D-Link Router Backdoor Vulnerability Allows Full Access To Settings 228
StealthHunter writes "It turned out that just by setting a browsers user-agent to 'xmlset_roodkcableoj28840ybtide' anyone can remotely bypass all authentication on D-Link routers. It seems that thttpd was modified by Alphanetworks who inserted the backdoor. Unfortunately, vulnerable routers can be easily identified by services like shodanHQ. At least these models may have vulnerable firmware: DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240."
Will this stupidity ever end? (Score:5, Insightful)
Are these people too stupid to know that eventually, somebody _will_ analyze their firmware and find this? I think it is time to make them liable for a bit more than the device when things like these get found. Say, 10x the new value of the device to any customer that wants to give it back.
Re:Will this stupidity ever end? (Score:5, Insightful)
Well, as an ex D-Link customer, I'm glad to see someone is analyzing their firmware.
discipline (Score:5, Funny)
Comment removed (Score:5, Funny)
Re:Will this stupidity ever end? (Score:5, Insightful)
How about a Prison Sentence. These ego maniacs are putting people's bank account at risk. It is no different from writing a virus. In fact it is worse.
Re:Will this stupidity ever end? (Score:4, Interesting)
Who are you going to put in prison, exactly? It's possible only a small team of engineers was aware of this. Hell, may have even just been one rogue developer who nobody gave permission to put it there.
Re:Will this stupidity ever end? (Score:5, Insightful)
Idiot pruf (Score:4, Insightful)
Re: (Score:2, Insightful)
nobody is going to shell out that kind of budget for a sub $100 consumer router.
except such routers are the first line of defense, in many cases, of such things as a space shuttle guidance system....
(don't blame me for what nasa engineers have running at home...)
Re:Idiot pruf (Score:5, Interesting)
I can easily see something like this having the potential to cause losses not dissimilar to your "shuttle crash" scenario. It's "keys to the kingdom" external access to what should be a private network.
Finally, there's no chance in hell of even 1% of these devices receiving a firmware update. Nobody (outside of us) upgrades the firmware on their home router; They run it from factory until death, then buy another one. These devices will be vulnerable for the foreseeable future.
Re: (Score:2)
Forcing code vetting would change the economics of the industry. Companies would produce less models of router (for example) and they would produce a single model for longer. This would be good for everyone but the shareholders.
Re: (Score:3)
This would be good for everyone but the shareholders.
Good for the shareholders, too. It costs money to design and produce new versions of product with each new set of bells and whistles.
An issue that most companies seem to forget is brand loyalty. Even when such loyalty is as simple as "I had brand X model Y for several years and now it has failed. I need a new one. I'd buy the same thing because I am used to it and know how it works, but I can't because the company doesn't make it anymore." There are uncounted times I've gone through this process, having t
Re: (Score:3)
If you have a serious amount of money riding on your $100 modem/router/wifi being secure from within your own network then no amount of legislation is going to help you.
It doesn't matter how much money you have riding on your $100 router, it's serious if it's all your money. Which for many people is just a few hundred dollars in a bank account (if that!) which they need to feed their family. But if they don't participate in the internet, then they're not a member of modern society and their situation may well worsen. How much do you propose someone in this situation spend on a home router? Remember, your arrogance will be recorded for posterity.
Re:Idiot pruf (Score:4, Interesting)
I think it is? http://tsd.dlink.com.tw/downloads2008detailgo.asp [dlink.com.tw]
Someone commented on another website with this link: https://gist.github.com/ccpz/6960941 [github.com] which shows
the backdoor string being defined in some config.
Re: (Score:2)
100 bucks*10 million installations = 1 000 000 000 bucks.
just saying. anyhow, this isn't apparently open from the wan by default at least. so the people most fucked by this potentially are cafes etc semi public ap's. easiest damage scenario to come up with is just someone changing the cafes networks password. more damaging scenarios would be stuff like forwarding all the connections through somewhere else(and potential session hijinxes from that).
