Nmap Development mailing list archives
Tenda router backdoor
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Fri, 18 Oct 2013 17:28:25 +0200
Hey guys!

It's been a while :)

Craig of /dev/ttyS0 did it again.
http://www.devttys0.com/2013/10/from-china-with-love/

Another backdoor in cheap routers, now in Tenda.

I quickly wrote a small script (obviously based on Patrik's D-Link one) to test for the presence of this backdoor. You can find it attached to this message. My Nmap svn branch is largely outdated by now, so I didn't want to commit it straight there.

I've also done some quick grepping on other Tenda router firmwares I could get my hands on and here are the results:
http://ea.github.io/blog/2013/10/18/tenda-backdoor/

The script output is as follows:

-- @output
-- PORT     STATE         SERVICE REASON
-- 7329/udp open|filtered swx     no-response
-- | tenda-backdoor:
-- |   VULNERABLE:
-- |   Firmware backdoor in some models of Tenda routers allow for remote command execution
-- |     State: VULNERABLE
-- |     Risk factor: High
-- |     Description:
-- |       Tenda routers have been found to contain a firmware backdoor allowing remote command execution by using a magic word on udp port 7329.
-- |
-- |     References:
-- |_      http://www.devttys0.com/2013/10/from-china-with-love/

You can also specify the remote command to execute and get the results printed as debug output. Wasn't sure what would be the best approach to incorporate its output into the vuln reporting table.

Always have fun,
Aleksandar
Attachment:
tenda-backdoor.nse
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/