D-Link Fails at Strings

Small Office and Home Office (SOHO) wireless routers have terrible security. That’s nothing new. But it is somewhat sad that manufacturers just keep repurposing the same broken firmware. Case in point: D-Link’s new DIR-890L, which looks like a turtled hexapod. [Craig] looked behind the odd case and grabbed the latest firmware for this device from D-Link’s website. Then he found a serious vulnerability.

D-Link's DIR-890 Router

The usual process was applied to the firmware image. Extract it, run binwalk to find the various contents of the firmware image, and then extract the root filesystem. This contains all the code that runs the router’s various services.

The CGI scripts are an obvious place to poke for issues. [Colin] disassembled the single executable that handles all CGI requests and started looking at the code that handles Home Network Administration Protocol (HNAP) requests. The first find was that system commands were being built using HNAP data. The data wasn’t being sanitized, so all that was needed was a way to bypass authentication.

This is where D-Link made a major error. They wanted to allow one specific URL to not require authentication. Seems simple, compare string A to string B and ensure they match. But they used the strstr function. This will return true if string A contains string B. Oops.

So authentication can be bypassed, telnetd can be started, and voila: a root shell on D-Link’s most pyramid-shaped router. Oh, and you can’t disable HNAP. May we suggest OpenWrt or dd-wrt?

32 thoughts on “D-Link Fails at Strings

  1. I buy all routers with the express purpose of putting an open source firmware on it. if I can’t do that with the router, then I will not buy it. Even then I don’t totally feel safe anymore.

    1. Same here, OpenWrt FTW.

      Still it’s a shame we don’t always get best performance out of the hardware (HNAT for example). 802.11ac support is still quite wonky (few atheros devices, maybe some blob drivers for broadcom).

      1. What’s the big deal with hardware NAT? I’ve toyed with it, and I immediately convinced myself that it’s not a thing that I’m interested in: Immediately gone was all of the QoS goodness that I’ve been using for aeons to keep the household happy, whether gaming or Netflixing or torrenting — all at once. (Yay Tomato!)

        Maybe if I had Google Fiber I’d be looking seriously at hardware NAT (since the bottleneck would almost always be very far downstream and completely out of my hands anyway), but at the moment I get better real-world performance without it.

        That said, I’m still confused as to why it matters about security flaws in New-Hotness router: Why is it routing at all? As long as WPA is secure and the thing is firewalled, who cares?

        Step 1: Buy a router to route, and let it do its NAT routing thing using a somewhat-trustworthy open firmware and let it do 802.11b/g if it suits you (2.4GHz 802.11n is almost always a mistake). It’s easy to find a very fast router with good open third-party firmware, if all you care about is routing performance and 802.11b/g. (An old WRT54GS or GL will do fine on for these roles on my 18/1.5Mbps VDSL, even with QoS rules, and my current Asus RT-N16 hardly even notices that it is routing. YMMV.)

        Step 2: Buy an 802.11ac access point, and let it be an access point, using whatever firmware, and keep it behind the firewall implicit in step 1.

        Please note: Step 2 might involve a COTS thing that calls itself a “router,” but which becomes an access point once its own DHCP server is disabled. Bonus points for plugging it into your somewhat-trusted (step 1) router and hiding it in plain sight. Start by putting it on its own logical subnet, VLAN, or physical subnet — be creative.

    1. I doubt OpenWRT works properly with this router. 802.11ac support is still pretty bad and the driver they do have doesn’t work 100% yet according to the forum.

      Pretty much all consumer routers aren’t actually designed by the companies that sell them. They’ll buy in a premade design for hardware + firmware from somebody like Sercomm and then put it into a fancy case + brand it. The original firmware will have horrendous code + flaws and then whoever is contracted to mod the firmware for the company will add their own screw ups. It is also why they tend not to have glaring issues and flaws fixed.

  2. Why doesn’t he just sign a contract w/ Cisco or D-Link sometime and remove all these sprintf bugs? That would be a funny awkward meeting to see. Jesus, I bet he has a picture of both companies in his room like Ray Finkel lol “laces out! die dan die!”.

    Kidding, routers are too important for closed source firmware w/ most likely forced backdoors (even though practically no one will read it and actually understand it all).