Re: (Score:2)
Re:Idiot pruf (Score:4, Informative)
As a software engineer working on a large consumer product, I can attest that every single line of code coming from our team goes through code review. It does increase short term costs a bit (but not prohibitively), but results in great net savings over the long haul as most defects are found before shipping, when code fixes are cheap. Finding and fixing the same defects after shipping is horrendously expensive and results in angry customers.
NCEES certifies software engineers too, more prova (Score:3)
Minor nitpick - you're thoroughly mistaken. The National Council of Examiners for Engineering and Surveying has standards for certifying software engineers just like any other branch of engineering.
"The term engineer is reserved for disciplines requiring strict standards and provable output"
Perhaps you're unaware that software can be much more provable than concrete or steel. Dlink could have had strict standards that would have prevented this problem. Few developers employ engineering methods properly
Re:Will this stupidity ever end? (Score:5, Interesting)
It sounds more like the backdoor was put in deliberately, probably to aid support staff who were fed of up trying to explain how to type "192.168.1.1" into the address box instead of Bing. This way they can just find your IP address and then go in via the backdoor to sort any problems out, about 90% of which will be wifi congestion on the default channel (11).
Re:Will this stupidity ever end? (Score:5, Informative)
Luckily, my D-Link router is not vulnerable to this attack (maybe the attack just needs to be tweaked). It's stacked behind a non-D-Link router, just in case.
Re: (Score:3)
Re: (Score:2)
If you create a faulty product that causes property loss or death, heads must fall. In China, they just shoot the CEO in cases like this.
For that huge income they should at least pick the people who pick the people who do the quality control.
Re: (Score:2)
Re: (Score:3)
WIth proper corporate liability, there wouldn't be need for any angry mob. I didn't suggest any lynching, i suggest proper laws.
Re: (Score:2)
Didn't intend to suggest that you did. Shooting CEOs in the head outside of the rule of law is a bad thing. I think we can safely agree on that.
In all seriousness, that's always a better solution than mob violence. I just sometimes worry that mob violence is going to happen faster than proper laws.
Re:Will this stupidity ever end? (Score:4, Funny)
Re: (Score:2)
Re: (Score:2)
Re:Will this stupidity ever end? (Score:4, Insightful)
Hell, may have even just been one rogue developer who nobody gave permission to put it there.
It's a safe bet their law team already have that at the top of the whiteboard.
Re: (Score:2)
Then you better have some way to prove it. Else, I still want the head of your boss. Because he is in the end responsible for what's happening in his company.
He who makes the decisions shall be held responsible for them.
Re: (Score:2)
The CEO. If you don't know what's going on in your company, you're criminally negligent anyway.
Maybe that would make them at least interested in knowing just what their company makes. I somehow have the feeling D-Link's CEO's response would be "Firmware? What firmware, I thought we're making hardware here!"
Re: (Score:2)
"The CEO. If you don't know what's going on in your company, you're criminally negligent anyway."
Unless you're Jon Corzine.
Re: (Score:2)
Really though if you don't know whether third party software embedded in a few of your huge range of products contains a hidden backdoor when a rarely used feature is activated what kind of CEO ar
Re:Will this stupidity ever end? (Score:5, Interesting)
Re: (Score:2)
Congrats. You found a sensible use for the DMCA.
That can only lead to its change to make sure it must never be applied that way.
Re:Will this stupidity ever end? (Score:5, Insightful)
The law is only for little people. Who went to prison when Sony rooted and vandalized thousands of computers with their XCP malware? Nobody. You have to hack a rich person's or organization's computers to go to jail. You and I don't count.
Re: (Score:3, Insightful)
How about a Prison Sentence. These ego maniacs are putting people's bank account at risk. It is no different from writing a virus. In fact it is worse.
Sorry man, but this isn't an ego maniac. It's worse than that. 04882 is an oblique reference to the product ID used by Revell. Revell produces hobby scale models of various things. In this case... of the USS Enterprise, as seen in the worst trek movie ever -- Star Trek: Into Darkness. Which means, we're not dealing with an ego maniac: We're dealing with a guy who is utterly devoid of ego. This particular model probably sits on his desk in his cube, providing both inspiration to one 'Joel' in D-Link's softwa
Re: (Score:2)
In other news, this incident is excellent fodder for security researchers to use as a case in point for how knowledge of a person's habits and hobbies can provide valuable insight into potential password selections, and also that the password selection is so strongly correlated with these things, that knowing the password alone can be sufficient to uniquely identify the user!
Re: (Score:2)
Re:Will this stupidity ever end? (Score:5, Interesting)
The DI-524 is, what, 8 years old? The firmware for it hasn't been updated since 2006. How, then is it listed as vulnerable?
This is some guy on a blog. It's a mixture of fact and wild speculation. This isn't an official security notification on something like Bugtraq or CERT, etc. He tested the DI-100 firmware, v1.13. The FTP link he provided lists the timestamp for the file as "02/19/2013 11:09AM", not 2006.
He doesn't even have a DI-100, he just downloaded it at random. He thinks, based on "the source code of the HTML pages and some Shodan search results", that the devices listed are affected. There was no actual testing, it's just rampant speculation based on Sir Bloggy McBlogs google-fu. Now, that said, I have been doing some additional research and the company Revell is based out of Germany -- which is also where D-Link's software development team is. Revell's website indicates the model went on sale about the same time as the movie release -- May 2013. The timestamp is February. It's not enough to bust my theory that 04882 is a reference to the model... it's just possible the website is wrong, or he got one early from a friend who works at said company. It does happen; Maybe they handed them out at special screenings.
Such is the nature of speculating on these things; it's interesting, but it's nearly impossible to get positive verification of a theory.
Re: (Score:2)
Kirk traveled into the past at some point and planted this, it will most likely save the ship and its crew. They need our help!
Wow (Score:3)
I'm always amazed to read about things like this because most engineers are not morons. Why would they do it? How could they not know it would be discovered?
The Black Hats have probably known about this for a long time...
Re: (Score:2)
It was a rushed job.
It was another department.
It was outsourced.
So many product lines. So much work.
The supervisor wants features for a global market, other product lines are for security.....
Re: (Score:3)
If "most engineers are not morons" then we wouldn't need Bobby Tables [bobby-tables.com] as an example when explaining simple security issues to them.
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
Most engineers are not morons.
Sadly, not everyone writing code is an engineer. You get a fair lot of people considering themselves "programmers" these days because they can slap together a few objects in a RAD tool (without having the foggiest clue what happens behind those shiny icons they click on), copy/paste some code from various example pages and finally run whatever mess that creates through the compiler often enough 'til it finally compiles. Add some shotgun debugging and you know why code is in the
Re:Will this stupidity ever end? (Score:5, Interesting)
Sometimes I think that things like this should be felonies, though. Criminal offense or not, in a sensible world this would put alphanetworks out of business.
Re:Will this stupidity ever end? (Score:4)
Individually suing in small claims court is almost always the better option, if you have the time.
Re: (Score:3)
Class action isn't about customers winning, it's purpose is to teach the company a lesson.
Re: (Score:2)
10x the new value of the device to any customer that wants to give it back
Silly idea, make them liable for costs. Then the device manufacturers will be supporting the [cough] on-line content industry [cough],
Re: (Score:2)
Are you talking about DLink or the NSA, or is the just DLinks way of complying?
Just wondering....
Re:Will this stupidity ever end? (Score:4, Interesting)
I also have my own site and I see many things. I know that every day there are people knocking on doors or ports. It is another world that most people only understand as some kind of stuff done by technically afflicted people.
And? (Score:2)
Re: (Score:3)
Well are you running an administration service on an open Internet facing port?
Your router won't get a chance to read the user agent string if you don't allowed an inward connection.
Then all you have to worry about is your insiders.
Re: (Score:2)
Thank Goodness... (Score:2)
Re:Thank Goodness... (Score:5, Interesting)
That the consumer is always so proactive with updates that they'll upgrade their router the instant a fix is released.......NOT.
"A quick Google for the “xmlset_roodkcableoj28840ybtide” string turns up only a single Russian forum post from a few years ago, which notes that this is an “interesting line” inside the /bin/webs binary. I’d have to agree."
Even if they do, it sounds like they'll be almost four years late.
Backwards: edit by 04882 Joel backdoor (Score:5, Interesting)
And the post points out (in 2010) that if you reverse the string it was "edit by 04882 Joel Backdoor" so it was clearly a backdoor.
The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!
Re: (Score:2, Insightful)
And the post points out (in 2010) that if you reverse the string it was "edit by 04882 Joel Backdoor" so it was clearly a backdoor.
The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!
Somebody found it profitable enough to make an effort to stifle the spread of knowledge about the backdoor?
"Profit" can be anything of value, of course.
Re:Backwards: edit by 04882 Joel backdoor (Score:5, Insightful)
The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!
Seriously? That's not a scandal, that's the way the world works. People that LOOK for stuff like that want to keep those exploits to themselves because they want to USE THEM. If you reveal the damn thing, it'll get patched.
Not many people want to do all the work of looking through binaries figuring out obscure shit like this just for fun.
Re: (Score:3)
edited by 04882 Joel backdoor (Score:4, Interesting)
Re:edited by 04882 Joel backdoor (Score:5, Funny)
Re:edited by 04882 Joel backdoor (Score:5, Insightful)
s this the guy behind it? http://www.joesdata.com/executive/Joel_Liu_421313008.html [joesdata.com] Assuming good will, it seems like debugging code left in the final firmware release.
Regardless of how strong the evidence may be, uniquely identifying someone on the internet is dangerous and may even expose you to a slander/libel/defamation case. You may recall not long ago the witch hunt on reddit for the Boston Bomber. Over a dozen 'suspects' were named and shamed on the forums, none of whom turned out to be the actual person. Those people's lives crumbled into dust after, and police had to devote valuable resources at the time to protecting those individuals from vigilantes. Don't go the extra step of naming someone -- no matter how confident you are, the odds are very high that you're wrong. I know you think you're being edgy, smart, whatever and showing off your google-fu here, but you've actually rather accomplished the reverse -- you've demonstrated a reckless abandon and an inability to consider the consequences of your actions, or at least favoring momentary glory and recognition at the expense of another. Neither scores high marks in internet ethics.
On the internet, a loaded finger is a bigger threat than a loaded gun.
Re:edited by 04882 Joel backdoor (Score:5, Insightful)
It might have nothing to do with anyone called Joel. When I was far younger and quite bored, I graffiti'd "Patrick Tang was here" (in a place where a Patrick Tang had been). Patrick Tang had nothing to do with the use of his name, but when he discovered it, he went to considerable effort to obscure it, believing he would likely be blamed.
Many routers subject to UPnP vulnerability anyway (Score:5, Insightful)
PDF link, published earlier this year, shows how many manufacturers use a stack with a UPnP vuln that gives root, even from the WAN side:
http://www.defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf [defensecode.com]
Point is, you probably weren't as safe as you thought you were, even before this new disclosure.
I think a huge problem with consumer-grade wifi routers today is that as manufacturers race to support new models with new wifi standards and new competitive feature sets, older models quickly become abandonware. There's very little guarantee around firmware updates for critical vulnerabilities, and end users are mostly oblivious to being at risk. By the time you pick up that $80 model from the store it's probably borderline EOL already.
Re: (Score:2)
It seems like they have about as many remote vulnerabilities as your run-of-the-mill Windows installation.
Maybe we should follow the same advice as is given to protect Windows from remote attackers: don't connect it directly to the Internet; put it behind a hardware firewall, opening only the ports you need. Like http port 80.
Oh, wait...
Did the NSA have a hand in this too? (Score:2)
How to bury your company's reputation with one password.
Re:Did the NSA have a hand in this too? (Score:4, Insightful)
How to bury your company's reputation with one password.
D-link's rep was buried long ago.
Re: (Score:3)
D-link's rep was buried long ago.
I'd tend to say that D-link's rep is long-lived and very consistent.
Yes they did, TAO (Score:4, Insightful)
Read it and weep:
http://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story_1.html
"Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO). As its name suggests, TAO builds attack tools that are custom-fitted to their targets. "
"Tailored Access Operations has software templates to break into common brands and models of “routers, switches and firewalls from multiple product vendor lines,” according to one document describing its work."
