HomeVulnerabilityPoC exploit launched for RCE zero-day in D-Hyperlink EXO AX4800 routers

PoC exploit launched for RCE zero-day in D-Hyperlink EXO AX4800 routers

The D-Hyperlink EXO AX4800 (DIR-X4860) router is susceptible to distant unauthenticated command execution that might result in full machine takeovers by attackers with entry to the HNAP port.

The D-Hyperlink DIR-X4860 router is a high-performance Wi-Fi 6 router able to speeds of as much as 4800 Mbps and superior options like OFDMA, MU-MIMO, and BSS Coloring that improve effectivity and cut back interference.

The machine is significantly common in Canada, and it is offered within the international market in response to D-Hyperlink’s web site, and nonetheless actively supported by the seller.

At present, the SSD Safe Disclosure group of researchers introduced that they found flaws in DIR-X4860 gadgets operating the most recent firmware model, DIRX4860A1_FWV1.04B03, which allows unauthenticated distant command execution (RCE).

“Safety vulnerabilities in DIR-X4860 permit distant unauthenticated attackers that may entry the HNAP port to realize elevated privileges and run instructions as root,” reads SSD’s disclosure.

“By combining an authentication bypass with command execution the machine may be fully compromised.”

See also  Netgear WNR614 flaws enable gadget takeover, no repair out there

Accessing the Residence Community Administration Protocol (HNAP) port on the D-Hyperlink DIR-X4860 router is comparatively simple typically, because it’s normally HTTP (port 80) or HTTPS (port 443) accessible via the router’s distant administration interface.

Exploitation course of

The SSD analysts have shared step-by-step exploitation directions for the problems they found, making a proof-of-concept (PoC) exploit now publicly obtainable.

The assault begins with a specifically crafted HNAP login request to the router’s administration interface, which features a parameter named ‘PrivateLogin’ set to “Username” and a username of “Admin”.

The router responds with a problem, a cookie, and a public key, and these values are used to generate a sound login password for the “Admin” account.

A follow-up login request with the HNAP_AUTH header and the generated LoginPassword is distributed to the goal machine, primarily bypassing authentication.

Login request that bypasses the authentication step
Login request that bypasses the authentication step
Supply: SSD Safe Disclosure

With authenticated entry, the attacker then exploits a command injection vulnerability within the ‘SetVirtualServerSettings’ perform through a specifically crafted request.

The susceptible ‘SetVirtualServerSettings’ perform processes the ‘LocalIPAddress’ parameter with out correct sanitization, permitting the injected command to execute within the context of the router’s working system.

See also  Venafi’s new providing to dam unauthorized code throughout person environments

SSD says it has contacted D-Hyperlink 3 times to share its findings with the router maker over the previous 30 days, however all makes an attempt to inform them have been unsuccessful, leaving the failings at present unfixed.

BleepingComputer has additionally reached out to D-Hyperlink with a associated request, and we’re nonetheless ready for a remark.

Till a security firmware replace is made obtainable, customers of the DIR-X4860 ought to disable the machine’s distant entry administration interface to forestall exploitation.

- Advertisment -spot_img
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -

Most Popular