    1. And really that’s the same reason open source has it’s flaws as well. 9/10 people will simply download the open source software and install it with a script having no clue what is in the code. So all it would take is for someone to insert nefarious, but clever backdoors into the code and you are worse off than D-Link because at least you can sue D-Link for doing it.

      And trust me, open source has holes and flaws just like anything else. You could argue that, yeah, but it’s open source so people will close them. And so will D-Link and the rest when they discover them. But with open source, again, 9/10 would have no clue how to even re-compile the firmware themselves so they will have to wait on others to patch the holes.

      The truth is with Linux even, 9/10 simply install it COTS from a script. Most linux users have no clue how to create a kernel or even secure their systems after the install and instead rely on the default settings.

      It boils down to an elitist attitude and that’s all. The only reason Linux is more secure is because nobody really writes viruses for linux because it isn’t installed on 99% of the computers in the world. If it was, it would be the target. Common sense.

  3. I am pretty happy with my Asus AC66U (iirc). Apparently ASUS took open source router software, customized it, rebooted the user interface and released it open source.

    There’s even an open source derivative firmware called Merlin that patches in advanced functionality on top of official firmware. In fact there’s been a symbiotic relationship between the two. I believe some of Merlins features were introduced into later official firmware.

    I have this router and have been pleased with its performance, features, and stability. Supports AC fine.

    Don’t like it’s firmware? install your favorite flavor of open source firmware. The hardware is capable.

  4. Most of the routers these days use bits and pieces of Open Source code and because of GPL, the vendors usually have the source code available. The memory prices are no longer the weak excuse that they would revert to closed source kernel (see the old Cisco with some of their later WRT54* revs).

    Strangely enough that this particular model from D-Link didn’t show up in their GPL website. Not sure why, but it is something that people can ask D-Link about.
    http://tsd.dlink.com.tw/GPL.asp

    Just have to google gpl or open source with the name of the router vendors if you want to mess around with the source code before you complain about these things in general. If/when the source code are available, then the “community” could have fixed these issues, right? Can’t have it both ways.

    1. Anyone who follows the gpl-violations mailing list will know that getting the correct source code (i.e. the bits they need to release in order to be compliant with the licenses) for many of these routers is very difficult. Many many companies continue to violate the GPL and it takes a lot of work by various entities to get the companies to comply.

  5. And this would be exhibit A as to why I abandoned consumer routers altogether. Lately I’ve just been taking old boxes, throwing some extra NICs in there and slapping OpenBSD on top. So what if I don’t get a UI to manipulate it, at least I’m immune to ridiculous bugs like this. For the longest time I was using a machine I picked up from Goodwill for $25 (133 Mhz p-II, 256 MB RAM and a 10 GB Hard disk) and slapped in a couple 10/100 NICs and a PCI 802.11g card. The thing ran perfectly until the motherboard finally kicked (a couple caps blew an shorted out the power pins on the north bridge). Bought an old P-4 system to replace it for another $20. So much cheaper than even a standard “router”.

      1. pfsense is ok for some things but I’m seeing some issues, lately. for one, there’s no good way to re-get a public side (north) dhcp addr. web gui won’t do it, cli won’t do it. rebooting does it, though, but that’s harsh. and it has no powerfail protection ;( it used to but not anymore. if I power it off abruptly, it does not recover gracefully! the whole web gui ‘goes away’ and many things break on reboot. you have to do a full install again!!!

        I’m about ready to give up on this POS and go back to linux for my firewall router. with voyage linux, at least, its mounted readonly at boot and you can pull power at any time and not reliable boots again next time. pfsense totally misses that aspect and so for a firewall, it falls short.

        the dhcp thing is my big problem with pfsense, though. if I reboot my cable modem, I need my firewall to get a new dhcp and it won’t unless I reboot IT.

        1. PF sense is just a copy of OpenBSD’s PF firewall daemon, except lobotomized. In OpenBSD it would be a simple matter of encasing the name of the external interface in parenthesis in the rule set and then just running dhclient on the console…

          I’ve never like GUI-based systems anyway, just one more thing to produce holes and fail when all I want to do is change some settings. I prefer to see the daemon restart rather than a dialog box saying “Restarting, please wait”

    1. There are many embedded x86 options as well, many of them a few years old and pretty affordable. I routinely troll eBay for used PC Engines and Soekris boxes. If you need more throughput, pick up a Mini-ITX board and add a multiport Ethernet card.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s