
Re: Backdoor in X-Micro WLAN 11b Broadband Router



In-Reply-To: <84smfb7rmf.fsf@xxxxxxxx>

X-Micro Support Team:

1-       The backdoor has been solved with the latest Firmware 1.601. 

2-       Please do not upgrade the Firmware with unofficial releases because 
this will void the warranty.

3-       Thanks for posting this security issue.

Warm Regards,
 
X-Micro Support Dep.
Tel: 886-2-8226-2727
Fax: 886-2-8226-2828
======================================
X-Micro Technology Corp.
Plug & Fly

Web site: http://www.x-micro.com
Email: support@xxxxxxxxxxx
Address: 13F-4, No.738, Chung Cheng Road,
Chung Ho City, Taipei Hsien, Taiwan 235, R.O.C

========================================================================

>To: bugtraq@xxxxxxxxxxxxxxxxx
>From: RISKO Gergely <xmicro@xxxxxxxx>
>Subject: Backdoor in X-Micro WLAN 11b Broadband Router
>Date: Sat, 10 Apr 2004 17:57:28 +0200
>Lines: 44
>Message-ID: <84smfb7rmf.fsf@xxxxxxxx>
>
>Backdoor in the X-Micro WLAN 11b Broadband Router
>
>FCC ID: RAFXWL-11BRRG
>Firmware Version: 1.2.2, 1.2.2.3 (probably others too)
>Remote: yes, easily exploitable
>Type: administration password, which always works
>
>The following username and password work in every case, even if you
>set another password on the web interface:
>Username: super
>Password: super
>
>By default the built-in webserver listens on all network
>interfaces (if connected to the internet, it is accessible from
>the internet too). Using the web interface one can install new
>firmware, download the old one, view your password, etc., so an attacker can:
> - make your board totally unusable, beyond repair
> - install viruses, trojans, sniffers, etc. in your router
> - get your password for your provider and maybe for your emails.
>
>Possible fixes:
>1. Set up port forwarding and forward port 80; this way an attack from
>   the WAN interface is impossible. But be aware that anyone in your
>   local LAN (possibly over a wireless connection) can log in to your
>   router.
>
>2. Upload a fixed firmware. I've made an unofficial (but fixed)
>   one. You can download it from
>   http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.1/xm-11brrg-0.1.bin
>   This firmware is unofficial. NO WARRANTY.
>   This firmware also fixes other bugs; for a list see:
>   http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.1/Changes
>   The tool which was used to create the image is also released under the
>   GPL: http://xmicro.risko.hu/US8181-20040410.tar.gz
>   DOCS: http://xmicro.risko.hu/
>
>I don't know when the folks at X-Micro (who built such a nasty
>backdoor into this device) will reply; I bcc'ed this mail to them.
>I chose not to contact them earlier, because they violated the
>GPL seriously: the open source community tried to communicate with
>them, but without any positive results. And I'm sure that they know
>about this remote backdoor.
>
>Gergely Risko
>
>
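The advisory quoted above describes a username/password pair that the router's web interface accepts no matter what password the owner configured. The following Python check is added here as an example; it is not code from either message, from RISKO Gergely's firmware, or from X-Micro. It probes a device you own for exactly that behaviour. Two things are assumptions, because the advisory does not say how the web interface authenticates: that the admin interface uses HTTP Basic authentication, and that it answers on TCP port 80 at the root path. If the device redirects to a form-based login instead, the verdict will come back "inconclusive" rather than a false "rejected". A third probe with a random password acts as a control, so a device that accepts any password at all is reported as that, not as a hidden second credential.

```python
"""Probe a router's HTTP admin interface for a credential that "always works".

Added example, not code from the advisory or the vendor. Assumptions
(not stated in the advisory): the admin interface uses HTTP Basic
authentication, on TCP port 80, at the root path "/".
"""
import base64
import http.client
import secrets
import sys

# Credential pair reported in the advisory.
BACKDOOR_USER = "super"
BACKDOOR_PASS = "super"


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic auth (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def classify(status: int) -> str:
    """Map the HTTP status of an authenticated request to a verdict on the credential."""
    if status in (401, 403):
        return "rejected"
    if 200 <= status < 300:
        return "ACCEPTED"
    # e.g. a 302 to a form-based login page: Basic auth is not what this device uses
    return "inconclusive"


def probe(host: str, user: str, password: str, port: int = 80, path: str = "/",
          timeout: float = 5.0) -> str:
    """Send one GET carrying the given credential and classify the response."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Authorization": basic_auth_header(user, password)})
        return classify(conn.getresponse().status)
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()


def interpret(own: str, backdoor: str, bogus: str) -> str:
    """Combine three probe verdicts into a finding.

    own      - the password you configured in the web interface
    backdoor - the advisory's super/super pair
    bogus    - a random password, as a control: if it is accepted too, the
               device enforces no authentication at all, which is a
               different defect from a second, hard-coded credential.
    """
    if own != "ACCEPTED":
        return "cannot confirm: configured credential not accepted (wrong password, or not Basic auth)"
    if bogus == "ACCEPTED":
        return "no authentication enforced: an arbitrary password was accepted"
    if backdoor == "ACCEPTED":
        return f"BACKDOOR: {BACKDOOR_USER}/{BACKDOOR_PASS} accepted alongside the configured password"
    return "ok: only the configured credential is accepted"


def audit(host: str, admin_user: str, admin_pass: str) -> str:
    """Run the three probes against one device and return the finding."""
    own = probe(host, admin_user, admin_pass)
    backdoor = probe(host, BACKDOOR_USER, BACKDOOR_PASS)
    bogus = probe(host, admin_user, secrets.token_urlsafe(16))
    return interpret(own, backdoor, bogus)


if __name__ == "__main__":
    # usage: python probe_router.py <router-ip> <admin-user> <admin-password>
    # Only run this against equipment you are authorised to test.
    if len(sys.argv) != 4:
        sys.exit("usage: probe_router.py <router-ip> <admin-user> <admin-password>")
    print(audit(*sys.argv[1:]))
```

Run it from the LAN side before and after flashing the vendor's 1.601 firmware to see whether the pair is actually gone; run it from the WAN side as well, where "unreachable" is the outcome you want, since the advisory's other point is that the web server listens on every interface, internet-facing ones included.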