Source: KsanderDN via Shutterstock

Researchers have released an exploit for a zero-day security flaw in a family of D-Link routers that can allow attackers to take over devices and execute commands with root privileges.

The SSD Secure Disclosure team of researchers released a proof-of-concept exploit for a flaw associated with the handling of HNAP login requests in D-Link DIR-X4860 routers, according to a blog post published on May 14. The vulnerability can be exploited as part of a chain of vulnerabilities to achieve device takeover.

"Security vulnerabilities in DIR-X4860 allow remote unauthenticated attackers that can access the HNAP port to gain elevated privileges and run commands as root," according to the post, attributed to "Noamr" of the SSD team. "By combining an authentication bypass with command execution the device can be completely compromised."

The most serious flaw results from the lack of proper implementation of the authentication algorithm in the router's handling of HNAP login requests. HNAP is a SOAP-based protocol for the identification, configuration, and management of network devices.

"The issue results from the lack of proper implementation of the authentication algorithm," according to the post. "An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the router."

No Response, No Patch

The HNAP flaw and exploit chain, discovered by an undisclosed researcher with the SSD team, affects DIR-x4860 devices running the DIRX4860A1_FWV1.04B03 firmware. The line of routers is aimed for use in the home, but compromise can affect corporate networks through users of a remote workforce.

SSD reached out three times in the past month to D-Link about the issue; however, so far they have not received a response, according to the post. D-Link did not immediately reply to a Dark Reading request for comment today.

D-Link flaws can pose a serious risk for those using vulnerable devices and have potentially a broad reach. Past vulnerabilities have been exploited to wrangle devices into a botnet and steal sensitive data from network attached storage (NAS) devices. The company itself also has been the victim of a significant security breach in the past that exposed source code and customer data.

The Attack Chain

SSD provided a step-by-step process for bypassing authentication and then exploiting the HNAP flaw. They also published supporting proof-of-concept documentation that others can use to exploit the chain of flaws.

The first step in the process is to send a specially crafted HNAP login request and await response, which returns the response data: Challenge, Cookie, PublicKey. An attacker can use these to values to create a legitimate password for the admin account, the researchers said.

"The Cookie is used as the cookie header for all subsequent HTTP requests, while Challenge and PublicKey are used to encrypt the password and generate HNAP_AUTH authentication in the HTTP header," according to the post.

They can then proceed to find a vulnerability in the /bin/prog.cgi file, where it occurs in the function that handles the login request. Typically, this request would retrieve a password and then generate a private key, but this doesn't occur here.

"When the PrivateLogin parameter is included in the request, and the value of the PrivateLogin parameter is 'Username,' then the PrivateKey is generated from the value of the Username parameter," which is as an administrator, Noamr wrote.

This means that if an attacker performs a login request, "admin" can be used as the password to calculate the relevant data without knowing the real password to bypass login authentication.

Specifics of HNAP Flaw

The HNAP flaw exists within prog.cgi, "which handles HNAP requests made to the lighttpd webserver listening on TCP ports 80 and 443," according to the post.

"The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call," Noamr wrote. "An attacker can leverage this vulnerability to execute code in the context of root.

Specifically, the vulnerability lies in the file /bin/prog.cgi in the function that handles the SetVirtualServerSettings. "The LocalIPAddress parameter is controlled by the attacker, and then a call to the FCGI_popen function can cause command injection," according to the post.

Without D-Link's response, the researchers have "no way of knowing how to mitigate this vulnerability," says an SSD representative to Dark Reading.
"Several emails sent to D-Link went unanswered, and we felt there was no way to get the attention this vulnerability deserves without making it public," the spokesperson says, adding that the company responded more promptly to vulnerability disclosures in the past.

A separate published report on the flaw noted that users of an affected device can avoid exploitation by disabling its remote access management interface.