So on the one hand they're supposed to defend US networks from attack, while on the other hand they have detailed knowledge of these backdoors and use them for their own use while keeping them secret.
So yes, the NSA did have a hand in it, at the minimum it kept it secret while exploiting it.
Re: (Score:2)
You guys find a backdoor in a Chinese product and say it's the NSA?? If these were Cisco routers I'd agree, but I don't see the NSA putting back doors in Chinese firmware. I'd say it's so the Chinese government can spy on their citizens. You don't really think the USA is alone in building a surveillance state, do you?
Tomato, DD-WRT, or OpenWrt (Score:5, Informative)
Because friends don't let friends run crappy firmware with back doors/known problems.
http://www.linuxpromagazine.com/Issues/2010/119/Security-Lessons-Linux-WAP/(tagID)/337 [linuxpromagazine.com]
xmlset_roodkcableoj28840ybtide (Score:5, Funny)
Heay!
That's the combination on my luggage!
-
Re: (Score:2)
The home router market is a an ongoing disaster (Score:5, Interesting)
There is a systemic complete and total regard for basic tenets of security in nearly the entire home router/cpe market.
Start with crypto - no hwrng and a known "less than ideal" version of /dev/random to feed your "secure" wpa and ssh sessions.
Worse:
There is no privilege separation in most routers, which was ok when they were single function devices - BUT: not ok, when vulnerability via services like samba can be used to root most of the top 10 current home routers:
http://securityevaluators.com/content/case-studies/routers/soho_service_hacks.jsp [securityevaluators.com]
Once an attacker p0wns your home gateway they can change your dns to malicious sites, as dnschanger did:
http://www.dcwg.org/ [dcwg.org]
or have it participate in botnets, or inflict further attacks on unsuspecting devices both inside and outside your firewall, or sniff your traffic - there is no security when your front door is left wide open.
What nearly every home router and cpe manufacturer is shipping is **rotware**, running 4-7 year old kernels with known CVEs, and 10 year old versions of critical services like dnsmasq. You'd think that new 802.11ac devices available for this christmas might have some modern software on it, but just to pick out a recent example - the "new" netgear nighthawk router runs Linux 2.6.36.4 and dnsmasq 2.15, according to their R7000 gpl code drop -
http://kb.netgear.com/app/answers/detail/a_id/2649 [netgear.com]
Brand new hardware - 4+ and 10 year old software respectively.
It's unfair of me to pick on Netgear, every router I've looked at this christmas season has some major issues.
Right now, the only current hope for decent security in home routers is in open, modern, and maintained firmware. And I wish the manufacturers (and ISPs, AND users, and governments) understood that, and there was (in particular) a sustainable model for continuous updates and upgrades as effective as android's in this market. I don't care if it came from taxation, isp fees, or built into the price of the device - would you willingly leave your networks' front door open if you understood the consequences?
Rotten routers with closed source code, and no maintenance, are a huge security risk, and they are holding back the ipv6 transition, (and nearly all current models have bufferbloat, besides)
How can the dysfunctional edge of the Internet be fixed?
Re: (Score:3, Interesting)
"Right now, the only current hope for decent security in home routers is in open, modern, and maintained firmware"
Nah. The only lonely hope fer descentified home security routers is to build sum yerself. It aren't that hard. What hillbilly don't got a beige box layin' about and a spare NIC? Need juz... uh... count 'em: | | <- Dis manny Etherport whatsits to build a maximam security gateway. I tighted two screws (righty tighty, leftie loosie), got dem dere PCI card hooked up. Putted in a CD, wot axed a few questimations, and done.
Oh, but dis is dat dere big brained slashamadoodle folks. Fergiven ma pardon. Ai
Re: (Score:2)
Re: (Score:2)
And every DOD approved server is running RHEL6 which is 2.6.32. The kernel version doesn't tell you shit unless you know what patches have been added.
Re: (Score:2)
My router is about 10 years old now, still working. Supports WPA-PSK, so it has all the features I need it to have.
However afaik no way to update the firmware. Which of course is >10 years old now. And even if I could... well it's hanging on a wall, and it's doing its job - it's a device, and not something that's high on my priority list to check for vulnerabilities.
