Monday, March 1, 2010

D-Link router with HNAP vulnerability


A flawed implementation of the Home Network Administration Protocol (HNAP) reportedly allows attackers to gain unauthorised admin access to numerous D-Link router models.
On its web pages, SourceSec Security Research claims to have found a flaw in D-Link’s CAPTCHA implementation: a way to view and edit D-Link router settings without any administrative credentials.
Simply put, D-Link routers have a second administrative interface, which uses the Home Network Administration Protocol. While HNAP does require basic authentication, the mere existence of HNAP on D-Link routers allows attackers and malware to bypass CAPTCHA “security”. Further, HNAP authentication is not properly implemented, allowing anyone to view and edit administrative settings on the router.
For a detailed vulnerability summary, see the PDF.
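For defenders, one way to see whether the HNAP interface described above is being reached, and from where, is to look for requests to its path in HTTP logs. This is an added example, not code from the original post or from SourceSec; the `/HNAP1/` path comes from the HNAP specification rather than this page, and the log lines and LAN range are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed access-log lines, as a sensor in front of the router might record.
SAMPLE_LOG = """\
192.168.0.23 - - [01/Mar/2010:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120
192.168.0.23 - - [01/Mar/2010:09:14:09 +0000] "POST /HNAP1/ HTTP/1.1" 200 2381
203.0.113.50 - - [01/Mar/2010:09:20:41 +0000] "POST /hnap1/ HTTP/1.1" 200 2381
203.0.113.50 - - [01/Mar/2010:09:20:44 +0000] "POST /HNAP1/ HTTP/1.1" 401 312
198.51.100.7 - - [01/Mar/2010:09:31:10 +0000] "GET /HNAP1 HTTP/1.1" 200 2381
192.168.0.40 - - [01/Mar/2010:09:40:00 +0000] "GET /docs/HNAP1-notes.txt HTTP/1.1" 404 0
not a log line
"""
LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed LAN range; adjust to yours
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# HNAP is served from one fixed path; match it as the whole first path segment.
HNAP_PATH_RE = re.compile(r'^/HNAP1(/|\?|$)', re.IGNORECASE)


def find_hnap_requests(log_text):
    """Map each source IP to {'external': bool, 'hits': [(ts, method, status)]}."""
    findings = defaultdict(lambda: {"external": False, "hits": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not HNAP_PATH_RE.match(m["path"]):
            continue
        try:
            addr = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # source field is not an IP address
        entry = findings[m["src"]]
        entry["external"] = addr not in LAN
        entry["hits"].append((m["ts"], m["method"], int(m["status"])))
    return dict(findings)


def external_successes(findings):
    """Sources outside the LAN that received a 2xx answer from the HNAP path."""
    return sorted(src for src, e in findings.items()
                  if e["external"] and any(200 <= s < 300 for _, _, s in e["hits"]))


if __name__ == "__main__":
    found = find_hnap_requests(SAMPLE_LOG)
    for src, e in sorted(found.items()):
        print(src, "EXTERNAL" if e["external"] else "lan", e["hits"])
    print("external sources answered by HNAP:", external_successes(found))
```

A 2xx status here only shows that the HNAP path answered the request; any such answer to a source outside the LAN is worth following up by restricting WAN-side management or checking for updated firmware.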