like to offer rebuttals to, as we either suspect them to be incorrect or find them to be downright confusing. The below quotations are from the ZDNet article:
The model that D-Link said is not in the European market is DI-524 (C1). In addition, that model does not support HNAP, the company noted.
Yes, the DI-524 hardware version C1 does in fact support HNAP. It was one of the first D-Link routers to do so. Install the most recent firmware release (version 3.23). HNAP is clearly there and vulnerable.
The non-existent model is DIR-628 (B2), as only A hardware has ever been released for that device.
Correct, the DIR-628 hardware version B2 does not exist; that’s bad on us. The version we tested was actually A2 not B2 as we erroneously reported. I find it odd that D-Link doesn’t seem to have even tested their A-series DIR-628s though. If they had, they would have found that they were vulnerable.
Finally, model DIR-655 (A1, firmware 1.30EA) runs a restricted firmware version related to East Asia and therefore irrelevant for Europe.
There seems to be some expectation from D-Link and others that we have tested every firmware version for every D-Link router in existence. That is simply not possible for us to do. We tested three different D-Link routers with four different firmware versions that spanned a period of three years and two continents, and they were all vulnerable. But that is all that we have tested, and therefore all that we can confirm. Just because we didn’t test European firmware doesn’t mean that it is or isn’t vulnerable. It just means that we didn’t test it.
The networking company said on Monday that the problem, discovered by security researchers SourceSec, affects three of its wireless routers: DIR-855 (hardware version A2), DIR-655 (versions A1 to A4) and DIR-635 (version B).
Interestingly, D-Link told PCWorld that there were five routers affected: the DIR-855, DIR-655, DIR-635, DIR-615, and the DI-634.
Now, we know that the DI-524 and DIR-628 are vulnerable. We have also had reports that the DIR-300 is vulnerable (though we can’t confirm this). Yet D-Link does not mention any of them in their list of vulnerable routers. So are there three router models affected? Or five? Or more? Has D-Link performed comprehensive testing on their routers? Or are these just the ones that they’ve tested so far? I can assure you that the DIR-628 and DI-524 need to be added to this list; which others are missing?
In addition, just running the exploit code was not enough to compromise D-Link routers, it said. “It is important to note that running the code on its own is not sufficient to hack into the router: only the software tool provided seems to achieve this result,” said the D-Link statement.
OK, now I’m confused – running the code won’t hack the router, but running the software will? It’s a bash script: the code is the software (Einhorn is Finkle…Finkle is Einhorn…). Any piece of software that can make Web requests can be used to exploit the vulnerability. Web browser? Check. Netcat? Yup. Wget? Sure! Curl? Definitely! I’m not sure what D-Link is trying to say here.
And finally, there’s the inevitable passing of the buck:
“By publicising their tool, and giving specific instructions, the authors of the report have publicly outlined how the security can be breached, which could have had serious repercussions for our customers,” said the D-Link statement.
Yes, of course. It’s not D-Link’s fault for selling vulnerable routers to their customers. It’s obviously our fault for informing their customers of the vulnerability. Shame on us.
January 18th, 2010 at 10:50 pm
Really liked that Ace Ventura reference. D-Link’s response really makes them look bad; I would expect a more serious response from a vendor this big, not one that looks like it comes from a mom-and-pop store on the corner of the street.
January 18th, 2010 at 11:28 pm
Our intention is certainly not to make D-Link look bad. We’re very glad that they have already released new firmware to fix the issue. Our concern is that they aren’t addressing all the routers and/or firmware versions that are affected, particularly ones that we reported in our initial publication.
BTW, glad you liked the reference. Great movie.
January 19th, 2010 at 3:27 pm
[...] does not hide that he is surprised by the position presented by D-Link, rebuts the accusations one by one and explains to D-Link the functions built into their own hardware. But the best part of the polemic with [...]
January 19th, 2010 at 6:22 pm
I’ve contacted D-Link, and their outsourced technical support is obviously completely clueless and of no help. As of now, there does not appear to be any Firmware update for North American routers. I have the DIR-655 A2 and the latest firmware update for North America seems to be back in July 2009.
Craig, or anybody else who is associated with SourceSec, can you please e-mail me and help me find the updated firmware? The company is of no help whatsoever. Any help would be appreciated. Thank you.
January 20th, 2010 at 2:56 pm
D-Link’s response to this exploit is abysmal. I suppose they think ignorance is bliss to their customers. Any decent company would have had their PR office say something in response to this across all of their web sites–even if it’s something like “We are looking into this exploit and will report back soon with more information.” At this moment, I’m left to conclude that D-Link does not know exactly which routers are vulnerable and which firmware versions are vulnerable. I’ve always been pleased with my D-Link router’s performance, but I’m not willing to risk operating my network with a security vulnerability like this. Thanks to SourceSec for posting the information. D-Link–get your head out of your ass.
January 20th, 2010 at 7:36 pm
@Kurt:
I believe that the newest beta firmware for the DIR-655 fixes the HNAP vulnerability, though I haven’t tried it myself (http://forums.dlink.com/index.php?topic=10470.0).
@Kevin:
We agree that based on the few public statements that they have given, D-Link does not seem to have a definite answer on which routers or firmware releases are vulnerable, nor a good grasp on the exploit itself. Hopefully they’re still in testing mode and will release more detailed information soon.
January 21st, 2010 at 3:09 pm
HNAP, I heard that is something Cisco came up with. Is that correct?
If yes, are Linksys routers also infected with this issue?
However, I believe D-Link should come out with a statement about this.
But on the co.uk and the .se sites I found new firmware.
DIR-615 HW:Bx FW: 2.27b01
DIR-635 HW:Ax FW: 1.13b00w
DIR-635 HW:Bx FW: 2.33EUb01
DIR-655 HW:Ax FW: 1.31EUb02
DIR-855 HW:Ax FW: 1.21EUb01
January 21st, 2010 at 8:17 pm
HNAP is actually patented by PureNetworks, but PureNetworks was acquired by Cisco so it is essentially a Cisco thing now. We have tested two Linksys routers (WRT-160N and WRT-54G2) that support HNAP and they do not appear to be vulnerable to this attack.
January 22nd, 2010 at 9:45 am
I’ve tested the exploits against the DIR-825 Hardware A1, Firmware 1.12NA.
I’m saddened to say I was successful in several of the operations such as rebooting the device, checking status, etc. However, some items such as changing the mac filters failed.
January 22nd, 2010 at 2:21 pm
Sorry if my tech skills are not high enough.
But in non-technical words:
How is it possible to hit the target from outside the LAN if you do not know the WAN IP or run some kind of tracer?
And it is my understanding that if there is a valid PW on both user and admin, it is not possible to do the attack?
January 22nd, 2010 at 7:30 pm
@Chris:
Interesting that changing the mac filters didn’t work. I don’t believe we tried that particular action during our testing, so it’s possible that the XML data for that action could be wrong. The most sensitive actions for a malicious attacker would be changing the administrative password and editing the TCP/IP settings (i.e., changing the DNS servers used by the router), so I would check to see if those work. Sounds like the DIR-825 is at least partially vulnerable, so that’s another router that I haven’t seen D-Link mention in their vulnerability list. Thanks for letting us know!
@M3:
On older models (specifically, the DI-524), if you change the default password for the admin and user accounts then you are OK (of course, you’ll want to make them something that isn’t easily guessed). For the newer routers (DIR-628, DIR-655, etc), this vulnerability allows an attacker to completely bypass the login. It doesn’t matter what you set your passwords to, and in fact, an attacker can re-set the admin password to whatever he/she wants.
An attacker that is not in your LAN cannot access HNAP directly, as it is only enabled on the router’s LAN interface. However, using DNS-rebinding or possibly some flash-based attacks, it would be possible for a remote attacker to exploit this vulnerability if someone inside the network browsed to a Web site that he had infected with some malicious HTML/JavaScript code.
January 26th, 2010 at 10:33 am
Craig,
Interestingly enough, Dlink’s ftp site has a beta firmware for the 825 titled: dir825_fw_113b03NA_HNAP_beta.zip. This came out 4 days ago.
I’d guess that is as much an admission as anything.
Also, I didn’t run your script to perform the test. Instead I wrote my own using c# and your xml files. So, it’s entirely possible the failure in updating the MAC info was my fault (so to speak).
February 6th, 2010 at 1:32 pm
DI-524 HW Revision B2 with 2.07v Firmware (newest to find on Dlink site) seems not to be vulnerable:
./hnap0wn 192.168.xxx.1:8099 xml/GetWLanSecurity.xml
Trying SOAPAction header exploit…
SOAPAction header exploit failed! Trying privilege escalation exploit…
Default creds failed! Sorry!
February 7th, 2010 at 5:28 pm
Tossin,
We didn’t test revision B2, but I couldn’t find the firmware release that you mentioned (2.07) on D-Link’s site. Are you sure that it supports HNAP at all? Also, the DI-524 rev C1 that we tested ran HNAP on port 80, not 8099, so make sure that you’re testing the right port too.
February 21st, 2010 at 9:16 pm
I know for sure that my DIR-600 is vulnerable (bought it in Europe).
Tested the script running Ubuntu on my laptop; I was able to change the admin password to “123”.
Yet D-Link says DIR-600s are not affected. Are they just lying, too stupid to test, or am I hallucinating?
The PR guys from D-Link should quit their job if they thought just denying the problem would be a good strategy.
February 27th, 2010 at 8:41 pm
Samy, you’re the second person who has told us that the DIR-600 is vulnerable. We don’t have one, so we can’t confirm, but it may be an issue of some firmware versions are vulnerable while others aren’t. We have suspected that D-Link didn’t do full-scope testing on their products before releasing their list of vulnerable routers, so it’s not clear if they tested all their routers or looked at all their firmware releases or not. Are you running the latest firmware release for the DIR-600?
March 6th, 2010 at 6:22 pm
Hi Craig, I am not running the latest release; I am running the pre-installed firmware version 2.01.
I will install the newer version and then test again.
I also found out that you now have a newer version of your proof-of-concept article out. You added the part that you should specify the port “8099” when trying to execute hnap0wn. I have to tell you that this new command does not work and the script will fail with the DIR-600, whereas the old command without the port 8099 and just the IP works perfectly.
March 6th, 2010 at 6:47 pm
I have to correct myself: the version 2.01 I have installed is actually the latest release.
D-Link just calls it 2.01b01 on their German support website instead of 2.01. Anyway, I did the firmware update and it’s the same release and vulnerable!
This is the output I get from hnap0wn when it successfully changed the admin password:
samy@MeanMachine:~/Downloads$ ./hnap0wn 192.168.0.1 xml/SetDeviceSettings.xml
Trying SOAPAction header exploit…
SOAPAction header exploit failed! Trying privilege escalation exploit…
REBOOT
March 10th, 2010 at 9:25 pm
Thanks for the extra info Samy. As specified elsewhere in the paper, some D-Link routers run HNAP on port 80 while others use port 8099; it looks like the DIR-600 uses port 80 which is why specifying port 8099 doesn’t work.
If you want to know which port is being used for HNAP, browse to http://192.168.0.1/HNAP1/; if HNAP is being run on a port other than 80, it will redirect your browser to the appropriate port.
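The port check described in that last comment is easy to script so that an administrator can inventory which routers on a network expose HNAP at all, and on which port, before deciding what to patch. The following is an added example written for this page; it is not the hnap0wn script from the paper and not D-Link code. It assumes the gateway address 192.168.0.1 (change it to your own router), uses only the Python standard library, and treats a redirect from /HNAP1/ as the router pointing at the port HNAP is actually served on, exactly as the comment describes. The three sample responses at the bottom are constructed so the parsing logic can be exercised without touching a router; the live probe is left behind a comment in the main block.

```python
"""Report whether a router answers on /HNAP1/ and which port HNAP uses.

Added example for this page (not SourceSec's hnap0wn, not D-Link code).
Gateway address 192.168.0.1 is an assumption; adjust for your network.
"""
import urllib.error
import urllib.request
from urllib.parse import urlparse

HNAP_PATH = "/HNAP1/"
REDIRECT_CODES = (301, 302, 303, 307, 308)


def hnap_port_from_response(status, location, probed_port=80):
    """Derive the HNAP port from the probe's HTTP status and Location header.

    - 200 on the probed port: HNAP is served right there.
    - redirect: the router sends browsers to the real HNAP port, so read the
      port out of the Location URL (80 when the URL names none).
    - anything else (e.g. 404): no sign of HNAP; return None.
    """
    if status in REDIRECT_CODES and location:
        target = urlparse(location)
        return target.port or (443 if target.scheme == "https" else 80)
    if status == 200:
        return probed_port
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep urllib from following redirects so the Location header is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_hnap(host, port=80, timeout=5):
    """Request /HNAP1/ on a live router and return (status, location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    url = f"http://{host}:{port}{HNAP_PATH}"
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirect-following disabled, 3xx and 4xx both land here.
        return err.code, err.headers.get("Location")


# Constructed sample responses (not captured from real devices).
SAMPLE_RESPONSES = {
    "router serving HNAP on 8099": (302, "http://192.168.0.1:8099/HNAP1/"),
    "router serving HNAP on 80": (200, None),
    "router without HNAP": (404, None),
}

if __name__ == "__main__":
    for label, (status, location) in SAMPLE_RESPONSES.items():
        print(f"{label}: port {hnap_port_from_response(status, location)}")
    # Live check against the assumed gateway address:
    # status, location = probe_hnap("192.168.0.1")
    # print("HNAP port:", hnap_port_from_response(status, location))
```

A result of None means the router gave no sign of HNAP on the probed port; a port number means the service is reachable from the LAN and the device belongs on the list of routers to check against the vendor's fixed firmware.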