Vulnerability Note VU#677427
D-Link routers HNAP service contains stack-based buffer overflow
Original Release date: 07 Nov 2016 | Last revised: 10 Nov 2016

Overview
D-Link DIR routers contain a stack-based buffer overflow in the HNAP Login action.

Description
CWE-121: Stack-based Buffer Overflow – CVE-2016-6563
Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack.

The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha.

CVE-2016-6563 appears to affect:

DIR-823
DIR-822
DIR-818L(W)
DIR-895L
DIR-890L
DIR-885L
DIR-880L
DIR-868L

Impact
A remote, unauthenticated attacker may be able to execute arbitrary code with root privileges.

Solution
Apply an update

D-Link has released firmware updates to address the vulnerabilities in affected routers. Please see their announcement.
If you are unable to update your device, please see the following workarounds:
Restrict Access

As a general good security practice, only allow connections from trusted hosts and networks.

Additionally, you may wish to disable remote administration of the router.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedD-Link Systems, Inc.Affected12 Sep 201627 Oct 2016If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal
8.0
E:POC/RL:W/RC:ND

Environmental
6.0
CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

http://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10066
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-hnap-login.txt
https://cwe.mitre.org/data/definitions/121.html

Credit

Thanks to Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security for reporting this vulnerability.
This document was written by Trent Novelly.

Other Information

CVE IDs:
CVE-2016-6563

Date Public:
07 Nov 2016

Date First Published:
07 Nov 2016

Date Last Updated:
10 Nov 2016

Document Revision:
18

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply