Posts: 1
Registered: ‎12-06-2017

JNAP / HNAP1 requests from EA8300 router with up to date firmware

On a recently purchased EA8300 router with up-to-date (1.1.3.184925) firmware, I am noticing the following periodic requests from the router itself to a device connected to the wireless network, which is listening on port 80:

 

192.168.1.1 - - [06/Dec/2017:20:48:18 +0000] "POST /JNAP/ HTTP/1.1" 403 8344 "-" "-"
192.168.1.1 - - [06/Dec/2017:20:48:18 +0000] "GET /HNAP1/ HTTP/1.1" 404 6007 "-" "-"
192.168.1.1 - - [06/Dec/2017:20:48:18 +0000] "GET / HTTP/1.1" - - "-" "-"

 

The POST request has no payload and the following headers:


{ host: (assigned device IP),
  accept: '*/*',
  'x-jnap-action': '"http://linksys.com/jnap/core/GetDeviceInfo"',
  'content-type': 'application/json',
  'content-length': '2' }

 

This seems potentially related to previous JNAP/HNAP1 exploits. My question is: Is this the router itself performing some kind of security scan, or has my router been infected by an unpatched exploit?
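
One way to triage access-log entries like the ones quoted in this post, as an added example that is not part of the original post: it groups requests by source and timestamp and separates the exact POST /JNAP/, GET /HNAP1/, GET / sequence coming from the gateway address from any other JNAP/HNAP1 request. The function name, the verdict labels and the two log lines from 192.168.1.50 and 192.168.1.77 are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format; status and size may be "-" as in the third line of the post.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}|-) (?P<size>\d+|-)'
)

# The request sequence shown in the post, in order.
PROBE_SEQUENCE = [("POST", "/JNAP/"), ("GET", "/HNAP1/"), ("GET", "/")]

# First three lines are from the post; the last two are constructed for contrast.
SAMPLE_LOG = """\
192.168.1.1 - - [06/Dec/2017:20:48:18 +0000] "POST /JNAP/ HTTP/1.1" 403 8344 "-" "-"
192.168.1.1 - - [06/Dec/2017:20:48:18 +0000] "GET /HNAP1/ HTTP/1.1" 404 6007 "-" "-"
192.168.1.1 - - [06/Dec/2017:20:48:18 +0000] "GET / HTTP/1.1" - - "-" "-"
192.168.1.50 - - [06/Dec/2017:20:49:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"
192.168.1.77 - - [06/Dec/2017:20:50:11 +0000] "GET /HNAP1/ HTTP/1.1" 404 6007 "-" "-"
"""

def find_probes(log_text, gateway_ip):
    """Group requests by (source, timestamp) and classify JNAP/HNAP1 activity."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not parse are skipped
            groups[(m["src"], m["ts"])].append((m["method"], m["path"]))
    findings = []
    for (src, ts), reqs in groups.items():
        if not any(path in ("/JNAP/", "/HNAP1/") for _, path in reqs):
            continue  # no JNAP/HNAP1 request in this group
        if src == gateway_ip and reqs == PROBE_SEQUENCE:
            verdict = "gateway-probe-sequence"  # same pattern as in the post
        else:
            verdict = "review"  # other source, or a different request pattern
        findings.append({"src": src, "ts": ts, "requests": reqs, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in find_probes(SAMPLE_LOG, gateway_ip="192.168.1.1"):
        print(f["ts"], f["src"], f["verdict"], f["requests"])
```
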

Expert
Posts: 13,339
Registered: ‎01-18-2013

Re: JNAP / HNAP1 requests from EA8300 router with up to date firmware

It's the Linksys SmartWifi device discovery probe to populate your Network Map.


Linksys
Communities Technical Support
Anonymous
Posts: 0

Re: JNAP / HNAP1 requests from EA8300 router with up to date firmware

CVE-2014-8244 and CVE-2014-8243

This is the chain used as a POC:

 

The CGI scripts in the firmware:

 

192.168.1.1/sysinfo.cgi    -- this gives system info to the attacker
192.168.1.1/ezwifi_cfg.cgi  -- this gives injection/remote execution to the attacker
192.168.1.1/qos_info.cgi - this speaks for itself

 

Java Portal Communication Module API is exploitable:

JNAP utility is used to test database connectivity, load FList from files, use Flist as input when calling opcodes on the server and display Flist - that's Oracle's JAVA 101

 

A payload stored in any of these objects/functions:

"Check for Updates"
Router diagnostic information/"Share router info with Linksys"
Router configuration "Backup/Restore"
Router Firmware/"Restore previous firmware"

will render the reflashing and resetting of the firmware useless

 

If the router is compromised: reflash/reset and manually reconfigure network settings

 

But that is only a temporary fix - as long as JAVA/JNAP is used (HTTP POST/GET) it's a "rinse, repeat" insanity cycle

 

OR...add some python on top of C++ IDS and plug any SQLi, XSS and XML holes in your network - cough...

 

 

Posts: 12
Registered: ‎12-20-2017

Re: JNAP / HNAP1 requests from EA8300 router with up to date firmware

Why the 2 year old information on several threads cut and pasted?
This does not seem relevant to the current issue.
Anonymous
Posts: 0

Re: JNAP / HNAP1 requests from EA8300 router with up to date firmware

vxblade - your "2 year old info...not seem relevant" comment is a response to?