Slashdot Mirror


D-Link Router Backdoor Vulnerability Allows Full Access To Settings

StealthHunter writes "It turned out that just by setting a browser's user-agent to 'xmlset_roodkcableoj28840ybtide' anyone can remotely bypass all authentication on D-Link routers. It seems that thttpd was modified by Alphanetworks who inserted the backdoor. Unfortunately, vulnerable routers can be easily identified by services like shodanHQ. At least these models may have vulnerable firmware: DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240."
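A defender's check for the behaviour the submission describes, added here as an example and not part of the original post or of any D-Link/Alphanetworks code: it scans access-log lines in the common "combined" format (the log lines and IP addresses below are constructed, not real captures) for any request carrying the magic User-Agent, and reverses the marker to show the "edit by 04882 joel backdoor" text the comments mention.

```python
"""Flag HTTP requests that carry the Alphanetworks/D-Link backdoor User-Agent.

Added example, not from the original post. Intended for logs from a proxy,
IDS or web server in front of a router, where the magic value should never
appear in legitimate traffic.
"""
import re
from typing import Iterable, List, Tuple

BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Combined log format: ip - user [date] "request" status bytes "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def decode_marker(s: str) -> str:
    """Reverse the marker; this is how the 'edit by 04882 joel backdoor' text was spotted."""
    return s[::-1]


def is_backdoor_user_agent(ua: str) -> bool:
    """True if the User-Agent contains the magic value (case-insensitive substring match)."""
    return BACKDOOR_UA in ua.lower()


def scan_access_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, request_line) for every parseable request with the backdoor UA."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m and is_backdoor_user_agent(m.group("ua")):
            hits.append((m.group("ip"), m.group("req")))
    return hits


# Constructed sample lines (documentation IP ranges, not real traffic):
# a normal browser request, a request using the magic User-Agent, and junk.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2013:10:00:01 +0000] "GET /index.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Oct/2013:10:00:02 +0000] "GET / HTTP/1.1" 200 4096 "-" "xmlset_roodkcableoj28840ybtide"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print("marker reversed:", decode_marker(BACKDOOR_UA))
    for ip, req in scan_access_log(SAMPLE_LOG):
        print(f"ALERT: backdoor user-agent from {ip}: {req}")
```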


  1. Will this stupidity ever end? by gweihir · · Score: 5, Insightful

    Are these people too stupid to know that eventually, somebody _will_ analyze their firmware and find this? I think it is time to make them liable for a bit more than the device when things like these get found. Say, 10x the new value of the device to any customer that wants to give it back.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Will this stupidity ever end? by DigitAl56K · · Score: 5, Insightful

      Well, as an ex D-Link customer, I'm glad to see someone is analyzing their firmware.

    2. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 5, Insightful

      How about a prison sentence. These ego maniacs are putting people's bank accounts at risk. It is no different from writing a virus. In fact it is worse.

    3. Re:Will this stupidity ever end? by johndoe42 · · Score: 4, Interesting
      A class action lawsuit for gross negligence might do the trick.

      Sometimes I think that things like this should be felonies, though. Criminal offense or not, in a sensible world this would put alphanetworks out of business.

    4. Re:Will this stupidity ever end? by AlphaWolf_HK · · Score: 4, Interesting

      Who are you going to put in prison, exactly? It's possible only a small team of engineers was aware of this. Hell, may have even just been one rogue developer who nobody gave permission to put it there.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    5. Re:Will this stupidity ever end? by Samantha+Wright · · Score: 4, Insightful

      I might propose targeting the software review board that didn't catch the flaws, or perhaps the management who decided such a review board was unnecessary. Security-critical hardware should have at least some QC and/or validation at the firmware code level, y'know?

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    6. Re:Will this stupidity ever end? by sirlark · · Score: 4, Interesting

      Actually, this makes a twisted form of sense. The DMCA and earlier wire tapping and computer fraud laws state two things iirc 1) Attempting to access a system which you do not have permission to access is illegal, and 2) subverting a security mechanism to provide unintended access is illegal. Now (1) only applies if someone uses the back door to gain access to your system, but (2) applies just because the back door exists. The stated intent is that these routers are secure (read the advertising gumph), which means the existence of the back door was a subversion of the intent for security. Someone, somewhere did this, and should be held liable. Considering the "OMFG it's on a computer" factor and the peculiarly zealous manner in which violations are normally prosecuted, I don't see why this shouldn't carry jail time, and a lot of it, as a sentence. I make this argument in support of consistency. What's good for goose is good for the gander. I don't actually agree with the sentences recommended/allowed by those acts.

    7. Re:Will this stupidity ever end? by girlintraining · · Score: 5, Interesting

      The DI-524 is, what, 8 years old? The firmware for it hasn't been updated since 2006. How, then, is it listed as vulnerable?

      This is some guy on a blog. It's a mixture of fact and wild speculation. This isn't an official security notification on something like Bugtraq or CERT, etc. He tested the DI-100 firmware, v1.13. The FTP link he provided lists the timestamp for the file as "02/19/2013 11:09AM", not 2006.

      He doesn't even have a DI-100, he just downloaded it at random. He thinks, based on "the source code of the HTML pages and some Shodan search results", that the devices listed are affected. There was no actual testing, it's just rampant speculation based on Sir Bloggy McBlogs' google-fu. Now, that said, I have been doing some additional research and the company Revell is based out of Germany -- which is also where D-Link's software development team is. Revell's website indicates the model went on sale about the same time as the movie release -- May 2013. The timestamp is February. It's not enough to bust my theory that 04882 is a reference to the model... it's just possible the website is wrong, or he got one early from a friend who works at said company. It does happen; maybe they handed them out at special screenings.

      Such is the nature of speculating on these things; it's interesting, but it's nearly impossible to get positive verification of a theory.

      --
      #fuckbeta #iamslashdot #dicemustdie
    8. Re:Will this stupidity ever end? by AmiMoJo · · Score: 4, Interesting

      It sounds more like the backdoor was put in deliberately, probably to aid support staff who were fed up with trying to explain how to type "192.168.1.1" into the address box instead of Bing. This way they can just find your IP address and then go in via the backdoor to sort any problems out, about 90% of which will be wifi congestion on the default channel (11).

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Will this stupidity ever end? by AliasMarlowe · · Score: 5, Informative

      Read the user agent backwards, as indicated in the blog: "edit by 04882 joel back door". Stupidity indeed, even leaving a name.
      Luckily, my D-Link router is not vulnerable to this attack (maybe the attack just needs to be tweaked). It's stacked behind a non-D-Link router, just in case.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    10. Re:Will this stupidity ever end? by mcgrew · · Score: 4, Insightful

      The law is only for little people. Who went to prison when Sony rooted and vandalized thousands of computers with their XCP malware? Nobody. You have to hack a rich person's or organization's computers to go to jail. You and I don't count.

  2. Re:Thank Goodness... by fuzzyfuzzyfungus · · Score: 4, Interesting

    That the consumer is always so proactive with updates that they'll upgrade their router the instant a fix is released.......NOT.

    "A quick Google for the “xmlset_roodkcableoj28840ybtide” string turns up only a single Russian forum post from a few years ago, which notes that this is an “interesting line” inside the /bin/webs binary. I’d have to agree."

    Even if they do, it sounds like they'll be almost four years late.

  3. Backwards: edit by 04882 Joel backdoor by Anonymous Coward · · Score: 5, Interesting

    And the post points out (in 2010) that if you reverse the string it was "edit by 04882 Joel Backdoor" so it was clearly a backdoor.

    The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

    1. Re:Backwards: edit by 04882 Joel backdoor by Anonymous Coward · · Score: 5, Insightful

      The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

      Seriously? That's not a scandal, that's the way the world works. People that LOOK for stuff like that want to keep those exploits to themselves because they want to USE THEM. If you reveal the damn thing, it'll get patched.

      Not many people want to do all the work of looking through binaries figuring out obscure shit like this just for fun.

  4. edited by 04882 Joel backdoor by austerestyle · · Score: 4, Interesting

    Read backwards it reads the same as the comment subject. Is this the guy behind it? http://www.joesdata.com/executive/Joel_Liu_421313008.html Assuming good will, it seems like debugging code left in the final firmware release.

    1. Re:edited by 04882 Joel backdoor by _merlin · · Score: 4, Insightful

      It might have nothing to do with anyone called Joel. When I was far younger and quite bored, I graffiti'd "Patrick Tang was here" (in a place where a Patrick Tang had been). Patrick Tang had nothing to do with the use of his name, but when he discovered it, he went to considerable effort to obscure it, believing he would likely be blamed.

    2. Re:edited by 04882 Joel backdoor by jamesh · · Score: 4, Funny

      All this time we were running around blaming the NSA, when it was Joel all along!

    3. Re:edited by 04882 Joel backdoor by girlintraining · · Score: 5, Insightful

      Is this the guy behind it? http://www.joesdata.com/executive/Joel_Liu_421313008.html Assuming good will, it seems like debugging code left in the final firmware release.

      Regardless of how strong the evidence may be, uniquely identifying someone on the internet is dangerous and may even expose you to a slander/libel/defamation case. You may recall not long ago the witch hunt on reddit for the Boston Bomber. Over a dozen 'suspects' were named and shamed on the forums, none of whom turned out to be the actual person. Those people's lives crumbled into dust after, and police had to devote valuable resources at the time to protecting those individuals from vigilantes. Don't go the extra step of naming someone -- no matter how confident you are, the odds are very high that you're wrong. I know you think you're being edgy, smart, whatever and showing off your google-fu here, but you've actually rather accomplished the reverse -- you've demonstrated a reckless abandon and an inability to consider the consequences of your actions, or at least favoring momentary glory and recognition at the expense of another. Neither scores high marks in internet ethics.

      On the internet, a loaded finger is a bigger threat than a loaded gun.

      --
      #fuckbeta #iamslashdot #dicemustdie
  5. Many routers subject to UPnP vulnerability anyway by DigitAl56K · · Score: 5, Insightful

    PDF link, published earlier this year, shows how many manufacturers use a stack with a UPnP vuln that gives root, even from the WAN side:

    http://www.defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf

    Point is, you probably weren't as safe as you thought you were, even before this new disclosure.

    I think a huge problem with consumer-grade wifi routers today is that as manufacturers race to support new models with new wifi standards and new competitive feature sets, older models quickly become abandonware. There's very little guarantee around firmware updates for critical vulnerabilities, and end users are mostly oblivious to being at risk. By the time you pick up that $80 model from the store it's probably borderline EOL already.

  6. discipline by Moblaster · · Score: 5, Funny

    The Beatings Will Continue... Until the Firmware Improves.

  7. Tomato, DD-WRT, or OpenWrt by seifried · · Score: 4, Informative

    Because friends don't let friends run crappy firmware with back doors/known problems.

    http://www.linuxpromagazine.com/Issues/2010/119/Security-Lessons-Linux-WAP/(tagID)/337

  8. xmlset_roodkcableoj28840ybtide by Alsee · · Score: 4, Funny

    Heay!
    That's the combination on my luggage!

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  9. The home router market is an ongoing disaster by mtaht · · Score: 5, Interesting
    It's not just simple backdoors like the dlink one that are a problem.

    There is a systemic complete and total regard for basic tenets of security in nearly the entire home router/cpe market.

    Start with crypto - no hwrng and a known "less than ideal" version of /dev/random to feed your "secure" wpa and ssh sessions.

    Worse:

    There is no privilege separation in most routers, which was ok when they were single function devices - BUT: not ok, when vulnerability via services like samba can be used to root most of the top 10 current home routers:

    http://securityevaluators.com/content/case-studies/routers/soho_service_hacks.jsp

    Once an attacker p0wns your home gateway they can change your dns to malicious sites, as dnschanger did:

    http://www.dcwg.org/

    or have it participate in botnets, or inflict further attacks on unsuspecting devices both inside and outside your firewall, or sniff your traffic - there is no security when your front door is left wide open.

    What nearly every home router and cpe manufacturer is shipping is **rotware**, running 4-7 year old kernels with known CVEs, and 10 year old versions of critical services like dnsmasq. You'd think that new 802.11ac devices available for this Christmas might have some modern software on it, but just to pick out a recent example - the "new" netgear nighthawk router runs Linux 2.6.36.4 and dnsmasq 2.15, according to their R7000 gpl code drop -

    http://kb.netgear.com/app/answers/detail/a_id/2649

    Brand new hardware - 4+ and 10 year old software respectively.

    It's unfair of me to pick on Netgear, every router I've looked at this Christmas season has some major issues.

    Right now, the only current hope for decent security in home routers is in open, modern, and maintained firmware. And I wish the manufacturers (and ISPs, AND users, and governments) understood that, and there was (in particular) a sustainable model for continuous updates and upgrades as effective as android's in this market. I don't care if it came from taxation, isp fees, or built into the price of the device - would you willingly leave your networks' front door open if you understood the consequences?

    Rotten routers with closed source code, and no maintenance, are a huge security risk, and they are holding back the ipv6 transition (and nearly all current models have bufferbloat, besides).

    How can the dysfunctional edge of the Internet be fixed?

  10. Re:A big problem by viperidaenz · · Score: 5, Informative

    Apparently IE might let you change the user agent
    http://stackoverflow.com/questions/6995311/how-can-i-spoof-the-user-agent-of-a-javascript-get-request
    You'd just need to work in some cross domain exploit somehow... or have a subdomain of your website resolve to 192.168.1.1

  11. Yes they did, TAO by Anonymous Coward · · Score: 4, Insightful

    Read it and weep:
    http://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story_1.html

    "Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO). As its name suggests, TAO builds attack tools that are custom-fitted to their targets. "

    "Tailored Access Operations has software templates to break into common brands and models of “routers, switches and firewalls from multiple product vendor lines,” according to one document describing its work."

    So on the one hand they're supposed to defend US networks from attack, while on the other hand they have detailed knowledge of these backdoors and use them for their own use while keeping them secret.

    So yes, the NSA did have a hand in it, at the minimum it kept it secret while exploiting it.

  12. Re:A big problem by SethJohnson · · Score: 4, Interesting

    Certainly, DNS would be a pretty quick way to abuse all devices on the other side of the router. It might be detected when the owner verifies the settings themselves or watches their own network traffic and observes the DNS lookups hitting the wrong destination. It's likely that this would have set off red flags before now. Many anti-malware packages check for DNS redirections, for example.

    Being able to manipulate the router's config interface would allow an external entity the ability to upload a new firmware to the router. The new firmware would offer the attacker switches to flip at will that would enable packet sniffing of all traffic and man-in-the-middle SSL attacks. Organized crime / NSA (redundant to mention both, I know) seek no deeper capabilities than this.

    You bring up a great point of smaller establishments running WiFi on D-Link equipment. Perhaps their SSIDs should be modified to read, "HACKED BY NSA - DO NOT USE!"

  13. Re:Idiot pruf by L4t3r4lu5 · · Score: 4, Interesting

    That only applies if you think of the firmware as being worth the sale of only one router. The models listed are all consumer grade, but I'm willing to bet that because they're cheap they're also popular. Your $100 router all of a sudden is $10m in sales if 100k are sold, across those six (so far identified) ranges. Not so hard to imagine? Now think of those who work from home over networks served by that hardware, or the SMB with only a couple of clients on the network and no need for professional switching equipment. Now it's business loss to consider, even if downtime to fix the breach is the only loss experienced.

    I can easily see something like this having the potential to cause losses not dissimilar to your "shuttle crash" scenario. It's "keys to the kingdom" external access to what should be a private network.

    Finally, there's no chance in hell of even 1% of these devices receiving a firmware update. Nobody (outside of us) upgrades the firmware on their home router; they run it from factory until death, then buy another one. These devices will be vulnerable for the foreseeable future.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  14. Re:Cisco by cjjjer · · Score: 5, Funny

    Remind me never to pick you as a team-mate for Trivial Pursuit.