D-Link Router : HNAP Privilege Escalation - Command Injection

13 April, 2015

Overview

Several of D-Link's wireless routers contain a vulnerability that allows a malicious user to escalate privileges using normally unprivileged HNAP commands. This allows them to inject arbitrary commands into the router.

References

Zhang Wei (Qihoo360 ADLAB) (Link to follow)

 

Description

An attacker who wishes to gain access to the router sends an unprivileged HNAP command such as GetDeviceSettings and appends an additional command to it, separated by a "/", which is used as a separator between commands. Any command(s) after the first will be executed unauthenticated. In addition, these appended commands are passed directly to the underlying Linux system, allowing the injection of arbitrary system commands.

The GetDeviceSettings HNAP Command is used to indicate some very common parameters (e.g. the domain name of the HNAP device), as well as to define which HNAP commands are available.
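The check below is an added detection example, not code from D-Link or from the reporter. It flags HNAP requests whose action carries anything after the first command name. It assumes the HNAP command is carried in the SOAPAction header under the http://purenetworks.com/HNAP1/ namespace and that requests are available as (source, header) pairs; the function names and sample records are hypothetical and constructed.

```python
import re

# Assumption: HNAP actions arrive in the SOAPAction header under this namespace.
HNAP_NS = "http://purenetworks.com/HNAP1/"
# A well-formed action is one bare identifier, e.g. GetDeviceSettings.
ACTION_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")


def classify_soapaction(header_value):
    """Return (verdict, detail) for one SOAPAction header value."""
    value = header_value.strip().strip('"')
    if not value.startswith(HNAP_NS):
        return ("not_hnap", value)
    action = value[len(HNAP_NS):]
    segments = action.split("/")
    if len(segments) > 1:
        # The advisory's pattern: extra command(s) after a "/" separator.
        return ("chained", segments[0])
    if not ACTION_RE.fullmatch(action):
        return ("malformed", action)
    return ("ok", action)


def scan(records):
    """Return the (source, verdict, detail) tuples that deserve review."""
    findings = []
    for source, header in records:
        verdict, detail = classify_soapaction(header)
        if verdict in ("chained", "malformed"):
            findings.append((source, verdict, detail))
    return findings


# Constructed sample records (source address, SOAPAction header value).
SAMPLE = [
    ("192.0.2.10", '"http://purenetworks.com/HNAP1/GetDeviceSettings"'),
    ("192.0.2.66", '"http://purenetworks.com/HNAP1/GetDeviceSettings/SECOND_COMMAND"'),
    ("192.0.2.67", '"http://purenetworks.com/HNAP1/Get Device"'),
    ("192.0.2.11", '"urn:example:other-service#Action"'),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The same rule can be applied at a reverse proxy or IDS in front of unpatched devices: reject any HNAP action that is not a single bare identifier.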

 

Affected Product

| Model Name | HW Version | Vulnerable FW Versions | Current FW Versions (include fixes) |
|---|---|---|---|
| DAP-1522 | B1 | 2.01B01 and older | FW: Patch 2.03B01; Patch Notes: Link (Updated: 04/25/2015) |
| DIR-300 | B1 | 2.15B01 and older | FW: Patch 2.06; Patch Notes: Link (Updated: 04/25/2015) |
| DIR-600 | B1 | 2.17B02 and older | FW: Patch 2.06; Patch Notes: Link (Updated: 04/25/2015) |
| DIR-645 | A1 | 1.04B12 and older | FW: Patch 1.05B01; Patch Notes: Link (Updated: 04/24/2015) |
| DIR-815 | B1 | 2.03B08 and older | FW: Patch 2.04B01; Patch Notes: Link (Updated: 04/24/2015) |
| DIR-816L | A1/B1 | A1: 1.00 and older; B1: 2.05B02 and older | A1 FW: Patch 1.01B01; Patch Notes: Link. B1 FW: Patch 2.06B01; Patch Notes: Link (Updated: 04/23/2015) |
| DIR-818LW | B1 | 2.03B01 and older | FW: Patch 2.05B01; Patch Notes: Link (Updated: 04/21/2015) |
| DIR-850L | A1/B1 | A1: 1.12B05 and older; B1: 2.03B01 and older | A1 FW: Patch 1.13B01; Patch Notes: Link. B1 FW: Patch 2.05B01; Patch Notes: Link (Updated: 04/24/2015) |
| DIR-860L | A1/B1 | A1: 1.09B06 and older; B1: 2.01B03 and older | A1 FW: Patch 1.10B04; Patch Notes: Link. B1 FW: Patch 2.03B03; Patch Notes: Link (Updated: 04/24/2015) |
| DIR-865L | A1 | 1.07B01 and older | FW: Patch 1.08B14; Patch Notes: Link (Updated: 04/24/2015) |
| DIR-868L | A1 | 1.10B03 and older | FW: Patch 1.10B04; Patch Notes: Link (Updated: 04/24/2015) |
| DIR-880L | A1 | 1.03b11 and older | FW: Patch 1.04B01; Patch Notes: Link (Updated: 04/20/2015) |
| DIR-890L | A1 | 1.06b01 and older | FW: Patch 1.06B04; Patch Notes: Link (Updated: 04/16/2015) |

 

Security patch for your D-Link Devices

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.

As our products come in different hardware revisions, please check the revision of your device before downloading the corresponding firmware update. The hardware revision can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device's web configuration.