Hacker Craig Heffner says D-Link has not only failed in its bid to patch its DIR-890L router but has managed to introduce a new vulnerability instead.
The Tactical Network Solutions router wrecker says D-Link's quadcopter-esque AC3200, reviewed elsewhere as " the most insane router in the history of mankind", is open to authentication bypass.
Heffner disclosed the vulnerabilities earlier this month badging it as a product with the same buggy firmware "crammed" into routers for years.
D-Link has been contacted for comment.
The Home Network Administration Protocol (HNAP) bug affects the DIR-645 and DIR-890L and centres on the incorrect use of strstr for validation which he says D-Link attempted but failed to patch.
Heffner says the router rooter failed to remove the sprintf stack overflow, the call to system, and did not as they should have used strcmp instead of strstr to validate the SOAPAction header.
"[The patch] does at least prevent users from supplying arbitrary data to sprintf and system," Heffner says in an advisory.
"However, they’ve added another sprintf to the code before the call to access; their patch to prevent an unauthenticated sprintf stack overflow includes a new unauthenticated sprintf stack overflow.
"But here’s the kicker: this patch does nothing to prevent unauthenticated users from executing completely valid administrative HNAP actions, because all it does is ensure that the HNAP action is valid. That’s right, their patch doesn’t even address all the bugs listed in their own security advisory!"
Security failures in SOHO routers are depressingly common, however borked patches that serve only to introduce new flaws are another level of failure.
D-Link patched some of its camera kit last month after an earlier mass patch run for its network boxes.
Experts agree that small home and office routers are almost universally terrible, often as a result of the focus on cost competition between feature and function-obsessed vendors. ®