SoDDing D-Link Backdoor | TechSNAP 132

chris

9 years ago

It’s never been easier to break a D-Link Router, we’ll share the details about the built in backdoor.

Plus a huge batch of Java fixes land, a look at iMessage security, and much much more!

On this week’s TechSNAP

Thanks to:

Researchers found an authentication bypass backdoor in some D-Link routers
Research was conducted on a D-Link DIR-100 revA
The firmware is made by a company called Alpha Networks which was spun off from D-Link in 2003
Other devices known to be vulnerable from D-Link:
- DIR-100
- DIR-120
- DI-624S
- DI-524UP
- DI-604S
- DI-604UP
- DI-604+
- TM-G5240
Some devices from Planex appear to use the same firmware:
BRL-04R
BRL-04UR
BRL-04CW
If the router is accessed user a User-Agent string of: xmlset_roodkcableoj28840ybtide then the user bypasses the username/password requirement and has full access to the router
If read backwards: edit by 04882 joel backdoor
This backdoor also allows an attacker to perform remote code execution and could be used to infect a router with spyware
D-Link promises to issue fixed firmware by the end of the month

Threatpost reports on Akamai’s “State of the Internet report”
Akamai is a global CDN that services many large websites including Microsoft Update
“The Pacific rim region (especially China and Indonesia) accounted for just over 79 percent of all observed attacks” according to the firm’s studies
The report also discussed the Syrian Electronic Army’s (SEA) and its attacks on media outlets, the exhaustion of IPv4 address space, and a rise in mobile data traffic
The data does not quite match up with reports from other DDoS protection vendors
The Prolexic report for Q1 2013 shows China as the source of 40.68% of all DDoS attacks, and Indonesia did not even register. USA: 21.88%, Germany: 10.59%
The Prolexic report for Q2 2013 shows slightly different results, with China holding strong at 39.08% with Mexico coming in at a surprising second with 27.32% and Russian at 7.58%
The wild differences are partly due to the fact that each company is measuring attacks against their clients, not the wider internet
There is also the methodology for localizing the source of the attack to consider, GeoIP databases and the like are often inaccurate
Each company may also have a different definition of a DDoS attack. Are bots crawling a website an attack? What about SQL injection attempts?

This is the first time that the Oracle quarterly CPU (Critical Patch Update) has included updates for Java, usually Java is updated on a separate cycle
“Of the 51 Java patches released, 50 allow for remote code execution and 20 were given the highest criticality rating by Oracle”
All users should immediately upgrade to Java 7u45
Java 6 is vulnerable to nearly a dozen critical vulnerabilities, but updates are only provided to Oracle customers with support contracts (Apple)
Rapid7 (maintainers of Metasploit) recommend that if you must use Java: “run Java in the most restricted mode and only allow signed applets from white-listed sites”
“Noted Java bug hunter Adam Gowdiak told Threatpost that the patches also harden interactions of LiveConnect code, a browser feature that allows applets to communicate with the javascript engine in the browser, and Java Rich Internet Applications”
“Overall, there are 127 patches in the Oracle CPU that touch most of the Oracle product line. Aside from the Java vulnerabilities, the only other bug approaching the same level of criticality is in MySQL Enterprise Monitor, but it is not a remote execution bug.“

[asa]0133390098[/asa]