CVE-2016-6563 RCE flaw affects D-Link Routers, disable remote admin

Carnegie-Mellon CERT warns of a flawed implementation of HNAP in D-Link routers (CVE-2016-6563) that could be exploited for remote execute code.

According to the Carnegie-Mellon CERT the implementation of the Home Network Automation Protocol (HNAP) of D-Link routers is affected by a stack-based buffer overflow vulnerability tracked as CVE-2016-6563.

The flaw could be exploited by a remote, unauthenticated attacker to execute arbitrary code with root privileges.

“Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack. The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha”, the advisory states.”, reads the advisory.

The D-Link routers affected by the CVE-2016-6563 flaw belonging to the DIR family are:

DIR-823
DIR-822
DIR-818L(W)
DIR-895L
DIR-890L
DIR-885L
DIR-880L
DIR-868L

According to the Carnegie-Mellon CERT, D-Link hasn’t fixed the problem, the only workaround is to disable remote administration.

The bad news is the availability of a Metasploit proof-of-concept exploit code published by the security expert Pedro Ribeiro from Agile Information Security.

Ribeiro explained that the issue it caused by fields accepting arbitrarily long string that are copied into the stack.

“Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol, which accepts arbitrarily long strings into certain XML parameters and then copies them into the stack. This exploit has been tested on the real devices DIR-818LW and 868L (rev. B), and it was tested using emulation on the DIR-822, 823, 880, 885, 890 and 895. Others might be affected, and this vulnerability is present in both MIPS and ARM devices.” is the description of the CVE-2016-6563 vulnerabilities provided by Ribeiro “The MIPS devices are powered by Lextra RLX processors, which are crippled MIPS cores lacking a few load and store instructions. Because of this the payloads have to be sent unencoded, which can cause them to fail, although the bind shell seems to work well. For the ARM devices, the inline reverse tcp seems to work best. Check the reference links to see the vulnerable firmware versions.”

Ribeiro discovered two methods to trigger the vulnerability, passing to a vulnerable field a string longer than 3096 bytes or overrunning the stack of the calling function, hnap_main, with 2048+ bytes.

This isn’t the first time that experts find a flaw in the D-link implementation of the HNAP, many years ago experts at SourceSec Security Research discovered similar issues in the service.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2016-6563, D-Link Routers)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.