Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
D-Link Authentication Bypass Vulnerabilities
Posted by: SourceSec
Date: January 11, 2010 01:42PM

We've found that multiple D-Link routers suffer from insecure implementations of the Home Network Administration Protocol (HNAP) which allow unauthenticated and/or unprivileged users to view and configure administrative settings on the router.

HNAP is a SOAP-based protocol, so it is possible that an external attacker could exploit this using DNS-rebinding attacks.

Further, the mere existence of HNAP allows attackers to completely bypass the CAPTCHA login features that D-Link has made available in recent firmware releases.

We've found vulnerabilities in D-Link HNAP implementations dating back to 2006 when D-Link first started adding HNAP support to their firmware, so we suspect that most, if not all, D-Link routers since that time are vulnerable. However, only the following routers and firmware versions have been confirmed:

1) DI-524 hardware version C1, firmware version 3.23
2) DIR-628 hardware version B2, firmware versions 1.20NA and 1.22NA
3) DIR-655 hardware version A1, firmware version 1.30EA

We've written a full description of the vulnerabilities and posted POC code here: http://www.sourcesec.com/2010/01/09/d-link-routers-one-hack-to-own-them-all/

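The two defences the post above motivates, as an added Python example that is not SourceSec's PoC and not D-Link firmware code: a management interface that rejects any request whose Host header does not name the device itself (a DNS-rebound browser request carries the attacker's hostname in Host, so this check defeats that vector), and that never answers a SOAP management call without credentials (which is what closes the CAPTCHA bypass, since the SOAP path no longer sidesteps authentication). The `/HNAP1/` path, host names, SOAPAction values, sample requests and credential store are assumptions constructed for this example.

```python
"""Defensive request filter for a LAN device's SOAP management interface.

Constructed example modelling two checks for an HNAP-style interface:
  1. DNS-rebinding defence: the Host header must name the device itself.
  2. Every SOAP call to the management endpoint must carry valid
     HTTP Basic credentials; the endpoint is never reachable anonymously.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumptions for this example (not from the post): the device answers on
# these names/addresses and serves its SOAP API under /HNAP1/.
ALLOWED_HOSTS = {"192.168.0.1", "router.local"}
MGMT_PATH = "/HNAP1/"

# Constructed admin credential store: salted SHA-256 of the password.
_SALT = b"example-salt"
_USERS = {"admin": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def host_is_self(host_header):
    """DNS-rebinding check: drop any :port, require an allowlisted host.

    Bracketed IPv6 literals are out of scope for this example.
    """
    if not host_header:
        return False
    host = host_header.split(":")[0]
    return host.lower() in ALLOWED_HOSTS


def credentials_ok(auth_header):
    """Validate 'Basic base64(user:pass)' against the salted hash store."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode()
        user, _, password = raw.partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = _USERS.get(user)
    if expected is None:
        return False
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(digest, expected)


def evaluate(req):
    """Return (allowed, reason) for one request to the device."""
    if not host_is_self(req.header("Host")):
        return False, "host-mismatch"          # rebound or spoofed Host
    # Any SOAP management call, regardless of how it was reached, needs auth.
    if req.path.startswith(MGMT_PATH) or req.header("SOAPAction") is not None:
        if not credentials_ok(req.header("Authorization")):
            return False, "unauthenticated-soap"
    return True, "ok"


def _basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample traffic covering each case the post describes.
SAMPLE_REQUESTS = {
    # Host names an outside domain: the DNS-rebinding signature.
    "rebound": Request("POST", MGMT_PATH, {"Host": "evil.example.test",
                                           "SOAPAction": "urn:example:GetDeviceSettings"}),
    # Correct Host but no credentials: the unauthenticated-HNAP case.
    "anon_soap": Request("POST", MGMT_PATH, {"Host": "192.168.0.1",
                                             "SOAPAction": "urn:example:GetDeviceSettings"}),
    # Wrong password on a configuration change.
    "bad_pw": Request("POST", MGMT_PATH, {"Host": "192.168.0.1:80",
                                          "SOAPAction": "urn:example:SetDeviceSettings",
                                          "Authorization": _basic("admin", "wrong")}),
    # Properly authenticated administrative call.
    "good": Request("POST", MGMT_PATH, {"Host": "router.local",
                                        "SOAPAction": "urn:example:SetDeviceSettings",
                                        "Authorization": _basic("admin", "correct horse")}),
    # Non-SOAP status page with a correct Host: no credentials required here.
    "status": Request("GET", "/status.html", {"Host": "192.168.0.1"}),
}


def audit_all():
    """Evaluate every constructed sample; returns {name: reason}."""
    return {name: evaluate(req)[1] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, reason in audit_all().items():
        print(f"{name:10s} -> {reason}")
```

The Host check runs first on purpose: a rebound request can carry perfectly valid credentials cached by the browser, so authentication alone does not stop rebinding, and an allowlist of the device's own names is the cheap control that does.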
Re: D-Link Authentication Bypass Vulnerabilities
Posted by: rvdh
Date: January 12, 2010 06:24AM

edited post, see post by Skyphire (which is me, or was me) lol it gets complex with all these personas ;)



Edited 1 time(s). Last edit at 07/25/2010 04:22PM by rvdh.

Re: D-Link Authentication Bypass Vulnerabilities
Posted by: Albino
Date: July 24, 2010 12:18PM

Nice. And there I was feeling pleased about finding some CSRF in my DLINK. At least NoScript's ABE seems to prevent it.

What would be interesting is an intelligent CSRF bot that, given an IP, would find an accessible version of its router then use this to learn the architecture and write the CSRF code for the original target. There are too many routers to do it manually.

Re: D-Link Authentication Bypass Vulnerabilities
Posted by: Skyphire
Date: July 25, 2010 04:15PM

Here's the paper I wrote, a bit more organized: http://www.skyphire.nl/pubs/SKY-2008-03-01.txt

Re: D-Link Authentication Bypass Vulnerabilities
Posted by: Albino
Date: September 05, 2010 11:38AM

Your site appears to be down :(

Is there anywhere else I could find that file? It had some funky js in it.
