In-Reply-To: <84smfb7rmf.fsf@risko.hu>

X-Micro Support Team:

1- The backdoor has been solved with the latest Firmware 1.601.
2- Please do not upgrade the Firmware with unofficial releases because this will void the warranty.
3- Thanks for posting this security issue.

Warm Regards,
X-Micro Support Dep.
Tel: 886-2-8226-2727
Fax: 886-2-8226-2828
======================================
X-Micro Technology Corp.
Plug & Fly
Web site: http://www.x-micro.com
Email: support@x-micro.com
Address: 13F-4, No.738, Chung Cheng Road, Chung Ho City, Taipei Hsien, Taiwan 235, R.O.C
======================================

>To: bugtraq@securityfocus.com
>From: RISKO Gergely <xmicro@risko.hu>
>Subject: Backdoor in X-Micro WLAN 11b Broadband Router
>Date: Sat, 10 Apr 2004 17:57:28 +0200
>Message-ID: <84smfb7rmf.fsf@risko.hu>
>
>Backdoor in the X-Micro WLAN 11b Broadband Router
>
>FCC ID: RAFXWL-11BRRG
>Firmware Version: 1.2.2, 1.2.2.3 (probably others too)
>Remote: yes, easily exploitable
>Type: administration password, which always works
>
>The following username and password work in every case, even if you
>set another password on the web interface:
>Username: super
>Password: super
>
>By default the builtin webserver is listening on all network
>interfaces (if connected to the internet, then it is accessible from
>the internet too). Using the web interface one can install new
>firmware, download the old, view your password, etc., so he can:
> - make your board totally unusable, beyond repair
> - install viruses, trojans, sniffers, etc. in your router
> - get your password for your provider and maybe for your emails.
>
>Possible fixes:
>1. Set up portforwarding, and forward port 80, this way from the WAN
>   interface an attack is impossible. But be aware that anyone in your
>   local LAN (possibly over a wireless connection) can log in to your
>   router.
>
>2. Upload a fixed firmware. I've made an unofficial (but fixed)
>   one. You can download it from
>   http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.1/xm-11brrg-0.1.bin
>   This firmware is unofficial. NO WARRANTY.
>   This firmware also fixes other bugs, for a list see:
>   http://xmicro.risko.hu/own-firmwares/xm-11brrg-0.1/Changes
>   The tool which was used to create the image is also released under the
>   GPL: http://xmicro.risko.hu/US8181-20040410.tar.gz
>   DOCS: http://xmicro.risko.hu/
>
>I don't know when the folks at X-Micro (who built such a nasty
>backdoor into this device) will reply; I bcc'ed this mail to them.
>I've chosen not to contact them earlier, because they violated the
>GPL seriously; the open source community tried to communicate with
>them, but without any positive results. And I'm sure that they know
>about this remote backdoor.
>
>Gergely Risko