I guess my best chance to keep safe is the fact that's so old and some obscure brand it's not a known target for would-be attackers.
A big problem (Score:4, Insightful)
This is NOT a small, obscure problem for users of DLINK routers. Although it does not open up Wifi access or anything like that, having access to the configuration panel of your router is bad news even from inside the network. I can't think of anyway to automatically exploit it via a browser (XSS-style) but a small executable (or trusted Java applet, for instance) could do it.
Additionally, I wonder how many small establishments are offering free wifi using DLINK equipment. Those networks are now vulnerable.
If I was a bad(er) guy, the first thing I would change would be the DNS settings. Forcing all computers behind the router to use a DNS I control opens up all sorts of interesting ways to mess with people.
Re:A big problem (Score:5, Informative)
Apparently IE might let you change the user agent
http://stackoverflow.com/questions/6995311/how-can-i-spoof-the-user-agent-of-a-javascript-get-request [stackoverflow.com]
You'd just need to work in some cross domain exploit somehow... or have a subdomain of your website resolve to 192.168.1.1
Re: (Score:2)
I never thought of this, that's pretty sneaky.
Re: (Score:3)
This was a big issue here in South Africa a few months ago. Telkom (the local state owned incompetent telco) were selling approved DLink modems with helpful extra admin accounts (username: support password: support was one I saw) which suddenly started redirecting traffic to interesting locations [mybroadband.co.za].
Re:A big problem (Score:5, Interesting)
Being able to manipulate the router's config interface would allow an external entity the ability to upload a new firmware to the router. The new firmware would offer the attacker switches to flip at will that would enable packet sniffing of all traffic and man-in-the-middle SSL attacks. Organized crime / NSA (redundant to mention both, I know) seek no deeper capabilities than this.
You bring up a great point of smaller establishments running WiFi on D-Link equipment. Perhaps their SSID's should be modified to read, "HACKED BY NSA - DO NOT USE!"
Comment removed (Score:3)
updating contacts (Score:2)
Why bother? (Score:3)
Why do all these router vendors even bother producing their own nonstandard firmware?
Most of the hardware is based around a small set of common chipsets anyway, so why not use an existing firmware such as dd-wrt or openwrt.
Re: (Score:3)
Branding. Same reason Samsung has all but forked Android. If they don't, there is no difference any more between various devices.
Re: (Score:2)
Which is in most cases just stupid...
Most of the branded versions of android (and other similar systems) that i've seen have been considerably worse than the stock version, especially the carrier branded versions.
OEM versions of windows are just as bad too.
By creating a branded version you are differentiating yourself as being inferior, thats not a good "difference" at all as in many cases people will actively seek out devices which don't have the branded software versions.
Is this where I get to feel smug? (Score:2)
Re: (Score:2)
You should definitely be feeling pretty smug.
Re: (Score:3)
You can also compare Apple's 2095 vulnerabilities for 97 products [cvedetails.com] to D-Link's 43 vulnerabilities for 40 products [cvedetails.com].
So "wear protection". This IS Slashdot... (Score:2)
Many folks are installing pfSense etc on thin clients (plentiful on Ebay and dirt cheap). Choose whatever distro you like then have at it. Rolling your own goes back to floppy-based Linux routers and is old news.
Re: (Score:2)
Re: (Score:2)
I have a dir-655 as well and it doesn't support tomato or any other custom firmwares as far as I know
Re: (Score:2)
And you never get hit with a drive-by that tries the back door from the LAN side.
Re: (Score:2)
DD-WRT has always shipped with a default password, which is something like 'admin'. That is the Very First thing to be changed upon login, after a firmware flash, so what is your point?
Is this the article you were referring to?: http://tech.slashdot.org/story/13/03/15/1234217/backdoor-found-in-tp-link-routers [slashdot.org]
Perhaps your memory is faulty, but like this D-LINK situation in the news today, replacing the firmware will solve the problem. DD-WRT is the answer in this case, not the problem. If I'm missing somethi
Re: (Score:2)
"Security is a process, not a product" would already be enough for most managers to remember.
Security is nothing you can buy. No black box you put in the corner and be done with it. Security is something you have to do.