Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Vulnerabilities, Backdoors Found in D-Link Mobile Hotspot

Vulnerabilities, Backdoor Found in D-Link DWR-932B LTE Router

Vulnerabilities, Backdoor Found in D-Link DWR-932B LTE Router

Security researchers have discovered numerous unpatched security vulnerabilities in the D-Link DWR-932B LTE router / access point, including backdoor accounts and default Wi-Fi Protected Setup (WPS) PIN.

The device is being sold in various countries and appears to be customers’ security nightmare because of the numerous security weaknesses. The vulnerabilities were discovered by Pierre Kim, who decided to reveal only the most significant of them, and who says that the issues affect even the latest firmware version released by the vendor.

Earlier this year, Kim disclosed numerous unpatched vulnerabilities affecting the LTE QDH routers made by Quanta, including backdoors, hardcoded PIN, flaws in the web interface, remote code execution issue, and other bugs. The flaws that impact D-Link’s router are similar to those found in Quanta’s device, it seems.

The researcher discovered two backdoor accounts on the device and says that they can be used to bypass the HTTP authentication used to manage the router. There is an “admin” account with password “admin,” as well as a “root” account, with password “1234.” By default, telnetd and SSHd are running on D-Link DWR-932B, yet the latter isn’t documented, the researcher also explains.

Next, there is a backdoor inside the /bin/appmgr program, which allows an attacker to send a specific string in UDP to the router to start an authentication-less telnet server (if a telnetd daemon is not already running). The issue is that the router listens to 0.0.0.0:39889 (UDP) for commands and that it allows access without authentication as root if “HELODBG” is received as command.

D-Link DWR-932B also comes with 28296607 as the default WPS PIN, and has it hardcoded in the /bin/appmgr program. The HostAP configuration contains the PIN as well, and so do the HTTP APIs. What’s more, although the router allows the user to generate a temp PIN for the WPS system, the PIN is weak and uses an algorithm leveraging srand(time(0)) as seed. An attacker knowing the current date as time(0) can generate valid WPS PIN suites and brute-force them, the researcher explains.

Kim also reveals that the file /etc/inadyn-mt.conf contains a user and a hardcoded password, and that the HTTP daemon /bin/qmiweb contains multiple vulnerabilities as well. The router also executes strange, purposeless shell commands as root.

Advertisement. Scroll to continue reading.

Furthermore, the router supports remote FOTA (Firmware Over The Air) and contains the credentials to contact the server hardcoded in the /sbin/fotad binary, as base64-strings. The researcher discovered that, although the FOTA daemon tries to retrieve the firmware over HTTPS, the SSL certificate has been invalid for one year and a half.

The researcher also reveals that the security level of the UPNP program (miniupnp) in the router is lowered, which allows an attacker located in the LAN area to add Port forwarding from the Internet to other clients located in the LAN. “There is no restriction about the UPnP permission rules in the configuration file, contrary to common usage in UPnP where it is advised to only allow redirection of port above 1024,” Kim notes.

Because of this lack of permission rules, an attacker can forward everything from the WAN into the LAN, the researcher says. This means that they can set rules to allow traffic from the Internet to local Exchange servers, mail servers, FTP servers, HTTP servers, database servers, and the like.

An attacker can overwrite the router’s firmware with a custom firmware if they wanted to, “but with all these vulnerabilities present in the default firmware, I don’t think it is worth making the effort,” Kim says. He also notes that, because the device has a sizable memory (168 MB), a decent CPU, and good free space (235 MB), along with complete toolkits installed by default, users should consider trashing it, “because it’s trivial for an attacker to use this router as an attack vector.”

D-Link was informed on these issues in June, but the company failed to resolve them until now. Because 90 days have passed since the vulnerabilities were disclosed to the vendor, Kim decided to publish an advisory to reveal these bugs.

This is not the first time D-Link products have made it to the headline due to security vulnerabilities. The company patched a critical flaw in several DIR model routers in August, after a popular D-Link Wi-Fi camera was found in June to be affected by a serious flaw that was subsequently discovered in over 120 D-Link products.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.