2013  top

OCTOBER 2013

ARRIS gateway discloses passwords

ARRIS DG860A - NVRAM Backup Password Disclosure
by Justin Oberdorf   October 22, 2013
A backup file that contains passwords in plain text is readable without authentication on the Arris DG860A modem/router. See see the file go to this URL
http://192.168.0.1/router.data

Joels Backdoor in D-Link router

D-Link router flaw lets anyone login through "Joel's Backdoor"
by Paul Ducklin of Sophos   October 15, 2013
Quoting "If you browse to any page on the administration interface with your browser's User Agent (UA) string set to a peculiar, hard-wired value, the router doesn't bother to ask for a password ... these routers have a hardwired master key that lets anyone in through an unsupervised back door.". The no-longer-secret user agent is "xmlset_roodkcableoj28840ybtide." If remote administration is disabled, then this can not be exploited from the Internet. The flaw exists these models: DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240 and possibly the DIR-615. The same firmware is also used in the BRL-04UR and BRL-04CW routers made by Planex. The flaw was found by Tactical Network Solutions researcher Craig Heffner.

CSRF attacks on TP-Link routers

Real-World CSRF attack hijacks DNS Server configuration of TP-Link routers
by Jakob Lell   October 30, 2013
Summary coming....

Security flaw in a couple Netgear routers

Complete, Persistent Compromise of Netgear Wireless Routers
by Zach Cutlip   October 22, 2013
Effected models are the WNDR3700 and the WNDR4700. Quoting: "If you browse to http://routeripaddress/BRS_02_genieHelp.html, you are allowed to bypass authentication for all pages in the entire administrative interface. But not only that, authentication remains disabled across reboots. And, of course if remote administration is turned on, this works from the frickin' Internet ... complete, persistent administrative access to the web interface, a huge attack surface is opened up. "
This article discusses the same bug: Taking over the Netgear WNDR4700 by Jacob Holcomb of Independent Security Evaluators. April 2013

AUGUST 2013

ISE finds still more bugs in ten tested routers

Exploiting SOHO Routers Service
Research by Jacob Holcomb, Stephen Bono, Kedy Lui, Alex Morrow, and Jacob Thompson   Undated
Quoting Independent Security Evaluators "In a previous report, we released a list of SOHO router vulnerabilities and showed proof-of-concept (PoC) attack code for how to exploit them ... In this follow up study, we addressed only the extraneous, non-router services that were present on the routers. What we found was that of the 10 routers reviewed, all 10 could be compromised from the (wireless) LAN once a router had USB attached storage connected ... All 10 routers evaluated can be taken over from the local network by exploiting non-essential services that are either enabled by default, or enabled once USB storage is attached." The other services referred to are: FTP, Telnet, DNS, HTTP, SMB, HTTPS, ACSD, NetBIOS and UPnP. The routers tested were: Linksys EA6500, Netgear WNDR4700, ASUS RT-AC66U, ASUS RT-N56U, TP LINK TL-WDR4300, TP LINK TL-1043ND, TRENDnet TEW-812DRU, Netgear WNR3500, D-LINK DIR-865L and Belkin N900. One example, the Linksys EA6500: "we demonstrate how improper file permissions, unauthenticated access to SMB, and a misconfigured SMB can allow an attacker to execute arbitrary commands on the router, thereby granting the attacker a root shell." They reported on 55 new CVEs at Defcon 21

JULY 2013

Multiple Vulnerabilities in Asus routers using AiCloud

Full Disclosure ASUS Wireless Routers Ten Models - Multiple Vulnerabilities on AiCloud enabled units
by Kyle Lovett   July 14, 2013
Quoting: "In June I released a partial disclosure for just the RT-N66U on the issue of directory traversal. I have only heard back from ASUS twice on the issue, and I understand they are working on a fix. However, no serious attempt to our knowledge has been made to warn their customers in the meantime, even after multiple requests from several different security professionals. Nor has ASUS posted a disclosure of these serious issues to new potential customers on their AiCloud web adverts, since they still advertise the product as an add-on with these routers, as a safe and bug free home cloud solution."
If you have an Asus router, verify that port 443 is closed, it is used for web access. They also use port 8082 for content streaming, you may want to check that it too is closed. Another check for this bug is to reference https:///smb/bin. This would grant full access to files plugged in to an Asus router, if you accept the untrusted certificate.

More bugs in D-Link routers

OS-Command Injection via UPnP Interface in multiple D-Link devices
by m1k3   July 6, 2013
Vulnerable routers: : DIR-300 rev B / DIR-600 rev B / DIR-645 / DIR-845 / DIR-865. The vulnerability is caused by missing input validation in different XML parameters. This vulnerability could be exploited to inject and execute arbitrary shell commands. You do not need to be authenticated to the device to execute malicious commands. The vulnerability was discovered by Michael Messner.

