Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[amy]

After news came out about the vulnerability of d-link routers to a hnap attack described by SourceSec.com I read trough the article on the SourceSec homepage and tried their exploit tool hnap0wn on my own DIR-600. I was shocked that it worked even tough SourceSec didn't mention the DIR-600 in their article.

I thought OK at least D-Link knows about this vulnerability now because of the SourceSec article and they probably will provide me with a Firmware update in the near future. So I started to regularly check for an update on their German support website.

You can imagine that I was even more shocked when I found out that D-Link was indeed providing Firmware updates for the DIR-635 (HW-Revision B), DIR-655 (HW-Revision A), DIR-855 (HW-Revision A2) and DIR-615 (HW-Revision B1-B3) but not for the DIR-600, because they said that they “proactively” tested it and found out that it is not vulnerable.

They still (19.03.10) have their statement online saying the DIR-600 is not vulnerable.
http://www.dlink.de/cs/Satellite?c=Page&childpagename=DLinkEurope-DE%2FDLTechNews&cid=1197318958161&p=1197318958161&pagename=DLinkEurope-DE%2FDLWrapper

I then contacted the German support and after giving an step by step explanation on how to use the hnap0wn script to change the admin password without authentication they where able to reproduce the attack and provided me with an Firmware update that closes the vulnerability. I will upload it in this thread after I asked  the support for permission.

the vunerable firmware Version i tested was version 2.01 which is the most recent version on the support website. They fixed version they gave me is named 2.03.


Technical stuff:
In the meanwhile you can test if your DIR-600 is vulnerable by typing “http://192.168.0.1/HNAP1/” inside your browser address field if you get an xml document with a lot of SOAP actions as a response your router supports the hnap protocol.
Then you should try if the hidden user account is active on your router. Go to your router configuration site and type for User Name:”user” and leave the password blank. You should then be able to see most of the router configuration but wont be able to change anything.

The vulnerability that hnap0wn exploits is the fact that on the DIR-600 it is sufficient to provide the standard user account as authentication when sending an SOAP action request. There is an more detailed explanation in this article: http://www.sourcesec.com/Lab/dlink_hnap_captcha.pdf

if you want to try out the proof of concept tool provided by SourceSec remember to not specify the port 8099 and instead type ./hnap0wn 192.168.0.1 xml/SetDeviceSettings.xml because hnap only works on port 80 on the DIR-600.

[amy]

Ok, great news the new fixed firmware is now publicly available on the german dlink ftp site you can download it via the following link
ftp://ftp.dlink.de/dir/dir-600/driver_software/DIR-600_fw_revb_203b02_ALL_de_20100225.zip

I have to say that the german D-links support was very helpfull and quick in responding to my complaint.

[f41thr]

Ok, great news the new fixed firmware is now publicly available on the german dlink ftp site you can download it via the following link
ftp://ftp.dlink.de/dir/dir-600/driver_software/DIR-600_fw_revb_203b02_ALL_de_20100225.zip

I have to say that the german D-links support was very helpfull and quick in responding to my complaint.

Just upgrade to 2.03 but this won't fix the issue with Log Settings. On my 600 it is not possible to select the Log Level settings. Tic boxes are greyed out.

F41THR