{"vuid":"VU#677427","idnumber":"677427","name":"D-Link routers HNAP service contains stack-based buffer overflow","keywords":["dlink","router","stack buffer overflow","CWE-121"],"overview":"D-Link DIR routers contain a stack-based buffer overflow in the HNAP Login action.","clean_desc":"CWE-121: Stack-based Buffer Overflow - CVE-2016-6563 \nProcessing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack. The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha. CVE-2016-6563  appears to affect: DIR-823\nDIR-822\nDIR-818L(W)\nDIR-895L\nDIR-890L\nDIR-885L\nDIR-880L\nDIR-868L\nDIR-850L","impact":"A remote, unauthenticated attacker may be able to execute arbitrary code with root privileges.","resolution":"Apply an update D-Link has released firmware updates to address the vulnerabilities in affected routers. Please see their announcement. If you are unable to update your device, please see the following workarounds:","workarounds":"Restrict Access As a general good security practice, only allow connections from trusted hosts and networks. \nAdditionally, you may wish to disable remote administration of the router.","sysaffected":"","thanks":"Thanks to Pedro Ribeiro (\npedrib@gmail.com\n) of Agile Information Security for reporting this vulnerability.","author":"This document was written by Trent Novelly.","public":["http://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10066","https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-hnap-login.txt","https://cwe.mitre.org/data/definitions/121.html"],"cveids":["CVE-2016-6563"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2016-09-07T18:41:09Z","publicdate":"2016-11-07T00:00:00Z","datefirstpublished":"2016-11-07T15:37:10Z","dateupdated":"2017-03-08T15:16:25Z","revision":23,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"ND","cvss_collateraldamagepotential":"N","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"9.3","cvss_basevector":"AV:N/AC:M/Au:N/C:C/I:C/A:C","cvss_temporalscore":"8","cvss_environmentalscore":"5.9842549872","cvss_environmentalvector":"CDP:N/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}