
Tuesday, June 29, 2010

D-Link from Starhub will NEVER fix the HNAP vulnerability?

Earlier this year, in January, SourceSec Security Research published an exploit which is in fact just a SOAP packet that allows users to set the admin password (from the LAN, unless someone finds a way to use HNAP over the WAN) on some routers. I have reasons to believe that it is in fact all routers supporting HNAP.

The details:
http://www.sourcesec.com/tag/hnap/

D-Link replied and stated some things which I think were stupid, such as that it can only be exploited with the software (which, as I see it, does nothing more than inject a SOAP packet, because there is no authentication). I believe anyone with some SOAP knowledge is able to just send the packet over or simply run the bash scripts available on the website.

The argument about which firmware is affected probably stems from an oversight by the security researcher, but D-Link should spend more time checking which firmware versions are affected instead of checking which of the listed firmware versions did not exist!

BUT, this is the best part. Singapore telco Starhub has a promotion for its users to get D-Link products (for free, I guess), and D-Link has even created a special page for Starhub users.

Here is the "Download" page for the Starhub equipment on D-Link:
http://www.dlink.com.sg/Starhub/downloads.asp

The best part is, look at those firmware versions. They are ancient! The link still works, but it seems like this page is totally forgotten and they will probably not update it any further. What this means is that all Starhub users who follow this link will believe that this is the latest firmware available for their routers. Take the DIR-655, for example. The vulnerability is only fixed in 1.33NA, which has the following update notes:

¤ Fixed: Correct HNAP issue.
¤ Fixed: DNS relay issue ( WAN Slowdown )
¤ Added: Advanced DNS descriptions


And we still have 1.11 on the Starhub page. To add some damage to this, 1.33NA is essentially for North America. I had tried looking for 1.33WW (World Wide) and the only thing that came close is from the Russian FTP site, which may very well end up giving you a Russian web interface (unconfirmed).
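To make the 1.11 versus 1.33NA gap concrete, here is an added example (not from the original post or from D-Link) that reads the model and firmware version out of an HNAP device-settings reply and compares them with the fixed release quoted above. The XML layout, the namespace and the function names are assumptions, and the sample reply is constructed rather than captured from a device.

```python
import re
import xml.etree.ElementTree as ET

HNAP_NS = "{http://purenetworks.com/HNAP1/}"  # assumption: HNAP 1.x namespace

# First firmware carrying the HNAP fix, per the release notes quoted above.
FIXED = {"DIR-655": (1, 33)}

# Constructed sample reply, not captured from a real device.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <ModelName>DIR-655</ModelName>
      <FirmwareVersion>1.11</FirmwareVersion>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>"""

def parse_version(text):
    """Split '1.33NA' into ((1, 33), 'NA'); the region suffix is optional."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*([A-Za-z]*)\s*", text or "")
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return (int(m.group(1)), int(m.group(2))), m.group(3).upper()

def device_info(xml_text):
    """Return (model, firmware) as reported in the reply, or None if absent."""
    root = ET.fromstring(xml_text)
    model = root.findtext(f".//{HNAP_NS}ModelName")
    firmware = root.findtext(f".//{HNAP_NS}FirmwareVersion")
    return model, firmware

def hnap_status(model, firmware):
    """'fixed', 'vulnerable', or 'unknown' when model or version is not recognised."""
    if model not in FIXED:
        return "unknown"
    try:
        version, _region = parse_version(firmware)
    except ValueError:
        return "unknown"
    # Compare numerically, ignoring the region suffix (NA, WW, ...).
    return "fixed" if version >= FIXED[model] else "vulnerable"

if __name__ == "__main__":
    model, fw = device_info(SAMPLE)
    print(model, fw, hnap_status(model, fw))
```

Models missing from the `FIXED` table come back as `unknown` rather than `fixed`, since the release notes quoted here only cover the DIR-655.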

Has D-Link forsaken the rest of the world on DIR-655? Well, share your thoughts here in the comments.


Copyright © 2008 nemesisv.blogspot.com, All rights reserved.