
D-Link router user? Keep your ears and eyes open for the next firmware fixes!

A critical bug that leaves various D-Link routers wide open has apparently been patched... ...except that the patches need patches. Watch out!

If you’re a D-Link router user, keep your eyes and ears open for the next round of firmware fixes.

The company is apparently scrambling to fix a long-standing bug revealed earlier this month by keen router security researcher Craig of /dev/ttys0.

Unfortunately, it sounds as though the first round of patches for this bug didn’t actually fix the problem, and the next round of patches-to-the-patches isn’t quite ready as we write this.

Of course, even when they are available, many users may be slow to apply them, or even to realise that they’re available.

The bug is caused, quite literally, by three misplaced letters.

The D-Link programmers wrote strstr() where they should have written strcmp().

If that sounds like gobbledegook to you, don’t worry: here’s a quick explanation.

HNAP in brief

D-Link routers support a feature called HNAP (Home Network Administration Protocol), which sounds like exactly what you need to administer a home router.

To prevent just anyone from playing around with the settings on your router, however, you need to authenticate before you use it, meaning that you have to provide a secret password.

Requiring a password is a jolly good idea, because it authorises you to perform HNAP commands such as: SetWanSettings, AddPortMapping, SetWLanRadioSettings, FirmwareUpload and Reboot.

These commands, in order, let you: configure the external (WAN) connection; open up connections into your network from the outside; change the Wi-Fi radio settings; and upload new firmware and reboot, in other words reconfigure the router completely.

Powerful stuff for an unauthenticated crook, which is why you have to be authenticated first.

Sadly, there is one command that doesn’t require authentication: GetDeviceSettings.

We say “sadly” because it’s the lines of code that exempt that command from needing the password that contain the bug.

The programmers tried to verify that the command you sent in was exactly GetDeviceSettings.

If it was, then they would skip the password check.

Usually, in C, you check whether two text strings are the same using strcmp(X,Y), short for “string compare of X and Y,” which returns zero only when the two strings match exactly.

But the coders wrote strstr(X,Y) instead, short for “string search,” which answers a different question: “does string X contain string Y anywhere inside it?”

Once they’ve decided whether to require a password or not, the programmers process the command by chopping its name off the end of the HTTP request and deciding what to do based on that text alone.

What happens next

You can see what happens next.

You send a command that contains the text GetDeviceSettings, but ends with the text, say, DoSomethingImportant.

The system will let you DoSomethingImportant, but will skip the password check because the request also contains GetDeviceSettings.

If you like, putting the string GetDeviceSettings into the middle of a command is a sort of skeleton key to HNAP.

Command injection

Worse still, you can actually persuade the router to run any Linux system command that you put at the end of the HTTP request, not just commands listed officially in the HNAP specification.

In other words, sticking the string GetDeviceSettings into the middle of a command is a sort of skeleton key to anything and everything on the router.

In penetration testing parlance, that’s known as command injection, for rather obvious reasons.

In the slightly garbled prose [quoted verbatim below] of D-Link’s own security advisory:

An attacker who wishes to gain acces to the router sends an unprivileged HNAP command such as GetDeviceSettings, they append to the command an additional command separated with an "/", which is used as a separator between commands. Any command(s) after the first will be executed unauthenticated. Additionally, additional commands will be passed directly to the underlying Linux system, allowing the injection of arbitrary system commands.
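To make the two halves of the bug concrete, the strstr() authentication check and the chop-the-command-off-the-end dispatch, here is a toy dispatcher in C. It is an added example constructed for this article, not D-Link’s firmware code and not Craig’s: the command names are the ones listed above and the “/” separator comes from D-Link’s advisory, but the request layout, the function names and the allow-list are assumptions of the example, and the injected command is recorded rather than executed so the program is safe to run.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy HNAP-style dispatcher, constructed for this article: it is NOT
 * D-Link's firmware code.  It reproduces the bug pattern described above
 * (strstr() where strcmp() was meant, then executing whatever text sits
 * at the end of the request) beside a hardened version.  The request
 * format "Command" or "Command/Command" and the '/' separator follow
 * D-Link's advisory; everything else is an assumption of this example. */

/* Privileged commands the password is meant to protect (from the article). */
static const char *const privileged[] = {
    "SetWanSettings", "AddPortMapping", "SetWLanRadioSettings",
    "FirmwareUpload", "Reboot",
};
#define NPRIV (sizeof privileged / sizeof privileged[0])

enum result { DENIED, RAN_PUBLIC, RAN_PRIVILEGED, INJECTED_SHELL };

/* Vulnerable check: strstr() answers "does the action CONTAIN
 * GetDeviceSettings?", so the word anywhere in the request waives auth. */
static bool auth_required_vuln(const char *action)
{
    return strstr(action, "GetDeviceSettings") == NULL;
}

/* Intended check: strcmp() answers "IS the action exactly GetDeviceSettings?"
 * Remember that strcmp() returns 0 on a match, another classic source of bugs. */
static bool auth_required_fixed(const char *action)
{
    return strcmp(action, "GetDeviceSettings") != 0;
}

/* The article: the command is chopped off the END of the request.
 * Here that is the text after the last '/', or the whole string. */
static const char *last_segment(const char *action)
{
    const char *slash = strrchr(action, '/');
    return slash ? slash + 1 : action;
}

/* What the vulnerable dispatcher would have handed to the OS.  The example
 * records it here instead of calling system(), so it is safe to run. */
static char injected[128];
const char *injected_command(void) { return injected; }

/* Vulnerable dispatcher: auth decision on the WHOLE request, execution of
 * its LAST segment, unknown text passed straight to the system shell. */
enum result dispatch_vuln(const char *action, bool have_password)
{
    injected[0] = '\0';
    if (auth_required_vuln(action) && !have_password)
        return DENIED;
    const char *cmd = last_segment(action);
    if (strcmp(cmd, "GetDeviceSettings") == 0)
        return RAN_PUBLIC;
    for (size_t i = 0; i < NPRIV; i++)
        if (strcmp(cmd, privileged[i]) == 0)
            return RAN_PRIVILEGED;
    snprintf(injected, sizeof injected, "%s", cmd); /* the command injection */
    return INJECTED_SHELL;
}

/* Hardened dispatcher: exact match on the whole request, the single
 * public command is the only thing that skips the password, and anything
 * not on the allow-list is rejected rather than executed. */
enum result dispatch_fixed(const char *action, bool have_password)
{
    if (!auth_required_fixed(action))
        return RAN_PUBLIC;
    if (!have_password)
        return DENIED;
    for (size_t i = 0; i < NPRIV; i++)
        if (strcmp(action, privileged[i]) == 0)
            return RAN_PRIVILEGED;
    return DENIED; /* unknown or compound command: refuse */
}

int main(void)
{
    /* Constructed probes, all sent WITHOUT a password. */
    const char *probes[] = { "GetDeviceSettings", "Reboot",
                             "GetDeviceSettings/Reboot", "GetDeviceSettings/id" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        enum result v = dispatch_vuln(probes[i], false);
        enum result f = dispatch_fixed(probes[i], false);
        printf("%-26s vulnerable=%d fixed=%d injected=\"%s\"\n",
               probes[i], v, f, injected_command());
    }
    return 0;
}
```

Send GetDeviceSettings/Reboot without a password and the vulnerable dispatcher runs Reboot, because strstr() found GetDeviceSettings somewhere in the request; GetDeviceSettings/id is not an HNAP command at all, so it ends up queued for the shell. The fixed version treats the whole request as the command name, so anything other than exactly GetDeviceSettings needs the password, and anything not on the allow-list is refused even with it.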

Worst of all, there is no workaround while you wait for the patches: Craig says that he hasn’t been able to find a way to disable HNAP.

Presumably, it’s so important for setting up and using your router that turning it off would be like blocking up the fuel filler cap in your car: good for theoretical safety, but not much practical use in real life.

What to do?

• If your router supports it, consider using a community-based open source firmware like OpenWRT.

Like most vendor firmware, the community versions are Linux based, but are generally much more modular, meaning you can leave out parts you don’t need.

• If you don’t want to, or can’t, switch firmware, consider setting up a dedicated network security gateway.

You can use a commercial quality product between your insecure router and your home network to backfill the security you are missing in your SoHo product. Example: Sophos UTM Home Edition, which is 100% free. (Many routers are also modems, and can’t simply be replaced by a dedicated gateway product.)

• Whatever firmware or router you use, check for and install updates promptly.

Home routers have been plagued over the years by bugs that may open up your entire home network to crooks.

Yet many of us, even if we are quick with Windows or OS X updates, are slow to sort out our routers.

• If you are doing string handling in C, be super-careful when you write your own code.

And be super-scrupulous when you are reviewing other people’s code.

Even severe bugs are often subtle enough that they look correct at first sight.


Comments

Is there a list of the routers affected?
Does this apply to all DLink routers, or only the ones with wifi?
I have an old basic router, no wifi.
I have forgotten and misplaced the password for it. Is there any way to retrieve it? Like the method in your article?


The security advisory we link to in the article (the one that the quote is lifted from) is probably the best place to go.

It lists 17 affected models – if I counted correctly :-) – and gives estimated dates when the patches will be coming out for each model.

As for a forgotten password, it should be possible, given physical access to the router, to do a “hard reset”, for example by holding down a special button while the router powers up. This should at least let you connect to the router’s management web pages via a directly-wired network cable, and reconfigure it so it works again.

You should be able to come up with details on how to reset your particular model with a bit of online digging around. (Sounds like a good opportunity to give OpenWRT a try. If your router supports it, reflashing with OpenWRT is effectively a “hard reset,” so they’ll have instructions on how to do that. You can always go back to D-Link firmware later if you want.)


Thanks, my router model is not on the list. I was able to reset my router like you said, although I only had to press the reset button for a second.


“Of course, even when they are available, many users may be slow to apply them, or even to realise that they’re available.”

I had a D-Link router some years ago (a DIR-600, one of those mentioned in the list at D-Link, via your link; surprised that it still gets updates, I know it is still sold, but the way they treated it some years ago one would think they considered it having reached EOL), and then it sometimes didn’t matter that you knew one (firmware update) was available, you had to hunt it down! If it wasn’t available on the, in this case, Scandinavian support page you might find it on the German, or Czech etc. A joke.

We saw a case of HNAP issue in relation to D-Link in 2010; initially nothing was mentioned related to DIR-600 on the Scandinavian page, though it was mentioned on the German support page, and later that year you could find an updated firmware via a German FTP page hosted by D-Link, as well as in Australia, New Zealand, Italy and Poland.

But months later you could still not find it on the Scandinavian page. I do realise that there are differences depending on region, for example another HW version had been sold in the US, but I don’t think there would be any differences within Europe, apart from language packs.

That one, in 2010, was supposed to fix:
1. Fix the issue that DIR-600 doesn’t update the security settings in web UI when client is connected over WPS PIN method.
2. Fix the HNAP security issue that the malware “hnap0wn” can change the security setting of Administrator.

A background for that one; someone apparently contacted D-Link in Germany. http://forums.dlink.com/index.php?topic=12061.0

Later that year, 2010, there were reports about another security problem with DIR-300, apparently similar to DIR-600, and lo and behold, a firmware was released late that year for DIR-600, it could be found in Czech, not in Scandinavia or Sweden.

In December 2011 we learned about the WPS debacle, hitting just about any vendor using it, and updates started to pop up in the beginning of 2012. Anything for DIR-600? It took time; again Germany saw some, this time, two-step firmware that could be used for HW version B1, but nothing in Sweden.

In December that year, 2012, a year after the major vulnerability in WPS was announced, you could only find version 2.01 and 2.10 on the Swedish support page; that is, the first firmware version for revision B1 and revision B5, more or less what customers got out of the box. A joke! Later on a new firmware update for other security issues, 2012/2013, somehow managed to severely slow my broadband speed, so I moved on to another brand. (And at the time, the alternative, DD-WRT for DIR-600, didn’t help much; download speed also went down to 50%.)

So, it took time to get security updates created in the first place; then when they “arrived” it might take time before you could do an update to the router; and updates could be introducing new problems, as seen above. Great! (And I was a user that cared enough to track down those firmware updates.)

I don’t think this is just D-Link having sloppily written firmware; I guess a majority of SOHO routers, no matter the price, are seeing this, in some way or the other, as mentioned among other places in this blog. They do put a lot of effort into the design and adding features, home clouds, apps and what not, but getting the basics right seems to be of no interest. As always, an educated buyer can put some pressure to move things in the right direction. The companies are perfectly happy receiving money from their customers, but when it comes to support it seems like the customers have to do most of the work.

