D-Link DIR routers contain a stack-based buffer overflow in the HNAP Login action

Vulnerability

The HNAP SOAP protocol on affected D-Link DIR routers (DIR-823, DIR-822, DIR-818L(W), DIR-895L, DIR-890L, DIR-885L, DIR-880L, DIR-868L, DIR-850L) contains a stack-based buffer overflow when processing malformed SOAP messages during the HNAP Login action. The vulnerable XML fields are Action, Username, LoginPassword, and Captcha [1][2]. This vulnerability is present in both MIPS and ARM devices [1].

Exploitation

An unauthenticated attacker on the LAN can send a crafted SOAP request to port 80 with overly long strings in the vulnerable XML fields, causing a stack buffer overflow. The Metasploit module demonstrates exploitation by sending a payload that overwrites the return address [1]. No authentication is required; the attacker only needs network access to the router's web interface.

Impact

Successful exploitation allows remote code execution with root privileges [2]. The attacker gains full control over the router, enabling traffic interception, device reconfiguration, or use as a pivot point.

Mitigation

D-Link has released firmware updates to address the vulnerability; users should apply the latest firmware for their specific model [2]. As a workaround, restrict access to the router's web interface to trusted hosts and disable remote administration if not needed [2]. No KEV listing is noted.