The D-Hyperlink EXO AX4800 (DIR-X4860) router is susceptible to distant unauthenticated command execution that might result in full machine takeovers by attackers with entry to the HNAP port.
The D-Hyperlink DIR-X4860 router is a high-performance Wi-Fi 6 router able to speeds of as much as 4800 Mbps and superior options like OFDMA, MU-MIMO, and BSS Coloring that improve effectivity and cut back interference.
The machine is significantly widespread in Canada, and it is offered within the world market based on D-Hyperlink’s web site, and nonetheless actively supported by the seller.
Immediately, the SSD Safe Disclosure staff of researchers introduced that they found flaws in DIR-X4860 units operating the most recent firmware model, DIRX4860A1_FWV1.04B03, which allows unauthenticated distant command execution (RCE).
“Safety vulnerabilities in DIR-X4860 enable distant unauthenticated attackers that may entry the HNAP port to achieve elevated privileges and run instructions as root,” reads SSD’s disclosure.
“By combining an authentication bypass with command execution the machine will be fully compromised.”
Accessing the House Community Administration Protocol (HNAP) port on the D-Hyperlink DIR-X4860 router is comparatively easy normally, because it’s normally HTTP (port 80) or HTTPS (port 443) accessible by the router’s distant administration interface.
Exploitation course of
The SSD analysts have shared step-by-step exploitation directions for the problems they found, making a proof-of-concept (PoC) exploit now publicly accessible.
The assault begins with a specifically crafted HNAP login request to the router’s administration interface, which features a parameter named ‘PrivateLogin’ set to “Username” and a username of “Admin”.
The router responds with a problem, a cookie, and a public key, and these values are used to generate a legitimate login password for the “Admin” account.
A follow-up login request with the HNAP_AUTH header and the generated LoginPassword is shipped to the goal machine, primarily bypassing authentication.
Supply: SSD Safe Disclosure
With authenticated entry, the attacker then exploits a command injection vulnerability within the ‘SetVirtualServerSettings’ operate through a specifically crafted request.
The susceptible ‘SetVirtualServerSettings’ operate processes the ‘LocalIPAddress’ parameter with out correct sanitization, permitting the injected command to execute within the context of the router’s working system.
SSD says it has contacted D-Hyperlink thrice to share its findings with the router maker over the previous 30 days, however all makes an attempt to inform them have been unsuccessful, leaving the failings presently unfixed.
BleepingComputer has additionally reached out to D-Hyperlink with a associated request, and we’re nonetheless ready for a remark.
Till a safety firmware replace is made accessible, customers of the DIR-X4860 ought to disable the machine’s distant entry administration interface to stop exploitation.