After news came out about the vulnerability of D-Link routers to an HNAP attack described by SourceSec.com, I read through the article on the SourceSec homepage and tried their exploit tool hnap0wn on my own DIR-600. I was shocked that it worked, even though SourceSec didn't mention the DIR-600 in their article.
I thought, OK, at least D-Link knows about this vulnerability now because of the SourceSec article, and they will probably provide me with a firmware update in the near future. So I started to regularly check for an update on their German support website.
You can imagine that I was even more shocked when I found out that D-Link was indeed providing Firmware updates for the DIR-635 (HW-Revision B), DIR-655 (HW-Revision A), DIR-855 (HW-Revision A2) and DIR-615 (HW-Revision B1-B3) but not for the DIR-600, because they said that they “proactively” tested it and found out that it is not vulnerable.
They still (19.03.10) have their statement online saying the DIR-600 is not vulnerable.
http://www.dlink.de/cs/Satellite?c=Page&childpagename=DLinkEurope-DE%2FDLTechNews&cid=1197318958161&p=1197318958161&pagename=DLinkEurope-DE%2FDLWrapper
I then contacted the German support, and after I gave a step-by-step explanation of how to use the hnap0wn script to change the admin password without authentication, they were able to reproduce the attack and provided me with a firmware update that closes the vulnerability. I will upload it in this thread after I have asked the support for permission.
The vulnerable firmware version I tested was version 2.01, which is the most recent version on the support website. The fixed version they gave me is named 2.03.
Technical stuff:
In the meantime, you can test whether your DIR-600 is vulnerable by typing “http://192.168.0.1/HNAP1/” into your browser's address field. If you get an XML document with a lot of SOAP actions as a response, your router supports the HNAP protocol.
Then you should check whether the hidden user account is active on your router. Go to your router configuration site, type “user” as the User Name and leave the password blank. You should then be able to see most of the router configuration but won't be able to change anything.
The vulnerability that hnap0wn exploits is the fact that on the DIR-600 it is sufficient to provide the standard user account as authentication when sending a SOAP action request. There is a more detailed explanation in this article:
http://www.sourcesec.com/Lab/dlink_hnap_captcha.pdf
If you want to try out the proof-of-concept tool provided by SourceSec, remember not to specify the port 8099 and instead type ./hnap0wn 192.168.0.1 xml/SetDeviceSettings.xml because HNAP only works on port 80 on the DIR-600.
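The browser check described above can be scripted for auditing your own routers. This is an added example, not part of the original post or of SourceSec's tool: it only reads the /HNAP1/ listing and reports the model, firmware version and advertised SOAP actions. The element names (ModelName, FirmwareVersion, SOAPActions/string) and the purenetworks.com namespace are assumptions about the listing format, and the sample response is constructed.

```python
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of an HNAP action listing; not captured from a real device.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
<ModelName>DIR-600</ModelName>
<FirmwareVersion>2.01</FirmwareVersion>
<SOAPActions>
<string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>
<string>http://purenetworks.com/HNAP1/SetDeviceSettings</string>
</SOAPActions>
</GetDeviceSettingsResponse>
</soap:Body>
</soap:Envelope>"""

def summarize_hnap(body):
    """Return a summary dict for an HNAP action listing, or None for anything else."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None  # empty body, plain text, or an HTML error/login page
    info = {"model": None, "firmware": None, "actions": []}
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        text = (el.text or "").strip()
        if name == "ModelName":
            info["model"] = text
        elif name == "FirmwareVersion":
            info["firmware"] = text
        elif name == "string" and "/HNAP1/" in text:
            info["actions"].append(text.rsplit("/", 1)[-1])
    if not info["actions"]:
        return None  # well-formed XML, but no SOAP actions advertised
    # Set* actions change configuration, so list them separately.
    info["state_changing"] = [a for a in info["actions"] if a.startswith("Set")]
    return info

def fetch(host, timeout=5):  # unauthenticated GET on port 80, read capped at 256 KiB
    try:
        with urllib.request.urlopen(f"http://{host}/HNAP1/", timeout=timeout) as r:
            return r.read(262144)
    except OSError:
        return b""  # refused, timed out, or HTTP error: treated as no HNAP
if __name__ == "__main__":
    body = fetch(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(summarize_hnap(body) or "no HNAP action listing returned")
```

Run it with the router's address as the only argument; without an argument it parses the constructed sample.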