JUNE 2013

Edward Snowden on US government spying

Edward Snowden: US government has been hacking Hong Kong and China for years
by Lana Lam in the South China Morning Post June 13, 2013
Quoting: "... according to unverified documents seen by the Post, the NSA had been hacking computers in Hong Kong and on the mainland since 2009 ... Snowden believed there had been more than 61,000 NSA hacking operations globally, with hundreds of targets in Hong Kong and on the mainland. 'We hack network backbones - like huge internet routers, basically - that give us access to the communications of hundreds of thousands of computers without having to hack every single one,' he said."

APRIL 2013

Independent Security Evaluators finds multiple bugs in multiple routers

Exploiting SOHO Routers
by Independent Security Evaluators (ISE) April 2013
Quoting: "ISE researchers have discovered critical security vulnerabilities in numerous small office/home office (SOHO) routers and wireless access points. We define a critical security vulnerability in a router as one that allows a remote attacker to take full control of the router's configuration settings, or one that allows a local attacker to bypass authentication and take control ... All 13 routers evaluated can be taken over from the local network ... 11 of 13 routers evaluated can be taken over from the WAN." The routers that were studied: Linksys WRT310Nv2, Belkin F5D8236-4 v2, Belkin N300, Belkin N900, Netgear WNDR4700, TP-Link WR1043N, Verizon Actiontec, D-Link DIR-865L, ASUS RT-N56U, ASUS RT-AC66U, Linksys EA6500, Netgear WNR3500 and TRENDnet TEW-812DRU. Research was conducted by Jacob Holcomb of ISE.
Top Wi-Fi routers easy to hack, says study by Seth Rosenblatt of CNET April 17, 2013

Two backdoor accounts in Sitecom routers

Sitecom WLM-3500 backdoor accounts
by Roberto Paleari of Emaze Networks.   April 16, 2013
The backdoor accounts provide a simple way for bad guys to obtain admin privileges on the routers. These are hard-coded accounts that are persistently stored in the device firmware. Vulnerable devices are easy to find; heise Security discovered more than 10,000 potentially vulnerable routers. Other device models and firmware versions are probably also vulnerable, but they were not checked. Sitecom has released a firmware version that, the company says, no longer contains the backdoors.

Linksys router flaw

Anatomy of an exploit - Linksys router remote password change hole
by Paul Ducklin of Sophos   April 11, 2013
Summary coming .....
http://arstechnica.com/security/2013/04/using-a-linksys-wi-fi-router-it-could-be-ripe-for-remote-takeover/

Multiple Vulnerabilities in D-Link devices

Multiple Vulnerabilities in D-Link devices
by m1k3   April 5, 2013
Buggy routers: DIR-600 / DIR-300 revB / DIR-815 / DIR-645 / DIR-412 / DIR-456 / DIR-110. The vulnerability is caused by missing input validation in the dst parameter and missing session validation and can be exploited to inject and execute arbitrary shell commands. You do not need to be authenticated to the device to insert and execute malicious commands. The vulnerability was discovered by Michael Messner.
D-Link DIR-645 Authentication Bypass by Roberto Paleari of Packet Storm Feb 28, 2013

Don't Use Linksys Routers

Don't Use Linksys Routers
by Phil Purviance, a security researcher April 5, 2013
Quoting: "Back in 2012 I gave a talk at a conference [and] ... demonstrated how anybody could design an internet worm that targeted common network devices like routers and turn them into a powerful botnet ... For the presentation, I demonstrated a vulnerability in the uber-popular Linksys WRT54GL router. Well, it's been almost a year since that presentation ... " and the bug has not been fixed. Over a year.
Then he looked at the Linksys EA2700 router and wrote "I hooked it up and spent maybe 30 minutes testing the security of the embedded website used to manage the device, then never used it again. What I found was so terrible, awful, and completely inexcusable! It only took 30 minutes to come to the conclusion that any network with an EA2700 router on it is an insecure network!". He published five bugs in the Linksys EA2700.

MARCH 2013

Mapping the Internet via a router virus

Researcher uses botnet to map internet
by Paul Ducklin of Sophos March 20, 2013
Summary coming....

Metasploit modules for multiple router flaws

Weekly Update: Consumer-Grade Hacking, Attribution and Testing, and Msfupdate updates
by Rapid7   March 28, 2013
New Metasploit modules for consumer routers: a Linksys E1500 / E2500 remote command exec exploit, a Linksys 1500 directory traversal exploit, a directory traversal module for TP-Link's TL-WA701ND access point, a password extractor for the DLink DIR-645.

