
Turn off remote admin, SOHOpeless D-Link owners

HNAP stack overflow revealed

It's 2016, and D-Link still can't get its Home Network Administration Protocol (HNAP) implementation right.

In a terse advisory, the CERT Coordination Center (CERT/CC) at Carnegie Mellon says the HNAP service in D-Link's "DIR" range of routers has a stack-based buffer overflow.

“Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack. The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha”, the advisory states.

So far, the advisory says, D-Link hasn't addressed the problem, which affects its DIR-823, DIR-822, DIR-818L(W), DIR-895L, DIR-890L, DIR-885L, DIR-880L and DIR-868L units.

The only workaround is to disable remote administration.

Agile Information Security's Pedro Ribeiro reported the issue and has published a Metasploit proof-of-concept module for it.

Ribeiro explains that the vulnerable fields accept arbitrarily long strings, which the firmware copies into fixed-size buffers on the stack. The processor the vulnerable devices use, the Lextra RLX (which Ribeiro describes as "crippled MIPS cores"), can't cope, and the device crashes.

There are two ways to overflow the stack, Ribeiro writes: the first is to send a string more than 3096 bytes long in one of the vulnerable fields; the second is to overrun the stack frame of the calling function, hnap_main, with 2048 bytes or more.
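The defect class Ribeiro describes, as an added example written for this page (it is neither D-Link's firmware code nor Ribeiro's Metasploit module): a request handler that pulls the Login fields out of a SOAP body and copies them into a fixed stack buffer without checking their length, beside the bounded version that rejects an oversized field before touching the buffer. The tag-matching helper, the 64-byte buffer size, the status codes and the constructed sample Login body are all assumptions made for illustration; the page's real thresholds (more than 3096 bytes per field, 2048 or more against hnap_main) are not modelled.

```c
/*
 * Added example for this page: unbounded vs. bounded copying of HNAP Login
 * fields. Not D-Link's code and not from Ribeiro's advisory or PoC.
 * Assumptions (not from the page): FIELD_MAX, the tag names used as
 * delimiters, the status codes and the constructed sample body.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 64   /* assumed size of the fixed stack buffer; illustrative */

enum hnap_status { HNAP_OK = 0, HNAP_MISSING = 1, HNAP_TOO_LONG = 2 };

/* Locate the text between <tag> and </tag> in a SOAP body. Returns a pointer
 * to the value (not NUL-terminated) and stores its length in *len, or NULL
 * when either delimiter is missing. */
static const char *find_field(const char *body, const char *tag, size_t *len)
{
    char open[32], close[32];
    snprintf(open, sizeof open, "<%s>", tag);
    snprintf(close, sizeof close, "</%s>", tag);
    const char *start = strstr(body, open);
    if (!start) return NULL;
    start += strlen(open);
    const char *end = strstr(start, close);
    if (!end) return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* VULNERABLE pattern: the attacker controls len, and it is copied straight
 * into a FIELD_MAX-byte stack buffer. Anything longer than FIELD_MAX - 1
 * bytes overruns the frame. Kept only to show the defect; never feed it
 * untrusted input. */
int login_unchecked(const char *body)
{
    char username[FIELD_MAX];
    size_t len;
    const char *v = find_field(body, "Username", &len);
    if (!v) return HNAP_MISSING;
    memcpy(username, v, len);    /* no bound check: stack buffer overflow */
    username[len] = '\0';
    return HNAP_OK;
}

/* Hardened: check the field length against the destination before copying
 * and report an error instead of overflowing. */
int extract_bounded(const char *body, const char *tag, char *out, size_t out_sz)
{
    size_t len;
    const char *v = find_field(body, tag, &len);
    if (!v) return HNAP_MISSING;
    if (len >= out_sz) return HNAP_TOO_LONG;   /* leave room for the NUL */
    memcpy(out, v, len);
    out[len] = '\0';
    return HNAP_OK;
}

/* Bounded handling of the four fields the advisory names. Stops at the first
 * missing or oversized field. */
int login_checked(const char *body)
{
    static const char *fields[] = { "Action", "Username", "LoginPassword", "Captcha" };
    char buf[FIELD_MAX];
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        int rc = extract_bounded(body, fields[i], buf, sizeof buf);
        if (rc != HNAP_OK) return rc;
    }
    return HNAP_OK;
}

/* Constructed sample Login body (SOAP envelope omitted) whose Username is
 * username_len bytes of 'A'. Caller frees the result. */
char *make_login_body(size_t username_len)
{
    const char *head = "<Login><Action>request</Action><Username>";
    const char *tail = "</Username><LoginPassword>pw</LoginPassword>"
                       "<Captcha></Captcha></Login>";
    size_t hl = strlen(head);
    char *body = malloc(hl + username_len + strlen(tail) + 1);
    if (!body) return NULL;
    memcpy(body, head, hl);
    memset(body + hl, 'A', username_len);
    strcpy(body + hl + username_len, tail);
    return body;
}

int main(void)
{
    char *benign = make_login_body(8);
    char *oversized = make_login_body(4096);
    if (!benign || !oversized) return 1;
    printf("benign body: %d (0 = OK)\n", login_checked(benign));
    printf("oversized Username: %d (2 = rejected as too long)\n",
           login_checked(oversized));
    free(benign);
    free(oversized);
    return 0;
}
```

The point of the bounded version is that the length decision happens before any copy, so an oversized field becomes an error response rather than a corrupted stack frame; on a device that cannot tolerate the overrun, that is the difference between a rejected request and a crash.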

If this sounds familiar, it's because you've got a long memory: six years ago, SourceSec Security Research reported bugs in D-Link's HNAP implementation (PDF).

As Ribeiro notes, “D-link has a long history of vulnerabilities in HNAP”, many of them attributed to embedded device hacker Craig Heffner of dev/ttyS0. ®
