D-Link Technical Support

Home Support Forums Security Advisories Shop English | French

Security Announcement

D-Link Router : HNAP Privilege Escalation - Command Injection

Publication ID: SAP10054
Resolved Status: Partial
Published on: 10 April 2015 5:51 GMT
Last updated on: 25 April 2015 4:24 GMT

Overview

The Several of D-Link's Wireless Routers contains a vulnerability that allows a malicious user to escalate privilege using normally unprivileged HNAP commands. This allow them to inject arbitrary commands into the router.

References

Zhang Wei (Qihoo360 ADLAB) (Link to follow)

Description

An attacker who wishes to gain acces to the router sends an unprivileged HNAP command such as GetDeviceSettings, they append to the command an additional command separated with an "/", which is used as a separator between commands. Any command(s) after the first will be executed unauthenticated. Additionally, additional commands will be passed directly to the underlying Linux system, allowing the injection of arbitrary system commands.

The GetDeviceSettings HNAP Command is used to indicate some very common parameters (e.g. the domain name of the HNAP device), as well as to define which HNAP commands are available.

Affected Product

Model Name	HW Version	Vulnerable FW Versions	Current FW Versions (include fixes)
DAP-1522	B1	2.01B01 and older	FW: Patch 2.03B01 Patch Notes: Link (Updated: 04/25/2015)
DIR-300	B1	2.15B01 and older	FW: Patch 2.06 Patch Notes: Link (Updated: 04/25/2015)
DIR-600	B1	2.17B02 and older	FW: Patch 2.06 Patch Notes: Link (Updated: 04/25/2015)
DIR-629	A1	1.01 and older	FW: Patch 1.03B01-CN Patch Notes: Link (Updated: 04/25/2015)
DIR-645	A1	1.04B12 and older	FW: Patch 1.05B01 Patch Notes: Link (Updated: 04/24/2015)
DIR-815	B1	2.03B08 and older	FW: Patch 2.04B01 Patch Notes: Link (Updated: 04/24/2015)
DIR-816L	A1	1.00 and older	FW: Patch 1.01B01 Patch Notes: Link (Updated: 04/23/2015)
DIR-816L	B1	2.05B02 and older	FW: Patch 2.06B01 Patch Notes: Link (Updated: 04/22/2015)
DIR-817LW	A1	1.03B05 and older	FW: Patch 1.04B01 Patch Notes: Link (Updated: 04/22/2015)
DIR-818L	A1	1.04B03 and older	FW: Patch 1.05B01 Patch Notes: Link (Updated: 04/21/2015)
DIR-818LW	B1	2.03B01 and older	FW: Patch 2.05B01 Patch Notes: Link (Updated: 04/21/2015)
DIR-820LW	B1	2.01 and older	FW: Patch 2.03B01 Patch Notes: Link (Updated: 04/24/2015)
DIR-850L	A1/B1	A1: 1.12B05 and older B1: 2.03B01 and older	A1 FW: Patch 1.13B01 Patch Notes: Link B1 FW: Patch 2.05B01 Patch Notes: Link (Updated: 04/24/2015)
DIR-860L	A1/B1	A1: 1.09B06 and older B1: 2.01B03 and older	A1 FW: Patch 1.10B04 Patch Notes: Link B1 FW: Patch 2.03B03 Patch Notes: Link (Updated: 04/24/2015)
DIR-865L	A1	1.07B01 and older	FW: Patch 1.08B14 Patch Notes: Link Facebook Wi-Fi FW: Patch 1.07B01_FB Patch Notes: Link (Updated: 04/24/2015)
DIR-868L	A1	1.10B03 and older	FW: Patch 1.10B04 Patch Notes: Link Facebook Wi-Fi FW: Patch 1.10B04_FB Patch Notes: Link (Updated: 04/24/2015)
DIR-880L	A1	1.03b11 and older	FW: Patch 1.04B01 Facebook Wi-Fi FW: Patch 1.04B01_FB Patch Notes: Link (Updated: 04/20/2015)
DIR-890L	A1	1.06b01 and older	FW: Patch 1.06B04 Patch Notes: Link (Updated: 04/16/2015)

Security patch for your D-Link Devices

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.