Last week Craig Heffner, specialized on the embedded device hacking exposed a serious backdoor in number of D-Link routers allows unauthorized backdoor access.
Recently he published his another researcher, Titled 'From China, With Love', exposed that D-Link is not only the vendor who puts backdoors in their products. According to him, China based networking device and equipment manufacturer - Tenda Technology (www.tenda.cn) also added potential backdoors into their Wireless Routers.
He unpacked the software framework update and locate the httpd binary an found that the manufacturer is using GoAhead server, which has been substantially modified.
These routers are protected with standard Wi-Fi Protected Setup (WPS) and WPA encryption key, but still by sending a UDP packet with a special string , an attacker could take over the router.
Routers contain a flaw in the httpd component, as the MfgThread() function spawns a backdoor service that listens for incoming messages containing commands to execute. A remote attacker with access to the local network can execute arbitrary commands with root privileges, after access.
He observed that, attacker just need run the following telnet server command on UDP port 7329, in order of root gain access:
echo -ne "w302r_mfg\x00x/bin/busybox telnetd" | nc -q 5 -u 7329 192.168.0.1Where, "w302r_mfg" is the magic string to get access via backdoor.
Some of the vulnerable routers are W302R and W330R as well as re-branded models, such as the Medialink MWN-WAPR150N. Other Tenda routers are also possibly affected. They all use the same "w302r_mfg" magic packet string.
Nmap NSE script to test for the backdoored routers – tenda-backdoor.nse is also available for penetration testing.