Nmap Development mailing list archives

Tenda router backdoor


From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Fri, 18 Oct 2013 17:28:25 +0200

Hey guys!
It's been a while :)

Craig of /dev/ttyS0 did it again.

http://www.devttys0.com/2013/10/from-china-with-love/

Another backdoor in cheap routers, now in Tenda.

I quickly wrote a small script (obviously based on Patrik's D-Link one)
to test for the presence of this backdoor. You can find it attached
to this message.

My Nmap svn branch is largely outdated by now, so I didn't want to commit
it straight there.

I've also done some quick grepping on other Tenda router firmwares I
could get my hands on, and here are the results:
http://ea.github.io/blog/2013/10/18/tenda-backdoor/

The script output is as follows:

-- @output
-- PORT     STATE         SERVICE REASON
-- 7329/udp open|filtered swx     no-response
-- | tenda-backdoor:
-- |   VULNERABLE:
-- |   Firmware backdoor in some models of Tenda routers allow for remote command execution
-- |     State: VULNERABLE
-- |     Risk factor: High
-- |     Description:
-- |       Tenda routers have been found to contain a firmware backdoor allowing remote command execution by using a magic word on udp port 7329.
-- |
-- |     References:
-- |_      http://www.devttys0.com/2013/10/from-china-with-love/

You can also specify the remote command to execute and get the results
printed as debug output.
Wasn't sure what would be the best approach to incorporate its output
into the vuln reporting table.

Always have fun,
Aleksandar


Attachment: tenda-backdoor.nse

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
