
Hacking the D-Link DIR-890L - zdw
http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/
======
jbuzbee
I used to write reviews on these consumer-level network devices and in my
experience they nearly all ran a root-privileged server under Linux.
Inevitably they would end up having some sort of CGI interface that would take
in parameters and make a "system" call to do email, change configurations,
etc. It was only a matter of how much time and effort I wanted to put in to
show that I could break in by screwing with the variables. They also would
always have an unused telnet or ssh server that was left over from the
original developers. Lesson learned: don't ever enable remote access for
these cheap consumer devices.

Edit: Remembered an amusing case where I reported a vulnerability to a
manufacturer. I reported something like "If you add an administrator's email
address to the device that looks like 'myemail`reboot`@gmail.com' the box will
reboot". The manufacturer got right on it and "fixed" the bug. Their fix? The
new firmware had an explicit check for the string "reboot" inside of submitted
email addresses. Kind of tells you the quality of engineers they have
developing these things...
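
The injection jbuzbee describes (an email field spliced into a system() command line, then "fixed" by searching the submitted string for "reboot") is easy to reproduce. The C below is an added example written for this page, not firmware code from D-Link or any vendor mentioned in the thread; the sendmail command line, the buffer sizes and the sample addresses are constructed for illustration. It shows why the substring blacklist is worthless (any other command still runs, and even reboot survives as reb""oot, which the shell joins back into one word) and what an input validator that actually closes the hole looks like. It also returns a truncation status from the command builder, which is the check you want for the "how long is the command buffer" question raised later in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* The vulnerable pattern: the submitted address is spliced into a shell
   command line that system() hands to /bin/sh, so `...` or $(...) inside
   the address runs as a command. Returns 1 if the command fit in out and
   0 if it was truncated (snprintf never overruns the buffer, but a silently
   cut-off command is still a bug, so the caller must check). Command line
   and paths are assumed for the example. */
int build_mail_command(char *out, size_t outlen, const char *address) {
    int n = snprintf(out, outlen, "/usr/sbin/sendmail -t %s < /tmp/report.txt", address);
    return n >= 0 && (size_t)n < outlen;
}

/* Does the command for this address fit in a buffer of outlen bytes? */
int mail_command_fits(const char *address, size_t outlen) {
    char buf[256];
    if (outlen > sizeof buf) outlen = sizeof buf;
    return build_mail_command(buf, outlen, address);
}

/* The vendor's "fix" as reported: reject any address containing "reboot". */
int blacklist_allows(const char *address) {
    return strstr(address, "reboot") == NULL;
}

/* A validator that actually closes the hole: accept only a conservative
   local@domain syntax made of characters that mean nothing to the shell. */
int strict_email_allows(const char *address) {
    size_t len = strlen(address);
    const char *at = strchr(address, '@');
    if (len == 0 || len > 254 || at == NULL || at == address || at[1] == '\0') return 0;
    if (strchr(at + 1, '@') != NULL) return 0;               /* exactly one @ */
    for (const char *p = address; *p; p++) {
        if (isalnum((unsigned char)*p)) continue;
        if (*p == '@' || *p == '.' || *p == '-' || *p == '_' || *p == '+') continue;
        return 0;                                             /* ` $ ( ) ; | " and friends */
    }
    return 1;
}

int main(void) {
    /* Constructed sample addresses. */
    const char *samples[] = {
        "alice.smith@example.com",          /* benign */
        "myemail`reboot`@gmail.com",        /* the report as quoted above */
        "myemail`reb\"\"oot`@gmail.com",    /* sh joins reb""oot back into reboot */
        "x`telnetd`@gmail.com",             /* the blacklist never looked for this */
        NULL
    };
    char cmd[128];
    for (int i = 0; samples[i]; i++) {
        build_mail_command(cmd, sizeof cmd, samples[i]);
        printf("%-34s blacklist:%s strict:%s\n  -> %s\n", samples[i],
               blacklist_allows(samples[i]) ? "allow " : "reject",
               strict_email_allows(samples[i]) ? "allow " : "reject", cmd);
    }
    return 0;
}
```

Even the strict validator is only defence in depth. The real fix is to stop going through /bin/sh at all: exec the mailer with an argv array (execve or posix_spawn) so the address is passed as one argument and is never parsed as shell syntax, and keep the validator on top of that to bound what reaches the mailer.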

~~~
amenod
I think the problem is that the typical engineers that work on these devices
are used to working on a whole different layer - hardware. But they know how
to put together a few simple CGI scripts and probably don't even know the
dangers they are facing when they run an HTTP(S) server.

So on the one side you have HW guys saying "no need to find someone, we can do
it ourselves" and on the other managers gladly accepting this at face value
(it probably does cost them less in the short run). I am not saying these guys
are not good engineers, just that this is not their area of expertise. Their
mistake is not realizing this.

~~~
krapht
I've worked in embedded devices, and the problem isn't that the engineers
don't know how to fix it properly, it's just that nobody cares enough to make
consumer-level devices very secure. That costs money.

------
userbinator
I wonder if there's a buffer overflow in there too - how long is the command
buffer and what's the maximum size of that header...?

From personal experience, SOAP is one of those protocols that feels
_massively_ overdesigned and unnecessarily bloated.

~~~
amenod
This. The minute I read "SOAP" I imagined the fault lies there. It probably
does, but this was lower hanging fruit... :)

------
happycube
As crappy as this firmware is, the ones ~7-10 years ago that didn't run Linux
were much worse!

------
gesman
Definitely need more posts/articles like that.

Sometimes publicity is the most efficient way to eradicate vendors' sloppiness
and ignorance.

~~~
finnn
The web is full of articles like this. Vendors still come out with shitty,
usually GPL-violating firmware. Links below from some quick googling and going
through the archives of devttys0.com, but it doesn't even begin to describe the
problem. Nearly every consumer router has some stupid injection or
authentication bypass vulnerability.

[0] http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

[1] http://www.exploit-db.com/exploits/35917/

[2] http://arstechnica.com/security/2014/02/bizarre-attack-infects-linksys-routers-with-self-replicating-malware/

[3] https://threatpost.com/more-trouble-for-linksys-home-small-office-routers/104322

[4] http://www.devttys0.com/2015/04/reversing-belkins-wps-pin-algorithm/

[5] http://www.devttys0.com/2015/04/reversing-belkins-wps-pin-algorithm/

[6] http://www.devttys0.com/2014/05/hacking-the-dsp-w215-again-again-again/

[7] http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/

[8] http://www.devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/

[9] http://www.devttys0.com/2014/02/cracking-linksys-crypto/

~~~
iancarroll
Some Netgear routers even have a built-in (root) telnet server and a command
to dump the admin password.

https://ian.sh/blog/2014/10/18/netgear-wndr4000-security/

------
dsacco
tl;dr: You can pass an arbitrary string to system on the router, thereby
popping a de facto root shell using telnet. This owns the network.

~~~
jschwartzi
tl;dr: but only if you're inside the LAN or your target has enabled remote
administration.

~~~
finnn
It looks like it could be done with a DNS rebinding attack (as you need to set
a special HTTP header, so normal CSRF stuff doesn't work). This would mean the
victim would simply need to visit an attacker-controlled webpage.

~~~
jschwartzi
Sweet, even better. Is there any mitigation for that?

~~~
finnn
Sure! Install OpenWRT or some other alternative firmware.
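
finnn's rebinding point above works like this: a plain cross-site request (a form post from another origin) cannot carry the custom header, and a cross-origin XMLHttpRequest with a custom header triggers a CORS preflight the router will never answer. DNS rebinding sidesteps that: the victim loads the attacker's page from a hostname whose DNS answer is switched, after a short TTL, to the router's LAN address, so from the browser's point of view the router is now the same origin and the page can send the header freely. The defence the device can apply on its own side, in addition to the firmware swap finnn suggests, is to check the Host header: a rebound request arrives at the router's IP but still names the attacker's site in Host, because the browser fills Host from the page's URL, not from the resolved address. The C below is an added example written for this thread, not code from the DIR-890L firmware or from OpenWRT; the names in own_hosts, the request path, the custom header and the sample requests are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Names this device answers to. Assumed values for the example; a real
   device would fill this from its LAN address and configured hostname. */
static const char *const own_hosts[] = { "192.168.0.1", "dlinkrouter.local", NULL };

/* Case-insensitive comparison of the first n bytes of a against the
   n-byte pattern b. Stops at the first mismatch, so it never reads past
   a NUL in a. */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

static int ieq_str(const char *a, const char *b) {
    size_t n = strlen(a);
    return strlen(b) == n && ieq(a, b, n);
}

/* Copy the value of the Host header of a raw HTTP request into out,
   trimmed of whitespace and of an explicit :port. Returns 1 if a usable
   Host header was found, 0 otherwise (missing, empty or too long). */
int parse_host_header(const char *request, char *out, size_t outlen) {
    const char *line = strstr(request, "\r\n");             /* skip the request line */
    if (!line) return 0;
    line += 2;
    while (*line && !(line[0] == '\r' && line[1] == '\n')) { /* stop at the blank line */
        const char *eol = strstr(line, "\r\n");
        const char *end = eol ? eol : line + strlen(line);
        if ((size_t)(end - line) >= 5 && ieq(line, "Host:", 5)) {
            const char *v = line + 5;
            while (v < end && isspace((unsigned char)*v)) v++;
            while (end > v && isspace((unsigned char)end[-1])) end--;
            /* drop :port, except inside a bracketed IPv6 literal */
            if (v < end && *v != '[') {
                const char *colon = memchr(v, ':', (size_t)(end - v));
                if (colon) end = colon;
            }
            size_t n = (size_t)(end - v);
            if (n == 0 || n >= outlen) return 0;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return 0;
}

/* Accept the request only if Host names this device. A request with no
   Host header is rejected too: every browser sends one, so its absence
   is not a legitimate admin-page client. */
int host_is_own(const char *request) {
    char host[256];
    if (!parse_host_header(request, host, sizeof host)) return 0;
    for (int i = 0; own_hosts[i]; i++)
        if (ieq_str(host, own_hosts[i])) return 1;
    return 0;
}

int main(void) {
    /* Constructed requests. Both reach the same LAN IP; only Host differs.
       X-Requested-With stands in for whatever custom header the real
       interface requires. */
    const char *legit =
        "POST /cgi-bin/admin HTTP/1.1\r\nHost: 192.168.0.1\r\n"
        "X-Requested-With: XMLHttpRequest\r\n\r\n";
    const char *rebound =
        "POST /cgi-bin/admin HTTP/1.1\r\nHost: attacker.example:8080\r\n"
        "X-Requested-With: XMLHttpRequest\r\n\r\n";
    printf("legit:   %s\n", host_is_own(legit) ? "accept" : "reject");
    printf("rebound: %s\n", host_is_own(rebound) ? "accept" : "reject");
    return 0;
}
```

This check belongs in the device's HTTP server, in front of every handler, and it complements rather than replaces the resolver-side defence: OpenWRT's stock dnsmasq configuration enables rebind protection, which discards upstream answers that map a public name to a private address, so a rebound lookup never reaches the browser in the first place. The attack described in the thread needs the browser to be on the LAN, so both checks only matter for the local side; remote administration, where enabled, is exposed directly.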

