BreachExchange mailing list archives

Previous By Date Next
Previous By Thread Next

Back door found in D-Link routers

From: Lee J <lee () riskbasedsecurity com>
Date: Mon, 14 Oct 2013 10:59:19 +1100
http://www.theregister.co.uk/2013/10/13/dlink_routers_have_admin_backdoor/

A group of embedded device hackers has turned up a vulnerability in D-Link
consumer-level devices that provides unauthenticated access to the units'
admin interfaces.

The flaw means an attacker could take over all of the user-controllable
functions of the popular home routers, which includes the DIR-100, DI-524,
DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240 units. According to the
post<http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/> on
/DEV/TTYS0, a couple of Planex routers are also affected, since they use
the same firmware.

A Binwalk extract of the DLink DIR-100 firmware revealed that an
unauthenticated user needs only change their user agent string to
xmlset_roodkcableoj28840ybtide to access the router's Web interface with no
authentication.

The /DEV/TTYS0 researcher found the user agent string inside a bunch of
code designed to run simple string comparisons. For one of those
comparisons, “if the strings match, the check_login function call is
skipped and alpha_auth_check returns 1 (authentication OK)”, the author
notes.

Some commentards to that post claimed to have successfully tested the
backdoor against devices visible to the Shodan device search engine.

The /DEV/TTYS0 author, Craig, says the backdoor exists in v1.13 of the
DIR-100revA products.

At this point, there's no defence against the backdoor, so users are
advised to disable WAN-port access to the administrative interfaces of
affected products. ®

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
Previous By Date Next
Previous By Thread Next

Current thread: