Hidden admin access on D-Link routers
According to a posting on the SourceSec Security Research web page, many – potentially all – of the router models D-Link has marketed since 2006 are affected by a flawed implementation of the Home Network Administration Protocol (HNAP). Local and external attackers can reportedly exploit the flaw to gain access to the router's network settings.
According to SourceSec, the D-Link routers include both a regular administrative interface and an HNAP connection that can't be disabled. SourceSec say they have verified that this administrative access via HTTP is vulnerable in the DI-524, DIR-628 and DIR-655 routers, allowing attackers to edit the router's administrative settings and take full control of all network traffic.
While the SOAP-based HNAP does require basic admin authentication, said the security firm, some D-Link routers allow the "GetDeviceSettings" SOAP action to be executed without authentication, which reportedly enables attackers to bypass the security mechanisms and execute other unauthorised SOAP actions. Although other D-Link routers are reportedly not affected by this vulnerability, SourceSec say that attackers can instead exploit the usually ignored user account (login: user, no password) on these routers. The security firm describes further details in a paper; a sample exploit called HNAP0wn can also be found on their website.
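From the monitoring side, the two conditions described above (an HNAP action arriving with no credentials, and an HNAP action authenticated as the passwordless "user" account) can be flagged in captured HTTP request heads. The following is an added example, not code from SourceSec or D-Link. It assumes the `/HNAP1/` endpoint path, the `SOAPAction` header and the namespace URL as given in the HNAP specification, and request heads recorded by a proxy or IDS in front of the router; the sample requests are constructed.

```python
import base64

HNAP_PATH = "/HNAP1/"  # assumption: endpoint path per the HNAP specification

def parse_head(raw):
    """Split a raw HTTP request head into (path, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    path = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers

def basic_credentials(value):
    """Return (user, password) from a Basic Authorization value, else None."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    user, _, password = decoded.partition(":")
    return user, password

def classify(raw):
    """Return findings for one request; an empty list means nothing to report."""
    path, headers = parse_head(raw)
    if not path.startswith(HNAP_PATH):
        return []
    action = headers.get("soapaction", "").strip('"').rsplit("/", 1)[-1] or "(none)"
    auth = headers.get("authorization")
    if auth is None:
        return [f"HNAP action without credentials: {action}"]
    if basic_credentials(auth) == ("user", ""):
        return [f"HNAP action from passwordless 'user' account: {action}"]
    return []

# Constructed sample request heads (not captured traffic).
SOAP = 'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"'
def sample(path, *extra):
    return "\r\n".join([f"POST {path} HTTP/1.1", "Host: 192.0.2.1", *extra])

SAMPLES = [
    sample("/HNAP1/", SOAP),
    sample("/HNAP1/", SOAP, "Authorization: Basic " + base64.b64encode(b"user:").decode()),
    sample("/HNAP1/", SOAP, "Authorization: Basic " + base64.b64encode(b"admin:constructed-pw").decode()),
]
RESULTS = [classify(r) for r in SAMPLES]
```

A request that carries other credentials produces no finding here; whether those credentials should be reaching the HNAP endpoint at all is a separate policy question for the network in front of the router.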