
Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol - ascorbic
https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html
======
userbinator
_The latest firmware for Dlink 850L revA
(DIR850L_REVA_FW114WWb07_h2ab_beta1.bin) is not protected and a new firmware
image can be trivially forged by an attacker._

That's a feature, not a bug. ( [https://openwrt.org/](https://openwrt.org/) )

At least it makes it possible to patch the other (real) bugs yourself.

~~~
tekklloneer
No, it's a bug. A home/consumer router isn't targeted at power users, and
should not require the average user to understand what they're doing.

I also think it's unreasonable to expect people to patch bugs in consumer gear
they've purchased.

~~~
anarazel
I don't think those goals are actually contradictory. Cryptographically
verified auto-updates and manually acknowledged, unsigned file-upload updates
can coexist peacefully.

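The two update paths anarazel describes can share one verifier, as long as the policy makes "unsigned" an explicit, user-acknowledged state rather than the default. The following is an added example, not code from the article or from D-Link's firmware: it uses a hypothetical image layout (magic, version, payload length, payload, Ed25519 signature) invented for illustration, a vendor public key assumed to be baked into the device, and the constructed payloads shown in main(). A vendor-signed image is accepted on the automatic path if it is newer than what is installed; an image with a deliberately empty signature is accepted only on the manual-upload path and only with the acknowledgement flag set; anything with a signature that does not verify is treated as forged or corrupt and refused on both paths.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout used only for this example (not D-Link's format):
//   magic[4] "FWIM" | version uint32 BE | payloadLen uint32 BE | payload | sig[64]
// The signature covers everything before it (header + payload).
const (
	magic  = "FWIM"
	hdrLen = 4 + 4 + 4
	sigLen = ed25519.SignatureSize
)

var (
	ErrMalformed = errors.New("firmware: malformed image")
	ErrBadSig    = errors.New("firmware: signature present but does not verify")
	ErrRollback  = errors.New("firmware: version is not newer than installed")
	ErrUnsigned  = errors.New("firmware: unsigned image needs explicit user acknowledgement")
)

// Mode distinguishes the two update paths: fetched by the device itself, or
// uploaded by the owner through the admin UI.
type Mode int

const (
	AutoUpdate Mode = iota
	ManualUpload
)

// Image is the parsed, accepted result.
type Image struct {
	Version uint32
	Payload []byte
}

// Build assembles an image. With priv == nil the signature field is left all
// zero, which this format defines as "deliberately unsigned" (a user build).
func Build(version uint32, payload []byte, priv ed25519.PrivateKey) []byte {
	buf := make([]byte, hdrLen, hdrLen+len(payload)+sigLen)
	copy(buf[0:4], magic)
	binary.BigEndian.PutUint32(buf[4:8], version)
	binary.BigEndian.PutUint32(buf[8:12], uint32(len(payload)))
	buf = append(buf, payload...)
	sig := make([]byte, sigLen)
	if priv != nil {
		sig = ed25519.Sign(priv, buf)
	}
	return append(buf, sig...)
}

// Verify applies the policy. A valid vendor signature is required on the
// automatic path; on the manual path an unsigned image is allowed only when the
// user has acknowledged it. A non-verifying, non-empty signature is always rejected.
func Verify(img []byte, vendorPub ed25519.PublicKey, installed uint32, mode Mode, userAck bool) (*Image, error) {
	if len(img) < hdrLen+sigLen || string(img[:4]) != magic {
		return nil, ErrMalformed
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := binary.BigEndian.Uint32(img[8:12])
	// Length check is done in uint64 so a huge plen cannot wrap around.
	if uint64(hdrLen)+uint64(plen)+uint64(sigLen) != uint64(len(img)) {
		return nil, ErrMalformed
	}
	signed := img[:hdrLen+plen]
	payload := img[hdrLen : hdrLen+plen]
	sig := img[hdrLen+plen:]

	if ed25519.Verify(vendorPub, signed, sig) {
		if version <= installed {
			return nil, ErrRollback // signed, but a downgrade: refuse on the auto path
		}
		return &Image{Version: version, Payload: payload}, nil
	}
	if !bytes.Equal(sig, make([]byte, sigLen)) {
		return nil, ErrBadSig // someone tampered with a signed image, or forged a signature
	}
	if mode == ManualUpload && userAck {
		return &Image{Version: version, Payload: payload}, nil
	}
	return nil, ErrUnsigned
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's baked-in key
	vendor := Build(2, []byte("constructed vendor build"), priv)
	forged := Build(3, []byte("constructed attacker build"), nil)
	tampered := append([]byte(nil), vendor...)
	tampered[hdrLen] ^= 0xff // flip one payload byte of the signed image

	_, err := Verify(vendor, pub, 1, AutoUpdate, false)
	fmt.Println("vendor image, auto-update:", err)
	_, err = Verify(forged, pub, 1, AutoUpdate, false)
	fmt.Println("unsigned image, auto-update:", err)
	_, err = Verify(tampered, pub, 1, ManualUpload, true)
	fmt.Println("tampered vendor image, manual upload with ack:", err)
	_, err = Verify(forged, pub, 1, ManualUpload, true)
	fmt.Println("unsigned image, manual upload with ack:", err)
}
```

The point of the explicit all-zero signature is that "no signature" and "wrong signature" are different failures: the first is the owner's deliberate choice that the UI can ask them to confirm, the second is evidence of tampering and should never be installable, acknowledgement or not.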
------
swiley
Maybe some of this is legitimate, but the user being able to install their own
firmware is not a security vulnerability. Yesterday I had to download a large
ISO for a friend instead of using the Linux.efi file I use on my laptop
because theirs was made "secure" by Microsoft.

~~~
josteink
> the user being able to install their own firmware is not a security
> vulnerability.

That's actually a feature. I consider this a fundamental _right_ I demand on
most equipment I buy.

I have no issues with UEFI Secure Boot as long as it can be disabled and/or put
under the user's control.

If not, that's strictly a vendor issue and best solved by not buying stuff
from that vendor.

------
moepstar
And this is why we finally need fines in the magnitude of a few million to
make corporations even think about having a secure-by-default mentality, not
patch-when-sh*t-hits-the-fan (and even then only barely).

~~~
swiley
I really wonder if that will result in a bunch of companies that own parts of
your house the way they do your iPhone.

Otherwise I would totally agree with that.

------
BenjiWiebe
Impressive. (Not you, D-Link) But seriously, why? Just why? I haven't even
gotten a degree in security or anything, but I know better than to store a
password in plaintext, at least!

~~~
kabes
The sad thing is that it's not really impressive work. And I don't say that to
discredit the author, but to discredit dlink, because the bugs found are
really security 101 kinda stuff we really should not be seeing anymore.

~~~
grawlinson
Most home networking gear I've come across is basically MVP (minimum viable
product) only. I've managed to trivially bypass quite a few using common
techniques from whitepapers/research docs (hardcoded admin passwords stored in
plaintext, looking for open ports, etc.)

Sadly, none of this is going to change in the foreseeable future.

~~~
netsharc
Ah, cheap shit, programmed terribly. There should be legislation saying
anything you plug permanently to your internet connection should be secure,
and anyone caught being part of a botnet because they're using a known "bad"
hardware will be fined. And just add to this blacklist "anything made by
DLink". That will get them to fix their shit.

~~~
occultist_throw
Are you sure you want more laws? I don't.

We already have laws on the books for vandalization and sabotage. We also have
that horrific law that criminalizes EULAs and "Authorized Access". Why aren't
they being used against these companies that make easy-to-remote-pwn gear? It's
readily evident that it's not the end-user's actions that cause these forms of
vandalization and digital assault.

I'd much prefer enforcing laws, rather than making new ones we hardware creators
have to parse and understand.

(Like, how does this affect open source hardware? Some of my side projects are
put online. I know a few implementations in the wild already.)

------
drzaiusapelord
>are password-protected with a hardcoded password.

This is pretty scary stuff. I suspect D-Link just resells generic firmwares and
adds branding while the real OEM is some no-name Chinese shop that provides
everything but the industrial design of the plastic case. With generic OEMs
like these you can't burn your key into the hardware, so you more or less have
to do non-key passwords, which, as the article shows, are trivially cracked on
modern equipment.

I think it's safe to say budget brands are usually a security risk. They just
don't have the funding to actually take security seriously, even if the
engineers have the political will to do so.

This is also the same D-Link that was sued by the FTC for its poorly secured
cameras, which I believe were also a rebranding of a no-name OEM product.

[https://www.ftc.gov/news-events/press-releases/2017/01/ftc-c...](https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate)

I find that while Netgear, Cisco small business, and Linksys aren't perfect,
they are miles ahead of D-Link, Belkin, and other budget brands for home use and
really don't cost all that much more. I'm pleasantly surprised to see how
often my Netgear gets security updates, and the Linksys/Cisco small business line
is wonderful for the price.

That said, most consumers will be on the receiving end of an ISP-provided
router. I suspect a good chunk of these things aren't actually internet
facing; they're behind the ISP router and working as an access point, but
typically consumers won't or can't put them in access point mode. I think
there's a lot of dumb luck in home networking that ironically keeps people
secure, because if they knew how to put the ISP router/modem into gateway mode
they'd be in a lot more trouble once their D-Links and Belkins are internet
facing.

------
0x4a42
Also, the PHP tags (<?echo...) in the examples suggest that they are using a
(very) old PHP version which might contain unpatched security holes.

~~~
nucleardog
Short open tags are still in the current builds according to the docs.

The only thing that's changed is that while in older versions the <?=
shorthand was also controlled by the short_open_tags ini option, it's now
permanently enabled.

~~~
0x4a42
>Short open tags are still in the current builds according to the docs.

No.

~~~
nucleardog
[http://php.net/manual/en/language.basic-syntax.phptags.php](http://php.net/manual/en/language.basic-syntax.phptags.php)

[http://php.net/manual/en/ini.core.php#ini.short-open-tag](http://php.net/manual/en/ini.core.php#ini.short-open-tag)

    $ cat test.php
    <? var_dump(PHP_VERSION); ?>
    $ php test.php
    string(5) "7.0.9"
    $

Yes?

~~~
0x4a42
Yes. I was thinking about other removed old features from PHP and answered in
a lame and arrogant way. Bad day, bad mood...

Please, accept my apologies. :)

------
proactivesvcs
A quote from D-Link's site, linked from one of the author's posts: "Security
is of the utmost importance to D-Link across all product lines."

These sorts of organisations certainly have chutzpah.

~~~
discreditable
Reminds me of: “We take security seriously”, otherwise known as “We didn’t take
it seriously enough”: [https://www.troyhunt.com/we-take-security-seriously-otherwis...](https://www.troyhunt.com/we-take-security-seriously-otherwise/)

