
D-Link security breach - the Joel back door


Swamppifi


I have been reading about the security breach with the D-Link products, which have a back door hard-coded in.

So today I thought I'd get out my D-Link products and test them.

I started by loading up a portable Firefox and the add-in required with the back door string. I won't give the exact details; it's out on the net, I'm just saying what I found.

So I tested a DIR-300: didn't work, it's secure.

Next was the DSL-504T ADSL modem; again it is secure, the back door didn't work.

But next I tested two of my DI-524UPs. Opened up the browser and was asked for a password, so far it is secure, but when I activated the backdoor... open sesame...

The back door completely bypasses the login page and gave me root user, both on the LAN port and the WLAN port. Yes, it works wirelessly.

Anyone using D-Link routers needs to look this up against the affected models, then urgently update the firmware or replace the gear. This is a massive backdoor.

I have posted on here as I haven't seen any thread on the subject, and as it is a major breach it needs to be fixed quickly.


Guest spazi

Yeah I read about this backdoor. My dad actually uses a D-link router, I quickly updated the firmware and presto, no more backdoor.

Crazy to think that in this year of our lord, dumb shit like this still happens :P


I was shocked... when I read it, horrified when it worked... amused at the craftiness of the programmer to hide it this long so it ended up in many products.

Splitting the string up and only combining it at the last second in assembly, it wasn't going to show; the only way to find it was to run it through a debugger and pay careful attention to the values on the stack and what it is compared to, and that is how it was found.

I am glad that D-link has fixed it in the latest firmware, just need to flash the update.


Some EnGenius wireless products have Administrator:admin, admin:admin, login:admin, and manager:admin for SSH access hard-coded in. Found this out running a scan of my home network and a couple of my clients' networks. This is on the latest firmware.

Edited by barry99705

While I like the cleverness of how it's done, and even think it is a neat trick that could be used for other projects, how about hidden web pages on a router or app that are only shown when the correct browser is detected.

As pointed out above, the average user doesn't think twice about router security, let alone know that they can update the firmware; they are blissfully unaware that they may be open to attack through their router.

All sorts of things can be done once root user has been acquired, from data interception to planting viruses onto every computer that accesses the compromised box.

Just on a point, I scanned my wardriving database for identified D-Link routers, and I have over 80 mapped, so once you cracked the WPA2 you could own the system; just people who are unaware of the risk.

The computer industry goes on about making sure you have the latest antivirus and keeping your definitions up to date; what about the companies making auto updates of firmware part of router security, so the device is automatically updated as holes are found.

They need to take a leaf out of Microsoft's book with their pain-in-the-backside update policy; even if I hate it, I understand the need for it.

Peter


While I like the cleverness of how it's done, and even think it is a neat trick that could be used for other projects, how about hidden web pages on a router or app that are only shown when the correct browser is detected.

There is actually a list somewhere of different routers that have hidden pages with stats, diagnostics, etc., that aren't on the administration pages' default menus. I know a lot of Linksys and Cisco home routers have some of the same page names, so I'm sure there are other hidden things in devices from an OEM standpoint, whether it be hard-coded shells, backdoors, or other pages not used in the final product but left in for whatever reasons. Most of the pages are statistical in nature though, and I don't recall any of them being really useful, but some of them could be accessed, like style sheet directories, without being prompted for the login to the admin interface; some of those pages could be accessed without the htpasswd pop-up or a login page prompt, while on others you still had to log in to access the other pages.

Also, a lot of them don't offer SSH, FTP or Telnet access in the manuals, and the ports are often closed, but some of them have been known to have usernames for them in the firmware which, when used, let you in, like hard-coded accounts for the regular admin interface. With a flip of some info in the firmware, or modded firmware enabling or opening ports, logging in to the other interfaces such as Telnet or SSH then becomes possible, and the hard-coded usernames work around changed passwords. Some just need an attempt to see if the port is open when it's not listed; it's a matter of brute forcing your way in if it's not hard-coded logins, but they left the service running on the devices.

Some are vulnerable to XSS and injection to turn services on via the browser URL itself too, and I recall even an attack talk given, I think at Defcon, on having end users send a session to remote attackers, even when the outside admin interface was disabled. That's a bit more off topic, but still an interesting talk if you can find the video. I think I posted it on the forums in another post somewhere before.

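Both the bypass in the opening post (the admin interface served as root to a client that never passed the login page, triggered by a browser identification string) and the hidden pages digip describes (pages that answer without the htpasswd pop-up or login prompt) leave the same trace in a web access log: a protected page returned with HTTP 200 to a client with no preceding login. The script below, an added example that is not part of this thread, flags exactly that. It assumes the router, or a proxy placed in front of its admin interface, writes Apache/nginx "combined" format logs; the page names (/login.htm, /login.cgi, /tools_admin.htm, /status.htm), the sample log lines, and the `<BYPASS-UA-PLACEHOLDER>` User-Agent are all constructed for the example, and the real bypass string the thread declines to quote is not reproduced.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log in Apache/nginx "combined" format. The lines are
# invented for this example; the bypass User-Agent string the thread refers
# to is deliberately not reproduced and is replaced by a placeholder.
SAMPLE_LOG = """\
192.168.0.10 - - [12/Oct/2013:20:14:01 +1000] "GET /login.htm HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
192.168.0.10 - - [12/Oct/2013:20:14:09 +1000] "POST /login.cgi HTTP/1.1" 302 0 "http://192.168.0.1/login.htm" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
192.168.0.10 - - [12/Oct/2013:20:14:10 +1000] "GET /status.htm HTTP/1.1" 200 4210 "http://192.168.0.1/login.htm" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
192.168.0.23 - - [12/Oct/2013:20:15:40 +1000] "GET /status.htm HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
192.168.0.23 - - [12/Oct/2013:20:16:02 +1000] "GET /tools_admin.htm HTTP/1.1" 200 3880 "-" "<BYPASS-UA-PLACEHOLDER>"
192.168.0.23 - - [12/Oct/2013:20:16:05 +1000] "GET /style.css HTTP/1.1" 200 900 "-" "<BYPASS-UA-PLACEHOLDER>"
"""

# Assumed page names for this example; adjust to the device's real layout.
LOGIN_PATHS = {"/login.htm", "/login.cgi"}
# Static assets a login page legitimately serves before authentication.
PUBLIC_SUFFIXES = (".css", ".js", ".gif", ".png", ".ico")

# One regex for the "combined" log format: client, ident, authuser, time,
# request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Request:
    ip: str
    user: str       # HTTP basic-auth user, "-" when none
    method: str
    path: str
    status: int
    referer: str
    ua: str


@dataclass
class Finding:
    ip: str
    path: str
    user_agent: str
    reasons: List[str]


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-format line; return None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]  # drop the query string
    return Request(m["ip"], m["user"], m["method"], path,
                   int(m["status"]), m["referer"], m["ua"])


def is_protected(path: str) -> bool:
    """Everything that is neither the login flow nor a static asset."""
    return path not in LOGIN_PATHS and not path.endswith(PUBLIC_SUFFIXES)


def looks_like_browser(ua: str) -> bool:
    """Crude heuristic: real browsers on a home LAN announce Mozilla/ or Opera/."""
    return ua.startswith("Mozilla/") or ua.startswith("Opera/")


def find_suspicious(log_text: str) -> List[Finding]:
    """Flag protected pages served with 200 to clients that never logged in."""
    findings: List[Finding] = []
    logged_in = set()  # client IPs that completed the login form
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        # A POST to the login handler that did not fail counts as a login.
        if req.path in LOGIN_PATHS and req.method == "POST" and req.status in (200, 302):
            logged_in.add(req.ip)
            continue
        if not (is_protected(req.path) and req.status == 200):
            continue
        reasons = []
        if req.user == "-" and req.ip not in logged_in:
            reasons.append("admin page served with no preceding login")
        if not looks_like_browser(req.ua):
            reasons.append("non-browser User-Agent")
        if reasons:
            findings.append(Finding(req.ip, req.path, req.ua, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.ip} {f.path} ua={f.user_agent!r}: {'; '.join(f.reasons)}")
```

The second rule (a User-Agent that does not look like a browser) is only a weak signal on its own, since a legitimate monitoring script would also trip it; the first rule is the one that matters, and in the sample it fires once, for the 192.168.0.23 client that was refused /status.htm with a 401 and then received /tools_admin.htm in full without ever touching the login form. A real device that logs nothing will need a reverse proxy or a port mirror in front of it before this kind of check can be run at all.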

Hi digip

Thanks for your lengthy reply, I have found the list you have been talking about.

It is good information, and will help with what I want to experiment with.

Peter

