CVE-2016-6563 RCE flaw affects D-Link Routers, disable remote admin

Carnegie-Mellon CERT warns of a flawed implementation of HNAP in D-Link routers (CVE-2016-6563) that could be exploited for remote execute code.

According to the Carnegie-Mellon CERT the implementation of the Home Network Automation Protocol (HNAP) of D-Link routers is affected by a stack-based buffer overflow vulnerability tracked as  CVE-2016-6563.

The flaw could be exploited by a remote, unauthenticated attacker to execute arbitrary code with root privileges.

“Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack. The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha”, the advisory states.”, reads the advisory.

The D-Link routers affected by the CVE-2016-6563 flaw belonging to the DIR family are:

• DIR-823
• DIR-822
• DIR-818L(W)
• DIR-895L
• DIR-890L
• DIR-885L
• DIR-880L
• DIR-868L

According to the Carnegie-Mellon CERT, D-Link hasn’t fixed the problem, the only workaround is to disable remote administration.

The bad news is the availability of a Metasploit proof-of-concept exploit code published by the security expert Pedro Ribeiro from Agile Information Security.

Ribeiro explained that the issue it caused by fields accepting arbitrarily long string that are copied into the stack.

“Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol, which accepts arbitrarily long strings into certain XML parameters and then copies them into the stack. This exploit has been tested on the real devices DIR-818LW and 868L (rev. B), and it was tested using emulation on the DIR-822, 823, 880, 885, 890 and 895. Others might be affected, and this vulnerability is present in both MIPS and ARM devices.” is the description of the CVE-2016-6563 vulnerabilities provided by Ribeiro “The MIPS devices are powered by Lextra RLX processors, which are crippled MIPS cores lacking a few load and store instructions. Because of this the payloads have to be sent unencoded, which can cause them to fail, although the bind shell seems to work well. For the ARM devices, the inline reverse tcp seems to work best. Check the reference links to see the vulnerable firmware versions.”

Ribeiro discovered two methods to trigger the vulnerability, passing to a vulnerable field a string longer than 3096 bytes or overrunning the stack of the calling function, hnap_main, with 2048+ bytes.

This isn’t the first time that experts find a flaw in the D-link implementation  of the HNAP, many years ago experts at SourceSec Security Research discovered similar issues in the service.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2016-6563, D-Link Routers)