Recently, SourceSec Security Research announced on its blog that they have discovered a vulnerability in D-Link routers that allows outsiders and insiders to access and edit the router settings without having to use admin login credentials.
This is possible because the routers expose an additional administrative interface that uses the (insecurely implemented) Home Network Administration Protocol (HNAP). The mere presence of HNAP on the routers is enough to allow attackers to bypass the CAPTCHA login protection.
They have issued a detailed report in which they state which D-Link routers are vulnerable (DI-524, DIR-628 and DIR-655) and the code required to take advantage of the flaw. They also made available the proof-of-concept tool for executing the attack.
According to ZDNet UK, about a week later D-Link acknowledged the vulnerability in three of its routers, but not the three that SourceSec named. D-Link claimed that the tool SourceSec provided is the only way to exploit the vulnerability, because running the published code by itself doesn’t do the trick. D-Link also criticized SourceSec’s decision to make the flaw public AND release software to take advantage of it, saying that this has put many of D-Link’s customers in danger. In the meantime, D-Link has uploaded patches to its websites.
It didn’t take long for SourceSec to post a rebuttal: they dispute some of D-Link’s information about which appliances are vulnerable and point out that, of course, they haven’t tested all of the D-Link routers. They also maintain that the code can be used with any piece of software that can make Web requests.