October 30, 2014

Backdoor found for several D-Link routers

An intentional backdoor designed into some of D-Link’s home routers has been found by security researcher Craig Heffner. Having reverse engineered the firmware used in a D-Link DIR-100 router, Craig discovered that by setting a browser’s user agent string to “xmlset_roodkcableoj28840ybtide” (without the quotes) he could gain full access to the router without entering a username and password.

If exploited, an attacker would be able to change any of the settings on the router and gain access to the network. During his research Craig discovered that the browser string was mentioned only once on the Internet, in a Russian forum post from a few years ago that noted the string was probably significant. As such, there are no reports of this backdoor being used in the wild. D-Link has acknowledged the existence of the backdoor and said a fix would be available by the end of October.

“Various media reports have recently been published relating to vulnerabilities in network routers, including D-Link devices. Security and performance is of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards,” said D-Link in a statement. “We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed.”

It is thought that the backdoor was intentionally programmed into the web server so that the router could be automatically configured when used with services like dynamic DNS. Since the web server contained all the code necessary to alter the router’s settings, the programmers bypassed the authentication mechanism with the hard-coded browser string. This in turn allowed them to set the parameters for legitimate reasons. It is likely they didn’t think the string would ever be discovered.
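Because the backdoor is keyed on a fixed User-Agent value, the string is also a ready-made detection signature. The following is an added example (not from the article or from D-Link) that scans web-server access logs in the common Apache/nginx “combined” format, an assumed format since the router’s own log layout is not given here, and flags any request carrying the token, including one padded with a normal browser UA:

```python
import re

# Backdoor user-agent string disclosed by Craig Heffner (quoted in the article).
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Assumed Apache/nginx "combined" access-log format, e.g. from a reverse proxy
# or syslog collector in front of the router; the user agent is the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_backdoor_requests(log_lines):
    """Return one dict per parsed request whose User-Agent carries the token.
    The check is case-insensitive and substring-based, so a client that pads
    the token with a normal browser UA is still flagged; unparseable lines are skipped.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if BACKDOOR_UA in m.group("ua").lower():
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "request": m.group("request"),
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample log: two backdoor-style requests (one with a padded UA),
# one ordinary browser request that was refused, and one malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Oct/2014:10:15:02 +0000] "GET /setup.php HTTP/1.1" '
    '200 1843 "-" "xmlset_roodkcableoj28840ybtide"',
    '198.51.100.23 - - [30/Oct/2014:10:15:40 +0000] "GET /index.php HTTP/1.1" '
    '401 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0"',
    '198.51.100.44 - - [30/Oct/2014:10:16:11 +0000] "POST /admin.php HTTP/1.1" '
    '200 731 "-" "Mozilla/5.0 XMLSET_roodkcableoj28840ybtide"',
    'garbage line that is not an access-log entry',
]

if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print("backdoor UA from %(ip)s at %(time)s: %(request)s -> %(status)d" % hit)
```

A hit with a 200 status on an administrative page from an address you do not recognise is the case worth investigating; the paths in the sample are constructed, not real D-Link pages.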

Based on string searches Heffner says it can be reasonably concluded that the following D-Link devices are affected:

  • DIR-100
  • DIR-120
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

Additionally, several Planex routers also appear to use the same firmware:

  • BRL-04UR
  • BRL-04CW

D-Link already has new firmware available for several of the affected models, some of which aren’t listed in Heffner’s original list:

  • DIR-300
  • DIR-600
  • DIR-615
  • DIR-645
  • DIR-815
  • DIR-845L
  • DIR-865L
  • DSL-320B
  • DSL-321B

SSH backdoor found in Barracuda Networks products

(LiveHacking.Com) – Several different products from Barracuda Networks, including its Spam and Virus Firewall, have secret backdoors which, under the right circumstances, can give hackers administrative access to the devices.

The revelation comes from Austrian security company SEC Consult Vulnerability Lab, which reports that the undocumented accounts cannot be disabled and can be used to gain remote access to the appliance via SSH.

The following products are affected: Barracuda Spam and Virus Firewall, Barracuda Web Filter, Barracuda Message Archiver, Barracuda Web Application Firewall, Barracuda Link Balancer, Barracuda Load Balancer, Barracuda SSL VPN, CudaTel. The Barracuda Backup Server, Barracuda Firewall, and Barracuda NG Firewall are not affected.

In an attempt to limit access to the backdoor, Barracuda added network rules which only allow access to SSH from certain IP addresses. Internal connections from 192.168.200.0/24 and 192.168.10.0/24 are allowed, while public access is granted from addresses in the 205.158.110.0/24 and 216.129.105.0/24 ranges. The problem is that only some of those addresses are owned and controlled by Barracuda; the others are not.
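Since the mitigation is only an address allowlist, a defender’s first question is which accepted SSH logins actually arrived from those four ranges. The following is an added example (not from the article, SEC Consult or Barracuda) that classifies OpenSSH-style “Accepted” log lines by the ranges quoted above; the log format and the account name are assumptions, as the article does not name the undocumented accounts:

```python
import ipaddress
import re

# Source ranges that Barracuda's default rules allowed to reach SSH (from the
# article). Only some of the public ranges are actually Barracuda-controlled.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("192.168.200.0/24", "192.168.10.0/24")]
PUBLIC_RANGES = [ipaddress.ip_network(n) for n in ("205.158.110.0/24", "216.129.105.0/24")]

# Assumed OpenSSH syslog format; an appliance's own log layout may differ.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def classify_source(ip_text):
    """Label an SSH source address by which allowlisted range, if any, it falls in."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in PUBLIC_RANGES):
        return "public-allowlisted"
    if any(ip in net for net in INTERNAL_RANGES):
        return "internal-allowlisted"
    return "other"


def suspicious_ssh_logins(log_lines):
    """Return (user, ip, auth method) for accepted logins from the public allowlisted ranges."""
    flagged = []
    for line in log_lines:
        m = SSHD_RE.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are ignored here
        if classify_source(m.group("ip")) == "public-allowlisted":
            flagged.append((m.group("user"), m.group("ip"), m.group("method")))
    return flagged


# Constructed sample log; "support_acct" is a placeholder account name.
SAMPLE_LOG = [
    "Jan 24 03:12:09 appliance sshd[2231]: Accepted password for support_acct from 216.129.105.9 port 51022 ssh2",
    "Jan 24 03:13:41 appliance sshd[2240]: Accepted publickey for admin from 192.168.10.5 port 40110 ssh2",
    "Jan 24 03:15:00 appliance sshd[2251]: Failed password for root from 203.0.113.9 port 33001 ssh2",
    "Jan 24 03:17:22 appliance sshd[2262]: Accepted password for support_acct from 205.158.110.200 port 52100 ssh2",
]

if __name__ == "__main__":
    for user, ip, method in suspicious_ssh_logins(SAMPLE_LOG):
        print("accepted %s login for %s from allowlisted public range: %s" % (method, user, ip))
```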

Barracuda was informed of the vulnerabilities at the end of November. Stefan Viehböck of SEC Consult Vulnerability Lab reported two issues affecting Barracuda devices which “an attacker could use to gain unauthorized access to the appliance.”

“Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses. The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit,” said Barracuda in an advisory.

Barracuda vice president for product management Steve Pao spoke to The Register and said that the accounts are used for support purposes but admitted that the setup is flawed. Barracuda will also pay an “unspecified bounty” for finding the flaw.

Barracuda recommends that its customers update the Security Definitions on their devices to v2.0.5 immediately. It added that “while this update drastically minimizes potential attack vectors, our support department is available to answer any questions on fully disabling this functionality if support access is not desired.”

RuggedCom to Fix Hard-coded Backdoor Within the Next Few Weeks

(LiveHacking.Com) – It has been revealed that the RuggedCom Rugged Operating System (ROS), which is used in RuggedCom’s network infrastructure devices, contains a hard-coded user account with a computable password based on the device’s MAC address. The backdoor “factory” account cannot be manually disabled, leaving the device open for hackers to gain complete administrative control of any affected device. The revelation was made on the Full Disclosure mailing list along with a simple Perl script to calculate the password when the MAC address is given.

According to a security advisory published by RuggedCom in response to the disclosure: “The secure shell (ssh) and web access (https) do not have the backdoor access as of ROS version 3.3 and above, however telnet, remote shell (rsh) and serial console do have the backdoor access in these versions. Earlier versions of the ROS software (prior to v3.3) have the backdoor access within all these services (ssh, https, telnet, rsh and the serial console).”

The company, which was bought by Siemens in March, will release a new version of ROS in “the next few weeks”. The new version will remove the factory account and disable telnet and rsh by default. Updates will be made available for ROS v3.7, 3.8, 3.9, and 3.10. Any installations using a version of ROS before v3.7 need to upgrade.

The most alarming aspect of this backdoor access is the lack of response by RuggedCom. According to the disclosure, the company was told in April 2011 that the backdoor had been uncovered and the password was computable. In June 2011 they verbally acknowledged the existence of the backdoor and then ceased all communication. In February 2012 US-CERT was notified.

RuggedCom equipment, which is marketed as having “industrial strength” and designed for “mission-critical applications in harsh environments”, is installed in traffic control systems, railroad communications systems, power plants, electrical substations, and even US military sites.

TheHSecurity: Back door in HP network storage solution

HP’s P2000 G3 MSA Storage Area Network (SAN) product contains a hidden and undocumented account with more privileges than the normal customisable account (manage:!manage). Apparently included for support purposes, the account (admin:!admin) is not visible in the user manager and can’t be deleted or modified. It allows unauthorised users to access these systems and the data stored there.

Read the full story here.

Source:[TheHSecurity]

Hacker Creates Modified Symbian S60 Firmware with Hidden Back Door

Professional security researcher, hacker and MalCon speaker Atul Alex has analyzed the firmware for the Symbian S60 smartphone (which also runs on the Nokia 5800, Nokia X6, Nokia 5530XM, Sony Ericsson Satio and Sony Ericsson Vivaz) and created a modified firmware with a back door which allows a 3rd party to record telephone calls and download emails, telephone lists and text messages from the phone’s memory.

To use the back door, the new firmware must be downloaded on to the target phone in a manoeuvre reminiscent of the best Hollywood spy films. The compromised firmware, which is created by modifying version 5 of the original software, allows all of the smartphone’s functions to be remotely controlled, including the camera.

Once installed, the hack contacts the attacker via a wireless connection and transmits the device’s current IP address. The attacker can then connect to the phone remotely and any stolen data can be transmitted via 3G or WLAN to the attacker’s file server.

The H are reporting that the back door uses a technique to hide the extra process from the system’s TaskManager. The only way to remove the back door is to overwrite the firmware with Symbian’s original software.

Backdoor Rootkit For Network Card

Guillaume Delugré, a security researcher at French security firm Sogeti ESEC, has demonstrated how it might be possible to place backdoor rootkit software on a network card.

This proof-of-concept code was developed after studying the firmware from Broadcom NetExtreme PCI Ethernet cards.

He used publicly available documentation and free open-source tools to build a set of tools to instrument the network card firmware. Those tools gave him a way to debug the MIPS CPU of the network card in real time, as well as to perform advanced instrumentation of the firmware code such as execution-flow tracing and memory-access logging.

Further, by reverse engineering the card’s EEPROM, he developed custom firmware code, flashed it to the device and gained code execution on the CPU of the network card.

The resulting rootkit resides inside the network card and offers some interesting features:

  • A very stealthy communication end-point over the Ethernet link. It can intercept and forge network frames without the operating system knowing about it.
  • Physical system memory access using DMA over the PCI link, leading to OS corruption.
  • No trace of the rootkit on the operating system, as it is being hidden inside the NIC.

“The network card natively needs to perform DMA accesses, so that network frames can be exchanged between the driver and the device. From the firmware point of view, everything is operated using special dedicated device registers, some of them being non-documented. An attacker would then be able to communicate remotely with the rootkit in the network card and get access to the underlying operating system thanks to DMA,” Delugré explains.

This research was presented at the Hack.lu conference last month. The presentation slides are available to download here.

Source:[http://esec-lab.sogeti.com/dotclear/index.php?post/2010/11/21/Presentation-at-Hack.lu-:-Reversing-the-Broacom-NetExtreme-s-firmware]

Apple QuickTime backdoor creates code-execution peril

A security researcher has unearthed a “bizarre” flaw in Apple’s QuickTime Player that can be exploited to remotely execute malicious code on Windows-based PCs, even those running the most recent versions of the operating system.

Read the full article here.

Source:[TheRegister]