XMicro.backdoor.txt

Date: 10 Apr 2004 00:00:00
Reported by: Gergely Risko
Type: packetstorm
Source: packetstormsecurity.com

Backdoor in X-Micro Router allows remote access; default credentials pose great risk.

Backdoor in the X-Micro WLAN 11b Broadband Router

FCC ID: RAFXWL-11BRRG
Firmware Version: 1.2.2, 1.2.2.3 (probably others too)
Remote: yes, easily exploitable
Type: administration password, which always works

The following username and password work in every case, even if you
set another password on the web interface:
Username: super
Password: super

By default the builtin webserver is listening on all network
interfaces (if connected to the internet, then it is accessible from
the internet too). Using the webinterface one can install new
firmware, download the old, view your password, etc., so he can:
- make your board totally unusable, beyond repair
- install viruses, trojans, sniffers, etc. in your router
- get your password for your provider and maybe for your emails.

Possible fixes:
1. Set up portforwarding, and forward port 80; this way from the WAN
interface an attack is impossible. But be aware that anyone in your
local LAN (possibly over a wireless connection) can login to your
router.

2. Upload a fixed firmware. I've made an unofficial (but fixed)
one. You can download it from
http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.1/xm-11brrg-0.1.bin
This firmware is unofficial. NO WARRANTY.
This firmware also fixes other bugs; for a list see:
http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.1/Changes
The tool which was used to create the image is also released under the
GPL: http://xmicro.risko.hu/US8181-20040410.tar.gz
DOCS: http://xmicro.risko.hu/

I don't know when the folks at X-Micro (who built this so nasty
backdoor into this device) will reply; I bcc'ed this mail to them.
I chose not to contact them earlier, because they seriously violated
the GPL; the open source community tried to communicate with them,
but without any positive results. And I'm sure that they know
about this remote backdoor.

Gergely Risko
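The advisory makes two separate points that a defender can watch for: the maintenance account `super` is accepted regardless of the configured password, and the admin web server answers on the WAN interface. The following audit script is an added example, not part of the original advisory or of Gergely Risko's firmware work. It assumes (this is not stated on the page) that the router's web interface uses HTTP Basic authentication, and it runs over a constructed, hypothetical log format (`src | method path | status | Authorization value or -`) rather than any real X-Micro log. It flags every request that carries the hard-coded account name, whatever password was sent, and every admin request that arrives from outside RFC 1918 space, which is the exposure the advisory's first fix is meant to close.

```python
import base64
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Account name the advisory reports as always accepted (from the page).
BACKDOOR_USER = "super"

# Assumption: the local LAN is RFC 1918 space; anything else is "WAN".
LAN_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Finding:
    line_no: int
    src: str
    user: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <b64>' value into (user, password).

    Returns None for any other scheme or for a malformed token, so that
    callers can flag garbage credentials instead of crashing on them.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def is_lan(src: str) -> bool:
    """True when the source address falls inside the assumed LAN ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETWORKS)


def audit(log_lines: List[str]) -> List[Finding]:
    """Walk the constructed log and return one Finding per suspicious request."""
    findings: List[Finding] = []
    for n, line in enumerate(log_lines, 1):
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue  # skip lines that do not match the constructed format
        src, _request, _status, auth = parts
        reasons: List[str] = []
        user: Optional[str] = None

        # Point 1 of the advisory: the admin server is reachable from the WAN.
        if not is_lan(src):
            reasons.append("wan_source")

        # Point 2: the 'super' account is accepted no matter what password was set,
        # so any use of that username is worth an alert, from the LAN as well.
        if auth != "-":
            creds = parse_basic_auth(auth)
            if creds is None:
                reasons.append("malformed_auth")
            else:
                user = creds[0]
                if user == BACKDOOR_USER:
                    reasons.append("backdoor_account")

        if reasons:
            findings.append(Finding(n, src, user, reasons))
    return findings


# Constructed sample log; the base64 tokens decode to admin:secret and super:super.
SAMPLE_LOG = [
    "192.168.1.23 | GET /index.htm | 200 | Basic YWRtaW46c2VjcmV0",
    "203.0.113.9 | GET /index.htm | 401 | -",
    "203.0.113.9 | GET /upgrade.htm | 200 | Basic c3VwZXI6c3VwZXI=",
    "10.0.0.5 | GET /status.htm | 200 | Basic c3VwZXI6c3VwZXI=",
    "198.51.100.4 | GET /index.htm | 401 | Basic !!!notbase64",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src} user={f.user} reasons={','.join(f.reasons)}")
```

The first sample line is a normal LAN login with the owner's own password and produces no finding; the WAN lines are flagged even when no credentials were sent, because the exposure itself is the problem the advisory describes, and the `super` logins are flagged from the LAN too, since a forwarded port 80 does nothing against a neighbour on the wireless side.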

Vulners AI Score: 7.4 (High risk)