D-Link’s failed patch for DIR-890L router adds a new hole

Prolific hacker Craig Heffner, who has a particular interest in hacking embedded devices, has recently documented the existence of a command injection bug in the firmware of D-Link’s DIR-890L router. He then discovered that the same bug was flagged in the DIR-645 by another researcher and patched by D-Link earlier this year.

Four days later, D-Link issued the same patch for the DIR-890L (the two patches are identical), and Heffner decided to see whether it works. He claims that it doesn’t.

“Although I focused on command injection in my previous post, this patch addresses multiple security bugs, all of which stem from the use of strstr to validate the HNAP SOAPAction header: use of unauthenticated user data in a call to system (command injection); use of unauthenticated user data in a call to sprintf (stack overflow); and unauthenticated users can execute privileged HNAP actions,” says Heffner, adding that D-Link was clearly aware of all three attack vectors, as it acknowledged them in their security advisories.

“Their fix to all these fundamental problems is to use the access function to verify that the SOAPAction is a valid, expected action by ensuring that the file /etc/templates/hnap/.php exists. However, they’ve added another sprintf to the code before the call to access; their patch to prevent an unauthenticated sprintf stack overflow includes a new unauthenticated sprintf stack overflow,” he noted.

“But here’s the kicker: this patch does nothing to prevent unauthenticated users from executing completely valid administrative HNAP actions, because all it does is ensure that the HNAP action is valid. That’s right, their patch doesn’t even address all the bugs listed in their own security advisory!”
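As an added example (not D-Link's firmware code and not Heffner's), here is a C validator for the SOAPAction header that does what the patch described above fails to do: it bounds the action name before any formatting, matches it exactly against an allowlist rather than with a strstr substring search, and refuses privileged actions for unauthenticated callers. The HNAP namespace prefix, the action names and their privilege flags are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
/* Constructed example, not D-Link firmware code. The HNAP namespace
 * prefix and the action names/privilege flags are assumptions. */
#define ACTION_MAX        32   /* longest allowlisted action + NUL */
#define TEMPLATE_PATH_MAX 64   /* "/etc/templates/hnap/" + action + ".php" + NUL */

enum { HNAP_OK = 0, HNAP_BAD_ACTION = 1, HNAP_AUTH_REQUIRED = 2 };

/* Allowlist: which actions exist and which need an authenticated session. */
static const struct { const char *name; bool privileged; } actions[] = {
    { "GetDeviceSettings", false },
    { "Login",             false },
    { "SetDeviceSettings", true  },
    { "Reboot",            true  },
};

/* Validate a SOAPAction header of the assumed form
 *   http://purenetworks.com/HNAP1/<Action>
 * and on success write the template path into `out`. Unlike a
 * strstr() + sprintf() + access() sequence this anchors the match at
 * offset 0, bounds the action length before anything is copied, accepts
 * only exact allowlist matches, and gates privileged actions on auth. */
int hnap_validate_action(const char *header, bool authenticated,
                         char *out, size_t out_len)
{
    static const char prefix[] = "http://purenetworks.com/HNAP1/";
    const size_t plen = sizeof prefix - 1;
    if (header == NULL || out == NULL || out_len < TEMPLATE_PATH_MAX)
        return HNAP_BAD_ACTION;
    if (strncmp(header, prefix, plen) != 0)      /* prefix, not substring */
        return HNAP_BAD_ACTION;
    const char *name = header + plen;
    const char *nul = memchr(name, '\0', ACTION_MAX);
    if (nul == NULL || nul == name)              /* too long or empty */
        return HNAP_BAD_ACTION;
    for (size_t i = 0; i < sizeof actions / sizeof actions[0]; i++) {
        if (strcmp(name, actions[i].name) != 0)
            continue;                            /* exact match only */
        if (actions[i].privileged && !authenticated)
            return HNAP_AUTH_REQUIRED;           /* the check the patch lacks */
        /* Bounded format of a known-good name; no caller bytes reach the path. */
        snprintf(out, out_len, "/etc/templates/hnap/%s.php", actions[i].name);
        return HNAP_OK;
    }
    return HNAP_BAD_ACTION;
}
```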

D-Link is yet to comment on this claim.
