Hidden Admin Access in D-Link routers
SourceSec security research has disclosed a serious flaw in D-Link routers that lets an attacker access and edit the router's settings without entering the admin credentials.
According to SourceSec, this vulnerability exists in the DI-524, DIR-628 and DIR-655 routers. D-Link routers expose a secondary admin interface that uses HNAP (Home Network Administration Protocol), which has been part of D-Link routers since 2006. HNAP is SOAP-based and requires basic admin authentication, but some of the D-Link routers let an attacker use the GetDeviceSettings SOAP action to bypass the security mechanisms. Although GetDeviceSettings does not, on its own, give out any sensitive information, it can be used to bypass the authentication requirements for all other SOAP actions.
Further details on the research are given in the paper here. Currently there is no known way to disable the HNAP implementation on D-Link routers, so there is no fix for this as of now. D-Link was the first to add a CAPTCHA security check to its home routers to help prevent attacks, but an attacker can use this vulnerability to get past many security measures, including the CAPTCHA. SourceSec has also provided a sample exploit called HNAP0wn on their website.
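For inventory on networks you administer, a GetDeviceSettings response can be parsed to tell whether a router is one of the models named above and which SOAP actions it advertises. This is an added example, not code from SourceSec or D-Link; the response layout, the `http://purenetworks.com/HNAP1/` namespace and the element names are assumed from HNAP 1.x, and the sample response is constructed.

```python
import xml.etree.ElementTree as ET

HNAP_NS = "http://purenetworks.com/HNAP1/"          # assumed HNAP 1.x namespace
AFFECTED_MODELS = {"DI-524", "DIR-628", "DIR-655"}  # models named in the article

# Constructed sample response, not captured from a real device.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <VendorName>D-Link</VendorName>
      <ModelName>DIR-655</ModelName>
      <FirmwareVersion>0.00-sample</FirmwareVersion>
      <SOAPActions>
        <string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>
        <string>http://purenetworks.com/HNAP1/IsDeviceReady</string>
      </SOAPActions>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>"""


def assess_hnap_response(xml_bytes):
    """Return vendor, model, firmware, advertised actions and an 'affected' flag."""
    # Device responses are untrusted input: refuse DTDs so entity tricks never reach the parser.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not expected in HNAP responses")
    root = ET.fromstring(xml_bytes)
    resp = root.find(f".//{{{HNAP_NS}}}GetDeviceSettingsResponse")
    if resp is None:
        return None  # not an HNAP GetDeviceSettings response

    def text(tag):
        return (resp.findtext(f"{{{HNAP_NS}}}{tag}") or "").strip()

    # Keep only the action name at the end of each advertised action URI.
    actions = [s.text.strip().rsplit("/", 1)[-1]
               for s in resp.iterfind(f"{{{HNAP_NS}}}SOAPActions/{{{HNAP_NS}}}string")
               if s.text]
    model = text("ModelName")
    return {"vendor": text("VendorName"), "model": model,
            "firmware": text("FirmwareVersion"), "actions": actions,
            "affected": model.upper() in AFFECTED_MODELS}


if __name__ == "__main__":
    print(assess_hnap_response(SAMPLE_RESPONSE))
```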