FEBRUARY 2013

Another D-Link router flaw

Security alert for D-Link routers by The H Security February 5, 2013
Quoting: "Security expert Michael Messner has identified several holes in D-Link's DIR-300 and DIR-600 routers that allow potential attackers to execute arbitrary commands with little effort ... the router manufacturer does not appear to be planning to close the hole." A simple POST parameter allows Linux commands to be executed as root; no password needed. Many of the vulnerable devices can be accessed from the Internet. Messner found other security issues too such as the root password being saved in plain text. Since D-Link ignored this flaw the H said: "As there is virtually no way of preventing an attack at present, the most sensible solution is to decommission the affected routers...".

Remote preauth flaw in Broadcom UPnP affects millions of routers

From Zero to ZeroDay Journey: Router Hacking (WRT54GL Linksys Case)
by Leon Juranic of DefenseCode   March 10, 2013
The author stumbled across a very interesting remote preauthentication code execution vulnerability in the very popular Cisco Linksys WRT54GL router. Other Cisco Linksys models are also vulnerable along with many other routers from ASUS, D-Link, Zyxel, Linksys, TP-Link, Actiontec, Netgear, Belkin, NetComm, Huawei, Siemens and more. There are at least 15 million vulnerable routers. On a good router, the vulnerability can only be exploited from the LAN side, but many bad routers expose UPnP to the Internet. This vulnerability is present in the UPnP protocol implementation originally developed by Broadcom Company and distributed by many router manufacturers. Specifically, its in the IGD (Internet Gateway Device) module. It is a Format String bug that can be exploited to remotely read or write memory on a vulnerable router without prior authentication. The bug is in files wanipc.c and wanpp.c. Exploting the flaw gives a bad guy root shell which lets them do anything they want on the router.

Yet another UPnP bug

D-Link DIR-815 UPnP Command Injection
by Zach Cutlip February 1, 2013
"With all the excitement regarding UPnP vulnerabilities lately, I though I'd write up this one I found a few weeks back. I had kind of forgotten about it. But it's pretty straight forward, and kind of fun ... In Tactical Network Solutions' Intro to Embedded Device Exploitation class, we use the D-Link DIR-815 for the practical exercises since there are tons of great 0-days for the students to find. The last time we taught the class, I thought I'd try my hand at finding a new one. Twenty minutes in, voila! Command injection in a single multicast packet! " A command injection bug lets a bad guy take ownership of the D-Link DIR 815 with a single multicast packet.

JANUARY 2013

UPnP - a HUGE flaw on MILLIONS of routers

UPnP flaws expose tens of millions of networked devices to remote attacks, researchers say
By Lucian Constantin   Jan. 29, 2013
Universal Plug and Play, (UPnP) is a protocol designed to automatically configure networking equipment without user intervention. It was supposed to be LAN side only. Oopsie. This is one of the major flaws in consumer routers that pushed me to recommend business class routers. It is a truly amazing story. The research was done by Rapid7.
Tens of millions of network-enabled devices including routers, printers, media servers, IP cameras, smart TVs and more can be attacked over the Internet because of dangerous flaws in their implementation of the UPnP. Rapid7 found over 80 million unique public IP addresses that responded to UPnP discovery requests over the Internet, during scans performed last year from June to November.

DefenseCode Security Advisory Broadcom UPnP Remote Preauth Code Execution Vulnerability (PDF)
Quoting: "During the security evaluation of Cisco Linksys routers for a client, we have discovered a critical security vulnerability that allows remote unauthenticated attacker to remotely execute arbitrary code under root privileges. Upon initial vulnerability announcement a few weeks ago Cisco spokesman stated that only one router model is vulnerable - WRT54GL. We have continued with our research and found that, in fact, same vulnerable firmware component is also used in at least two other Cisco Linksys models - WRT54G3G and probably WRT310N. Moreover, vulnerability turns out even more dangerous, since we have discovered that same vulnerable firmware component is also used across many other big-brand router manufacturers and many smaller vendors.Vulnerability itself is located in Broadcom UPnP stack ... we have sent more than 200 e-mails to various router manufacturers and various people, without much success. Some of the manufacturers contacted regarding this vulnerability are: Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear and US Robotics ... We don't know exactly how many of them are affected, since we were unable to contact all of them, but we suspect there are probably tens of millions vulnerable routers out there. "


  Bugs from 2013 have been viewed 12,348 times
(5/day over 2,686 days)