D-Link DIR-806 Devices Command Injection

By

D-Link Corporation is a multinational networking equipment manufacturing corporation headquartered in Taipei, Taiwan. D-Link’s products are geared towards the networking and communications market. Its business products include switches, surveillance network cameras, firewalls, iSCSI SANs and business wireless, while consumer products cover consumer wireless devices, broadband devices, and the Digital Home devices. DIR-806 is a wireless AC750 dual band router and access point

An issue was discovered in D-Link DIR-806 devices. There is command injection in function hnap_main, which calls system() without checking the parameter that can be controlled by user, and finally allows remote attackers to execute arbitrary shell commands with a special HTTP header.
While this vulnerability is a couple years old, SonicWall Capture Labs threat research team recently spotted attacks exploiting this vulnerability in the wild.

Command Injection Vulnerability
The goal of command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation

D-Link DIR-806 Devices Command Injection| CVE-2019-10891
A command injection vulnerability exists in D-Link routers.
Following are some exploits in the wild. The Home Network Administration Protocol(HNAP) allows querying and setting of configuration options on network devices . It is based on SOAP therefore an attacker can send HTTP POST messages with a special header Soapaction.

This header is used to download malicious payload(in this case it is wget.sh file) from an attacker controlled server. The attacker then executes the malicious script on the vulnerable device.

This vulnerability is patched.

SonicWall Capture Labs provides protection against this threat via following signatures:

    • IPS 15501:D-Link DIR-806 Devices Command Injection
    • IPS 13635:D-Link Devices HNAP SOAPAction-Header Command Injection

IoCs
dcf241331018349c57d5636cc4076676727364178bf75fd5fc4003969e866b2a
6182e41e66eac130893d600836e6957dd28ffeded793a2b71aebd6ec947ca358
47b396259c4b24091e7bedb876bbac6658768cd6b70826322388d1bb1de33f11
bba1631d1891c9d62bd1a48d5b064ba1b1e65563b237c7bff4afbd049f2c5fa1

Threat graph

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.