Recently he published another piece of research, titled 'From China, With Love', which shows that D-Link is not the only vendor that puts backdoors in its products. According to him, the China-based networking device and equipment manufacturer Tenda Technology (www.tenda.cn) has also added potential backdoors to its wireless routers.
He unpacked the software framework update, located the httpd binary and found that
the manufacturer is using the GoAhead server, which has been substantially
modified.
These routers are protected with standard Wi-Fi Protected Setup (WPS)
and a WPA encryption key, but an attacker could still take over the router
by sending a UDP packet containing a special string.
The routers contain a flaw in the httpd component: the MfgThread()
function spawns a backdoor service that listens for incoming messages
containing commands to execute. A remote attacker with access to the
local network can execute arbitrary commands with root privileges.
He observed that an attacker only needs to send the following command, which starts a telnet server, to UDP port 7329 in order to gain root access:
echo -ne "w302r_mfg\x00x/bin/busybox telnetd" | nc -q 5 -u 7329 192.168.0.1
Here, "w302r_mfg" is the magic string that gives access via the backdoor.
Some of the vulnerable routers are W302R and W330R as well as re-branded
models, such as the Medialink MWN-WAPR150N. Other Tenda routers are
also possibly affected. They all use the same “w302r_mfg” magic packet string.
An Nmap NSE script to test for the backdoored routers, tenda-backdoor.nse, is also available for penetration testing.
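On the defensive side, the packet described above is distinctive enough to alert on. The following Python is an added example, not code from the original research or from the Nmap script: it flags UDP datagrams to port 7329 that begin with the magic string and, assuming the layout seen in the article's sample packet (magic, NUL byte, one selector byte, argument), extracts the carried command for triage. The names `inspect_datagram`, `scan` and `Hit` and the sample records are constructed for illustration.

```python
from typing import Iterable, NamedTuple, Optional, Tuple

BACKDOOR_PORT = 7329   # UDP port given in the article
MAGIC = b"w302r_mfg"   # magic string given in the article

class Hit(NamedTuple):
    src: str
    dst: str
    selector: str   # byte after the NUL ('x' in the article's packet); assumed layout
    argument: str   # remaining bytes, escaped for safe logging

def _printable(data: bytes) -> str:
    # latin-1 maps every byte; unicode_escape turns control and non-ASCII bytes
    # into \n, \xNN etc., so attacker-supplied bytes cannot split an alert line.
    return data.decode("latin-1").encode("unicode_escape").decode("ascii")

def inspect_datagram(src: str, dst: str, dport: int, payload: bytes) -> Optional[Hit]:
    """Return a Hit for a UDP datagram to port 7329 that starts with the magic string."""
    if dport != BACKDOOR_PORT or not payload.startswith(MAGIC):
        return None
    rest = payload[len(MAGIC):]
    if not rest.startswith(b"\x00") or len(rest) < 2:
        return Hit(src, dst, "", "")   # magic only: probe or truncated packet
    return Hit(src, dst, _printable(rest[1:2]), _printable(rest[2:]))

Record = Tuple[str, str, int, bytes]

def scan(records: Iterable[Record]) -> list:
    """Inspect every record and return the hits in input order."""
    return [h for h in (inspect_datagram(*r) for r in records) if h is not None]

# Constructed sample datagrams (src, dst, dst port, payload); not captured traffic.
SAMPLE = [
    ("192.168.0.50", "192.168.0.1", 7329, b"w302r_mfg\x00x/bin/busybox telnetd"),
    ("192.168.0.51", "192.168.0.1", 7329, b"w302r_mfg"),             # magic only
    ("192.168.0.52", "192.168.0.1", 53, b"w302r_mfg\x00x/bin/ls"),   # other port
    ("192.168.0.53", "192.168.0.1", 7329, b"unrelated payload"),     # no magic
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"ALERT tenda-mfg-backdoor {hit.src} -> {hit.dst} "
              f"selector={hit.selector!r} argument={hit.argument!r}")
```

The same match (UDP destination port 7329, payload starting with `w302r_mfg`) can be carried over to an IDS rule or a firewall drop rule on the LAN segment.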