Turn off remote admin, SOHOpeless D-Link owners
HNAP stack overflow revealed
It's 2016, and D-Link still can't get its Home Network Automation Protocol (HNAP) implementation right.
In a terse advisory, the Carnegie-Mellon CERT says the HNAP service in D-Link's "DIR" range of routers has a stack-based buffer overflow.
“Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack. The vulnerable XML fields within the SOAP body are:
Action, Username, LoginPassword, and
Captcha”, the advisory states.
So far, the advisory says, D-Link hasn't addressed the problem, which affects its DIR-823, DIR-822, DIR-818L(W), DIR-895L, DIR-890L, DIR-885L, DIR-880L and DIR-868L units.
The only workaround is to disable remote administration.
Agile Information Security's Pedro Ribeiro reported the issue, and has a Metasploit proof-of-concept here.
Ribeiro explains that the vulnerable fields accept arbitrarily long string and copies them into the stack. The processor the vulnerable devices use, Lextra RLX (which Ribeiro describes as “crippled MIPS cores”, can't cope, and crash.
There are two ways to crash the stack, Ribeiro writes: the first is to send one of the vulnerable fields a string more than 3096 bytes long; the second is to overrun the stack of the calling function,
hnap_main, with 2048+ bytes.
If this sounds familiar, it's because you've got a long memory. For example, six years ago, SourceSec Security Research reported (PDF) bugs in the HNAP implementation.
As Ribeiro notes, “D-link has a long history of vulnerabilities in HNAP”, many of them attributed to embedded device hacker Craig Heffner of dev/ttyS0. ®