Pierluigi Paganini
January 16, 2014
Also TP-LINK routers are vulnerable, this is the latest chapter in the saga of the vulnerabilities present in our routers after that a security researcher discovered serious flaw in CISCO, Linksys and Netgear, meanwhile months ago serious backdoor was found in D-Link devices. The news is published by THN in exclusive, more than 200,000 Algerian TP-LINK Routers are vulnerable to cyber attacks.
Analyzing data on the Internet penetration level in Algeria, it is possible to observe that more than 15.2% of the population use Internet service which is provided by 30 Internet Service Providers. Algerie Telecom is one of the largest ISP of the country and it provides TP-LINK TD-W8951ND Router to most of its home customers, these device runs ZYXEL embedded firmware.
ABDELLI Nassereddine, penetration tester and Algerian Computer Science Student, has discovered a critical vulnerability in this devices, provided by Algerie Telecom, that could be exploited by hackers to gain unauthorized access and to disclosure users’ password.
What makes further serious the flaw is that the vulnerability is remotely exploitable due, the researcher confirmed to THN colleagues that he has found that an unauthorized access is available to ‘Firmware/Romfile Upgrade’ Section on the Router’s panel that can be accessed without authentication. (i.e. http://IP//rpFWUpload.html)
The Mantenance section in the admin panel could be used to upload a Rom file backup, and also to download the Romfile Backup file (coded as rom-0)
i.e. http://IP address/rom-0 (as shown)
The Algerian Computer expert reverse engineering the Romfile Backup file discovered that the it contains the administrative password of the TP-LINK Router but that they are not in plain text. This is not an obstacle for an hacker, the ABDELLI extracted them in plain text using a free online Configuration Decompressor (LZS) service available at:
http://50.57.229.26/zynos.php
Uploading the room the service extract configuration data, including the password that is displayed in the first line of the output.
The principal problem in such cases is represented by the impact of the vulnerability, after first investigation the Algerian researcher found thousands of vulnerable TP-LINK Routers, as usual the SHODAN Search Engine represents the privileged tools for this kind of analysis, using keyword ‘RomPager country:dz‘ it retrieved 2,59,744 results.
ABDELLI estimated that around 95% of devices found with SHODAN are now at risk, he also submitted an automated exploit POC script on GITHUB that can scan the complete subnet displaying passwords on the screen for vulnerable routers.
The problem is not limited to the exposure of the password , as referred in the post published by THN there is the risk that ill-intentioned manipulate user setting for malicious activities,
“Simply by changing the DNS servers from the victim’s router, one can redirect the users’ traffic to any malicious server. Such attacks allow hackers to inject the malicious DNS server to perform advance phishing attacks against Facebook, Gmail, Bank Accounts and also whole system can also be compromised.There is no patch yet available from the vendor, so to prevent yourself from such vulnerability you can forward port 80 to any other website or unused IP address of your network.“
Let me remark that customers using the TP-LINK TD-W8951ND Router is at risk and not the patch is yet available.
(Security Affairs – TP-LINK TD-W8951ND Router, hacking)
