Hacker warns that implemented fixes are not effective

Apr 15, 2015 10:10 GMT
“sprintf()” function is followed by a call to “access(),” generating a new buffer overflow

The current firmware releases for D-Link’s DIR-890L and DIR-645 router models, touted to deliver security fixes, do not patch flaws acknowledged by the company, a hacker affirms.

Firmware build 1.06.B01 for DIR-890L and 1.04.B13 Beta for DIR-645 were published on Tuesday and should address a bug with the HNAP (Home Network Administration Protocol) that could be exploited to inject arbitrary commands into the router, without prior authentication.

Additionally, in the case of DIR-645, a buffer overflow vulnerability exists, and according to a security advisory updated on Tuesday by the manufacturer, the problem was eliminated.

Attackers could change router settings

However, on a blog dedicated to hacking embedded devices, a hacker says that the two releases are identical and the modifications included do not solve the acknowledged security problems.

The hacker examined only the firmware for DIR-890L and said that an unauthenticated user could still inject commands through the data passed to a call to “system,” and that executing administrative HNAP actions was still not restricted, as long as the requested actions were valid ones.

A malicious actor could send queries about the hosts present on the internal network, as well as access and modify system settings or reset the device to factory defaults.

Plugging one hole generated another

He also draws attention to the fact that although arbitrary data can no longer be delivered to the “sprintf” and “system” functions, the developers’ solution is not effective because it introduces another buffer overflow vulnerability in “sprintf.”

“However, they’ve added another ‘sprintf’ to the code before the call to ‘access;’ their patch to prevent an unauthenticated ‘sprintf’ stack overflow includes a new unauthenticated ‘sprintf’ stack overflow,” the hacker wrote in a blog post on Tuesday.
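As an added illustration (not code from the article or from D-Link’s firmware), the pattern the post describes, shown in C: an unbounded “sprintf” that formats a request-supplied name into a fixed stack buffer ahead of “access,” next to a bounded version that validates the name and checks for truncation before the path is used. WEB_ROOT, PATH_BUF and the function names are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed illustration: a handler builds a file path from a name taken
 * out of an unauthenticated request and then calls access() on it.
 * WEB_ROOT, PATH_BUF and the function names are assumptions. */
#define WEB_ROOT "/htdocs/web/"
#define PATH_BUF 64

/* The pattern the post describes: sprintf() writes into a fixed stack
 * buffer with no length limit, so a request name longer than the buffer
 * overruns the frame before access() is ever reached. Shown only for
 * contrast; it must not be called with untrusted input. */
int page_exists_unsafe(const char *req_name)
{
    char path[PATH_BUF];
    sprintf(path, "%s%s.xml", WEB_ROOT, req_name);   /* unbounded copy */
    return access(path, F_OK) == 0;
}

/* Hardened form: validate before formatting, bound the copy, and treat
 * truncation as a failure. Returns 0 and fills `out` on success, -1 if
 * the name is rejected. Split out so the policy is testable offline. */
int build_page_path(const char *req_name, char *out, size_t out_len)
{
    size_t fixed = strlen(WEB_ROOT) + strlen(".xml");
    if (out == NULL || out_len <= fixed + 1)
        return -1;                                 /* buffer too small */
    size_t max_name = out_len - fixed - 1;

    if (req_name == NULL || req_name[0] == '\0')
        return -1;
    if (strlen(req_name) > max_name)
        return -1;                                 /* would not fit */
    if (strchr(req_name, '/') || strstr(req_name, ".."))
        return -1;                                 /* stay under WEB_ROOT */

    int n = snprintf(out, out_len, "%s%s.xml", WEB_ROOT, req_name);
    if (n < 0 || (size_t)n >= out_len)
        return -1;                                 /* truncated: never use */
    return 0;
}

int page_exists_safe(const char *req_name)
{
    char path[PATH_BUF];
    if (build_page_path(req_name, path, sizeof path) != 0)
        return 0;                                  /* rejected, not found */
    return access(path, F_OK) == 0;
}
```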

The command injection bug affects multiple router models, for which firmware builds with the fixes are still under development.

According to the security bulletin from D-Link, the issues in the case of DIR-645 firmware have been fully resolved. The same document for DIR-890L, however, shows that the problems have been resolved only partially.