D-Link Forums
The Graveyard - Products No Longer Supported => Routers / COVR => DIR-655 => Topic started by: v0idi on January 11, 2010, 03:44:37 AM
-
Hello,
I just stumbled across a blog post (http://www.sourcesec.com/2010/01/09/d-link-routers-one-hack-to-own-them-all/) which details a vulnerability in the HNAP implementation on at least the DIR-655 and a few other D-Link models as well. The vulnerability allows one to change the router settings without knowing the administrator password, and is exploitable at least on the local network.
So, has the problem been acknowledged and when can we expect a fix?
-
They will probably wiff it off by saying that as long as the exploit cannot be done from outside the local network there is "nothing to worry about". Then again, not even D-Link's staff work "in IT" by the fanboys' definition.
-
Interesting info. I am interested to see how this unfolds. I really hope the mods have the impartiality to leave this thread open, and if necessary, only delete inflammatory posts.
-
Hello,
I just stumbled across a blog post (http://www.sourcesec.com/2010/01/09/d-link-routers-one-hack-to-own-them-all/) which details a vulnerability in the HNAP implementation on at least the DIR-655 and a few other D-Link models as well. The vulnerability allows one to change the router settings without knowing the administrator password, and is exploitable at least on the local network.
So, has the problem been acknowledged and when can we expect a fix?
Kinda funny, take a look here as well.
http://www.pcworld.com/businesscenter/article/186996/dlink_issues_fixes_for_router_vulnerabilities.html
Yet I have not seen one single patch yet.. Great going D-Link..
-
Get the utility and try it.
I believe we patched that a long time ago. That website is reporting on things from like six months ago.
-
Get the utility and try it.
I believe we patched that a long time ago. That website is reporting on things from like six months ago.
That's strange. If you look at the original poster's post, it wasn't 6 months ago that this was posted there either. They are not the only site who posted this as well.
-
Look at the full write up. It states what firmwares are actually affected.
1.20 for the 655? That's OLD.
And it's 1.20EU, not even a North American firmware.
-
They also refer to a DI-524 and a DI-624M. It's old code and the site is just looking to report on anything.
-
I am going to make a post on there and ask them why they are posting news from 6 months ago like you claim... This way it's linked back to here and they can get the facts straight...
-
Did you read the full write up? It lists the firmwares they tested.
Also I think you mean (here) not hear?
-
Why would pcworld post stories from 6 months ago if these were not true?
-
You're avoiding the question. I can't comment on what they do. What I can comment on is the FULL WRITEUP. Which I read and CLEARLY notes OLD firmware.
-
Have you tested the tool? Cause it clearly works...
-
You tested it? We're looking into it now. That's why I asked. What were the results of your test?
-
You said this was patched... But yet....
"D-Link Corp. today admitted that some of its routers have a vulnerability that could allow hackers access to a device's administrative settings."
January 15, 2010 11:28 AM ET
-
Again, we're testing. I based the statement on the firmware and the testing they ran. I went ahead and located a Linux machine to run the test through.
I said I believe it was patched. Again I was looking for someone that had confirmed that the hole still posed a threat, not an argument.
-
Lycan-
I don't know how you keep your cool in these forums. I've read through most of the topics last night and there are soooo many haters right now. Everyone needs to be a little more constructive with their criticism. "you guys suck", "worst company ever", "don't know what you're doing", are worthless criticisms. I understand that you guys are currently working on the DIR-655 patch and am patiently waiting for it. Please keep the rest of us "who actually enjoy D-Link products" up to date on the next release.
Thanks,
BR
-
I'm not trying to argue, it's the internet.. If it was real life then it would be different ;) but you make it seem that way when you go and correct someone over spelling they made a mistake on.. I was pointing things out so they could get patched, nothing more nothing less.
-
I wasn't sure if you misspoke and meant hear or just used the wrong here.
We'll test against the vulnerability and report the findings to PM.
-
After testing this we have determined that the script doesn't appear to allow the user to adjust settings. We're investigating this further.
-
Post any information regarding this topic to:
http://forums.dlink.com/index.php?topic=10458.0
Keeping the posts unified makes it easier to monitor than searching for multiple threads.