Comments on: Which Routers Are Vulnerable to the D-Link HNAP Exploit?

By: complete blood count results

complete blood count results — Fri, 03 Sep 2010 01:36:21 +0000

The nation’s actually finicky host to job credit.

By: Samy

Samy — Tue, 20 Jul 2010 15:35:06 +0000

Hi sergiu, the problem is solved for me now so i forgot to mention that they published ther firmware update on April 14 on the German dlink ftp site: ftp://ftp.dlink.de/dir/dir-600/driver_software/DIR-600_fw_revb_203b02_ALL_de_20100316.zip

This is Firmware Version 2.03 and the prof of concept tool does no longer work on it.

By: sergiu

sergiu — Tue, 06 Jul 2010 06:43:34 +0000

nevermind … FW is available also on RO ftp …

By: sergiu

sergiu — Fri, 02 Jul 2010 08:04:15 +0000

forgot to mention: i bought DIR-600 also in Europe area on 30.06.2010 (firmware ver. 2.02)

By: sergiu

sergiu — Fri, 02 Jul 2010 07:41:34 +0000

ok Samy, can you realease to us the firmware update received from german dlink?

By: Термолидер

Термолидер — Mon, 21 Jun 2010 09:23:03 +0000

Thank you for the wonderful review!

By: Samy

Samy — Fri, 19 Mar 2010 13:31:06 +0000

I got in touch with the German dlink support and after giving them a step by step instruction on how to use the exploit script the finally admitted that there was a vulnerability and that they where able to reproduce it. I then received a firmware update which should deactivate the hidden user account on the DIR-600 making HNAP access via the standard user account impossible.

I tried it out and it seems to work. Sadly you are not able to deactivate the user account via the web-configuration. Only this Firmware update seems to work, but it is not yet publicly available on their support website neither are they publicly admitting that their is a problem with the DIR-600.

By: craig

craig — Thu, 11 Mar 2010 02:25:00 +0000

Thanks for the extra info Samy. As specified elsewhere in the paper, some D-Link routers run HNAP on port 80 while others use port 8099; it looks like the DIR-600 uses port 80 which is why specifying port 8099 doesn’t work.

If you want to know which port is being used for HNAP, browse to http://192.168.0.1/HNAP1/; if HNAP is being run on a port other than 80, it will redirect your browser to the appropriate port.

By: Samy

Samy — Sat, 06 Mar 2010 23:47:46 +0000

I have to correct myself the Version 2.01 i have installed is actually the latest release.
D-Link just calls it 2.01b01 on their german support website instead of 2.01. Aniway i did the firmware update and its the same release and vulnerable!

this is the output i get from hnap0wn when it sucessfully changed the admin password:

samy@MeanMachine:~/Downloads$ ./hnap0wn 192.168.0.1 xml/SetDeviceSettings.xml

Trying SOAPAction header exploit…

SOAPAction header exploit failed! Trying privilege escalation exploit…

REBOOT

By: Samy

Samy — Sat, 06 Mar 2010 23:22:03 +0000

Hi Craig, i am not running the latest release, i am running the pre installed Firmware Version 2.01

I will install the newer version and then test again.

I also found out that you now have a newer version of you proof of concept artikel out. You added the part that you schould specify the port “8099″ wenn trying to execute hnap0wn. I have to tell you that this new Command does not work and the script will fail with the dir-600 whereas the old command without the port 8099 and just the ip works perfectly.