Slashdot Mirror

← Back to Stories (view on slashdot.org)

Remote-Access Router Exploit Finally Revealed (helpnetsecurity.com)

Posted by EditorDavid on from the rooting-routers dept.

"Back in the days, Cisco fixed the vulnerability, but we are not sure about all other router vendors and models because there are too many of them," writes the DefenseCode team. Orome1 quotes a new report from Help Net Security: Back in January 2013, researchers from application security services firm DefenseCode unearthed a remote root access vulnerability in the default installation of some Cisco Linksys (now Belkin) routers. The flaw was actually found in Broadcom's UPnP implementation used in popular routers, and ultimately the researchers extended the list of vulnerable routers to encompass devices manufactured by the likes of ASUS, D-Link, Zyxel, US Robotics, TP-Link, Netgear, and others. Since there were millions of vulnerable devices out there, the researchers refrained from publishing the exploit they created for the flaw, but now, four years later, they've released their full research again, and this time they've also revealed the exploit. The researchers pointed out that most users don't update their router's firmware -- meaning many routers may still be vulnerable.

1 of 38 comments (clear)

  1. Re:Not a big deal by freax · · Score: 3, Informative

    Download the PDF. Go to page 15 and read the implementation of the unique_service_name function. There are 7!! rash amateur code exploits in about 30 - 50 lines of code, brackets and return calls included. That means every strcpy and even every strncpy is creating an exploitable situation. That kind of rash amateurism in implementation has nothing to do with the protocol. A mind boggling stupid idiot must have written that code. The amount of stink you see in each and every line of the implementation is what makes any serious programming speechless.vA minimal amount of code review would have blocked the contribution entirely.

    We should put the blame of this one on the programmer. Not on the protocol. That doesn't mean UPnP doesn't stink together with the implementation. Especially since often the guys writing reference and often-used libraries for a protocol, are also the ones who defined the protocol. So of the implementation is like that code, which it likely is, then I'm pretty sure the protocol isn't going to conform to RFC 1925.