cbcvebase.
CVE-2016-6563
published 2018-07-13


Priority: P1 86 · critical · 9.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 79.95% (99.6th percentile)
Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack in some D-Link DIR routers. The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha. The following products are affected: DIR-823, DIR-822, DIR-818L(W), DIR-895L, DIR-890L, DIR-885L, DIR-880L, DIR-868L, and DIR-850L.

Detection & IOCs (extracted from sources)

url: /HNAP1/
url: http://purenetworks.com/HNAP1/Login
snort:
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution"; flow:established,to_server; http.method; content:"POST"; http.request_header; header_lowercase; content:"soapaction|3a|"; startswith; content:"http|3a|//purenetworks.com/HNAP1/"; distance:0; fast_pattern; pcre:"/^(?:[^\x2f]+?[\x2f])?[^\x2f]/R"; reference:url,devttys0.com/2015/04/hacking-the-d-link-dir-890l/; reference:cve,2016-6563; classtype:attempted-admin; sid:2020899; rev:6; metadata:created_at 2015_04_13, cve CVE_2016_6563, confidence Medium, signature_severity Major, updated_at 2024_04_20;)
bytes: \xff\xff\xff\xff (an integer overwrite at offset 1024 in the ARM payload)
  • The vulnerable XML fields within the SOAP body to inspect for abnormally long strings are: Action, Username, LoginPassword, and Captcha.
  • A check probe can be identified by an HTTP POST to /HNAP1/ with SOAPAction 'http://purenetworks.com/HNAP1/Login' that returns HTTP 500; the Metasploit module uses this to fingerprint vulnerable devices.
  • The ARM exploitation stage drops a payload ELF binary to /tmp/ via wget and executes it; monitor for wget activity originating from D-Link router processes writing to /tmp/ followed by chmod and execution.
  • The exploit is pre-authentication and targets port 80 on the LAN interface; anomalously large SOAP body fields in HNAP Login requests from LAN hosts should be treated as suspicious.
  • The ARM ROP chain overwrites the saved PC with a gadget from libuClibc-0.9.32.1.so; presence of the libc base address 0x400DA000 in memory or crash dumps is indicative of exploitation attempts against ARM targets.
  • The MIPS libc base address is hardcoded and claimed to be the same across all firmware versions and all affected MIPS routers; however, ARM exploitation relies on ASLR brute-forcing (up to 15 minutes) because the base address varies.
  • MIPS payloads must be sent unencoded (Raw encoder) because the Lextra RLX processor lacks certain load/store instructions; encoded payloads will fail with SIGILL.
  • ARM stager payloads (reverse/bind shell stagers) fail; only the inline reverse TCP shell is reliable for ARM targets. Mettle also fails standalone on ARM unless run under strace/gdb.
  • The Metasploit module requires the Aggressive stance to run in the foreground for ARM targets, meaning it will block the handler during exploitation.
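The detection notes above reduce to two checks on inbound HNAP traffic: is the request an HNAP Login call, and are any of the four SOAP fields (Action, Username, LoginPassword, Captcha) abnormally long or is the body malformed. The following is an added example of that logic written for this page; it is not code from the CVE record, from D-Link, or from the Metasploit module. It assumes the request has already been split into method, path, headers and body by whatever proxy or log pipeline feeds it, and MAX_FIELD_LEN is an arbitrary tuning threshold rather than a value from the advisory. The sample requests at the bottom are constructed.

```python
"""Flag anomalously long or malformed HNAP Login SOAP fields (CVE-2016-6563).

Added defensive example, not code from the page, Metasploit or D-Link.
Assumptions: HNAP Login requests are POSTs under /HNAP1/ carrying a
SOAPAction header of http://purenetworks.com/HNAP1/Login; MAX_FIELD_LEN is
an assumed tuning knob, not a number taken from the advisory.
"""
import xml.etree.ElementTree as ET

HNAP_LOGIN_ACTION = "http://purenetworks.com/HNAP1/Login"
WATCHED_FIELDS = ("Action", "Username", "LoginPassword", "Captcha")
MAX_FIELD_LEN = 64  # assumed threshold; real router logins are far shorter


def is_hnap_login(method, path, headers):
    """True when the request looks like an HNAP Login call."""
    if method.upper() != "POST" or not path.startswith("/HNAP1"):
        return False
    soapaction = ""
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == "soapaction":
            soapaction = value.strip().strip('"')
    return soapaction == HNAP_LOGIN_ACTION


def _localname(tag):
    # strip the "{namespace}" prefix so field names match regardless of xmlns
    return tag.rsplit("}", 1)[-1]


def inspect_login_body(body, max_len=MAX_FIELD_LEN):
    """Return [(field, length)] for watched fields longer than max_len.

    A body that does not parse is reported as ('<malformed>', len(body)):
    the affected firmware mishandles malformed SOAP too, so it is worth a look.
    """
    findings = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return [("<malformed>", len(body))]
    for elem in root.iter():
        if _localname(elem.tag) in WATCHED_FIELDS:
            text = elem.text or ""
            if len(text) > max_len:
                findings.append((_localname(elem.tag), len(text)))
    return findings


def classify_request(method, path, headers, body, status=None):
    """Verdict for one request: 'benign', 'probe' or 'suspicious'.

    'probe' mirrors the fingerprint check described above: a Login call
    that the device answered with HTTP 500 and no oversized field.
    """
    if not is_hnap_login(method, path, headers):
        return "benign"
    if inspect_login_body(body):
        return "suspicious"
    if status == 500:
        return "probe"
    return "benign"


# Constructed sample traffic (not captured data).
LOGIN_HEADERS = {"Content-Type": "text/xml", "SOAPAction": '"%s"' % HNAP_LOGIN_ACTION}
_ENVELOPE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><Login xmlns="http://purenetworks.com/HNAP1/">'
    "<Action>request</Action><Username>%s</Username>"
    "<LoginPassword></LoginPassword><Captcha></Captcha>"
    "</Login></soap:Body></soap:Envelope>"
)
SAMPLE_OK = _ENVELOPE % "admin"
SAMPLE_LONG = _ENVELOPE % ("x" * 300)  # oversized Username field

if __name__ == "__main__":
    for label, body, status in (("normal", SAMPLE_OK, 200),
                                ("probe", SAMPLE_OK, 500),
                                ("oversized", SAMPLE_LONG, 200)):
        print(label, classify_request("POST", "/HNAP1/", LOGIN_HEADERS, body, status),
              inspect_login_body(body))
```

Feed classify_request one request at a time from a reverse proxy or HTTP log parser; it does not depend on the response body, only on the status code when you have it, so it works on request-only logs as well (probes then simply show as benign).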

CVSS provenance

nvd v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL