Bugtraq mailing list archives
Re: Backdoor in X-Micro WLAN 11b Broadband Router
From: Mariano Firpo <marianofirpo () x-micro com>
Date: 16 Apr 2004 14:35:49 -0000
In-Reply-To: <84smfb7rmf.fsf () risko hu> X-Micro Support Team: 1- The backdoor has been solved with the latest Firmware 1.601. 2- Please do not upgrade the Firmware with unofficial releases because this will void the warranty. 3- Thanks for posting this security issue. Warm Regards, X-Micro Support Dep. Tel: 886-2-8226-2727 Fax: 886-2-8226-2828 ====================================== X-Micro Technology Corp. Plug & Fly Web site: http://www.x-micro.com Email: support () x-micro com Address: 13F-4, No.738, Chung Cheng Road, Chung Ho City, Taipei Hsien, Taiwan 235, R.O.C ========================================================================
Received: (qmail 18194 invoked from network); 10 Apr 2004 19:22:18 -0000 Received: from outgoing2.securityfocus.com (205.206.231.26) by mail.securityfocus.com with SMTP; 10 Apr 2004 19:22:18 -0000 Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20]) by outgoing2.securityfocus.com (Postfix) with QMQP id B5BF58FD7D; Sat, 10 Apr 2004 07:07:30 -0600 (MDT) Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <bugtraq.list-id.securityfocus.com> List-Post: <mailto:bugtraq () securityfocus com> List-Help: <mailto:bugtraq-help () securityfocus com> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com> Delivered-To: mailing list bugtraq () securityfocus com Delivered-To: moderator for bugtraq () securityfocus com Received: (qmail 15203 invoked from network); 10 Apr 2004 09:53:09 -0000 X-Injected-Via-Gmane: http://gmane.org/ To: bugtraq () securityfocus com From: RISKO Gergely <xmicro () risko hu> Subject: Backdoor in X-Micro WLAN 11b Broadband Router Date: Sat, 10 Apr 2004 17:57:28 +0200 Lines: 44 Message-ID: <84smfb7rmf.fsf () risko hu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Complaints-To: usenet () sea gmane org X-Gmane-NNTP-Posting-Host: jenson.atom.hu User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/21.2 (gnu/linux) Cancel-Lock: sha1:4AtmZs1UPAU7ehxwci26psrCyRM= Sender: news <news () sea gmane org> Backdoor in the X-Micro WLAN 11b Broadband Router FCC ID: RAFXWL-11BRRG Firmware Version: 1.2.2, 1.2.2.3 (probably others too) Remote: yes, easily expoitable Type: administration password, which always works The following username and password works in every case, even if you set an other password on the web interface: Username: super Password: super By default the builtin webserver is listening on all network interfaces (if connected to the internet, then it is accessible from the internet too). Using the webinterface one can install new firmware, download the old, view your password, etc., so he can: - make your board totally unusable, beyond repair - install viruses, trojans, sniffers, etc. in your router - get your password for your provider and maybe for your emails. Possible fixes: 1. Set up portforwarding, and forward port 80, this way from the WAN interface an attack is impossible. But be aware, that anyone in your local LAN (possible over a wireless connection) can login to your router. 2. Upload a fixed firmware. I've made an unofficial (but fixed) one. You can download it from http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.1/xm-11brrg-0.1.bin This firmware is unofficial. NO WARRANTY. This firmware also fix other bugs, for a list see: http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.1/Changes The tool, which used to create the image also released under the GPL: http://xmicro.risko.hu/US8181-20040410.tar.gz DOCS: http://xmicro.risko.hu/ I don't know that the folks at X-Micro (who built this so nasty backdoor in this device) when will reply, I bcc'ed this mail to them. I've chosen not contact with them earlier, because they violated the GPL seriously, the open source community tried to communicate with them, but without any positive results. And I'm sure that they know about this remote backdoor. Gergely Risko
Current thread:
- Backdoor in X-Micro WLAN 11b Broadband Router RISKO Gergely (Apr 10)
- <Possible follow-ups>
- Re: Backdoor in X-Micro WLAN 11b Broadband Router Mariano Firpo (Apr 16)
- NEW backdoor in X-Micro WLAN 11b Broadband Router RISKO Gergely (Apr 17)