CVE-2016-6563
Published 2018-07-13
Priority: P1 · 86 · Critical, CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 79.95% (99.6th percentile)
Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack in some D-Link DIR routers. The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha. The following products are affected: DIR-823, DIR-822, DIR-818L(W), DIR-895L, DIR-890L, DIR-885L, DIR-880L, DIR-868L, and DIR-850L.
Detection & IOCs (extracted from sources)
Suricata rule (ET Open, sid 2020899; written in Suricata sticky-buffer syntax, so it will not load unchanged as a Snort rule):
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution"; flow:established,to_server; http.method; content:"POST"; http.request_header; header_lowercase; content:"soapaction|3a|"; startswith; content:"http|3a|//purenetworks.com/HNAP1/"; distance:0; fast_pattern; pcre:"/^(?:[^\x2f]+?[\x2f])?[^\x2f]/R"; reference:url,devttys0.com/2015/04/hacking-the-d-link-dir-890l/; reference:cve,2016-6563; classtype:attempted-admin; sid:2020899; rev:6; metadata:created_at 2015_04_13, cve CVE_2016_6563, confidence Medium, signature_severity Major, updated_at 2024_04_20;)
Bytes: \xff\xff\xff\xff (integer 'n' overwrite at offset 1024 in the ARM payload)
- The SOAP body fields to inspect for abnormally long strings are Action, Username, LoginPassword and Captcha.
- A check probe is an HTTP POST to /HNAP1/ with SOAPAction 'http://purenetworks.com/HNAP1/Login' that is answered with HTTP 500; the Metasploit module uses that response to fingerprint vulnerable devices.
- The ARM exploitation stage fetches a payload ELF into /tmp/ with wget and executes it; monitor for wget activity from D-Link router processes writing to /tmp/ followed by chmod and execution.
- The exploit is pre-authentication and targets port 80 on the LAN interface; anomalously large SOAP body fields in HNAP Login requests from LAN hosts should be treated as suspicious.
- The ARM ROP chain overwrites the saved PC with a gadget from libuClibc-0.9.32.1.so at an assumed libc base of 0x400DA000. Because the ARM devices randomize that base, the module resends the same chain until its guess matches, so a burst of repeated oversized HNAP Login requests is a stronger indicator than a single occurrence of 0x400DA000 in memory or a crash dump.
- The MIPS libc base address is hardcoded and claimed to be the same across all firmware versions and all affected MIPS routers; ARM exploitation, by contrast, relies on brute-forcing ASLR (up to 15 minutes) because the base address varies.
- MIPS payloads must be sent unencoded (Raw encoder) because the Lextra RLX processor lacks certain load/store instructions; encoded payloads fail with SIGILL.
- ARM stager payloads (reverse/bind shell stagers) fail; only the inline reverse TCP shell is reliable on ARM targets. Mettle also fails standalone on ARM unless run under strace or gdb.
- The Metasploit module requires the Aggressive stance and runs in the foreground for ARM targets, so it blocks the handler during exploitation.
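Added example (not code from this page, from the ET rule, or from the Metasploit module): a small Python classifier that applies the two detection ideas above to raw HTTP requests. It first mirrors the ET 2020899 match, which fires on any HNAP action named in the SOAPAction header (hence the rule's Medium confidence), and then, for Login requests only, extracts the Action, Username, LoginPassword and Captcha fields and flags any that are oversized. A strict XML parse is attempted first; because the advisory describes the triggering messages as malformed, a tolerant regex fallback handles bodies that do not parse. The sample requests, the 192.168.0.1 host and the 1024-byte threshold are constructed assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

HNAP_NS = "http://purenetworks.com/HNAP1/"
LOGIN_FIELDS = ("Action", "Username", "LoginPassword", "Captcha")
MAX_FIELD_LEN = 1024  # assumed threshold for this example; real logins are tens of bytes


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, lowercased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def et_rule_matches(method: str, headers: dict) -> bool:
    """Mirror of ET sid 2020899: a POST whose SOAPAction header starts with the HNAP
    namespace and names an action. It matches every HNAP action, not only Login,
    which is why the rule is tagged 'confidence Medium'."""
    if method != "POST":
        return False
    soapaction = headers.get("soapaction", "").strip('"')
    if not soapaction.startswith(HNAP_NS):
        return False
    rest = soapaction[len(HNAP_NS):]
    # Same shape as the rule's pcre "/^(?:[^\x2f]+?[\x2f])?[^\x2f]/R"
    return re.match(r"^(?:[^/]+?/)?[^/]", rest) is not None


def login_fields(body: bytes) -> dict:
    """Return the Login fields present in a SOAP body. A strict XML parse is tried
    first; malformed bodies fall back to a tolerant regex over the raw text."""
    fields = {}
    try:
        for el in ET.fromstring(body).iter():
            local = str(el.tag).rsplit("}", 1)[-1]
            if local in LOGIN_FIELDS:
                fields[local] = el.text or ""
    except ET.ParseError:
        text = body.decode("latin-1")
        for name in LOGIN_FIELDS:
            m = re.search(rf"<{name}>(.*?)</{name}>", text, re.DOTALL)
            if m:
                fields[name] = m.group(1)
    return fields


def classify(raw: bytes) -> dict:
    """Verdict for one request: 'overflow_attempt', 'hnap_request' or 'other'."""
    method, _path, headers, body = parse_request(raw)
    rule_hit = et_rule_matches(method, headers)
    action = headers.get("soapaction", "").strip('"')[len(HNAP_NS):] if rule_hit else ""
    oversized = {}
    if action == "Login":
        oversized = {k: len(v) for k, v in login_fields(body).items() if len(v) > MAX_FIELD_LEN}
    verdict = "overflow_attempt" if oversized else ("hnap_request" if rule_hit else "other")
    return {"verdict": verdict, "et_rule": rule_hit, "action": action, "oversized": oversized}


# --- constructed sample traffic (not captured from a real device) ---
def hnap_post(action: str, body: bytes) -> bytes:
    head = ("POST /HNAP1/ HTTP/1.1\r\nHost: 192.168.0.1\r\n"
            f'SOAPAction: "{HNAP_NS}{action}"\r\n'
            "Content-Type: text/xml; charset=utf-8\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


def login_body(username: str, password: str, action: str = "request", captcha: str = "") -> bytes:
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        f'<soap:Body><Login xmlns="{HNAP_NS}"><Action>{action}</Action>'
        f"<Username>{username}</Username><LoginPassword>{password}</LoginPassword>"
        f"<Captcha>{captcha}</Captcha></Login></soap:Body></soap:Envelope>"
    ).encode()


BENIGN_LOGIN = hnap_post("Login", login_body("Admin", "password"))
OVERFLOW_LOGIN = hnap_post("Login", login_body("A" * 2000, "x"))  # oversized Username
MALFORMED_LOGIN = hnap_post("Login", b"<Login><Username>" + b"B" * 3000 + b"</Username>")
OTHER_HNAP = hnap_post("GetDeviceSettings", b"")
PLAIN_GET = b"GET /HNAP1/ HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("benign login", BENIGN_LOGIN), ("overflow login", OVERFLOW_LOGIN),
                      ("malformed login", MALFORMED_LOGIN), ("other HNAP", OTHER_HNAP),
                      ("plain GET", PLAIN_GET)]:
        print(f"{name:16s} -> {classify(req)}")
```

Running it shows the difference between the two layers: the benign Login and the GetDeviceSettings request both come back as hnap_request (the ET rule alone cannot tell them apart), while only the requests carrying a multi-kilobyte Login field are reported as overflow_attempt, including the malformed one that the XML parser rejects.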
CVSS provenance
NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-2237-8cw9-xj7q (ghsa_unreviewed, 2022-05-13) · CVE-2016-6563 · CRITICAL · CWE-119
Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack in some D-Link DIR routers.
VulnCheck
D-Link dir-823_firmware Stack-based Buffer Overflow (vulncheck, 2016, CVSS 9.8 CRITICAL)
Affected: D-Link dir-823_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
https://info.greynoise.io/hubfs/resources/GreyNoise-2025-Mass-Internet-Exploitation-Report.pdf
https://www.bitsight.com/blog/rondodox-botnet-infrastructure-ana
Suricata
ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution (suricata, created 2015-04-13, sid 2020899); the rule text is given above under Detection & IOCs.
Exploit-DB
D-Link DIR-Series Routers - HNAP Login Stack Buffer Overflow (Metasploit) (exploitdb, 2016-11-21)
---
    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    require 'msf/core'

    # Payload working status:
    # MIPS:
    # - all valid payloads working (the ones that we are able to send without null bytes)
    # ARM:
    # - inline rev/bind shell works (bind... meh sometimes)
    # - stager rev/bind shell FAIL
    # - mettle rev/bind fails with sigsegv standalone, but works under strace or gdb...
    class MetasploitModule < Msf::Exploit::Remote
      # ...
      def initialize(info = {})
        super(update_info(info,
          'Name'        => 'Dlink DIR Routers Unauthenticated HNAP Login Stack Buffer Overflow',
          'Description' => %q{
            Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which
            is exposed on the LAN interface on port 80. This vulner
Metasploit
Dlink DIR Routers Unauthenticated HNAP Login Stack Buffer Overflow (metasploit)
Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol, which accepts arbitrarily long strings into certain XML parameters and then copies them into the stack. This exploit has been tested on the real devices DIR-818LW and 868L (rev. B), and it was tested using emulation on the DIR-822, 823, 880, 885, 890 and 895. Others might be affected, and this vulnerability is present in both MIPS and ARM devices. The MIPS devices are powered by Lextra RLX processors, which are crippled MIPS cores lacking a few load and store instructions. Because of this the payloads have to be sent unencoded, which can
References:
http://seclists.org/fulldisclosure/2016/Nov/38
http://www.securityfocus.com/bid/94130
https://www.exploit-db.com/exploits/40805/
https://www.kb.cert.org/vuls/id/677427