PROLiNK PRN2001a Default Firmware Backdoor Account

I was playing with a cheap wireless-N router (S$25) that I bought at a nearby store and found out that there are some serious security issues with it.


It seems that in the default firmware that came with the router, there is actually another ‘admin’ account with the same login name, just a different password. I telnetted to the router with the default credentials of admin:password and took a look around.


The ‘show login’ command showed that there were 2 login accounts, the default admin account and another backdoor admin account with the password XXXXairocon, where XXXX is the last 4 characters of the router’s MAC address. The MAC address can be easily obtained from an Nmap scan.


I then proceeded to hard reset the router to confirm that the account was built into the firmware, and it was still there after numerous resets. Dumping the config.img confirmed that it was a backdoor account set by the firmware vendor. There was even a blatant “BACKDOOR” attribute with the value of “0x1” for that account!


Using the backdoor credentials did not work on the interface on port 80, but it was possible to use those credentials through telnet.

Most of the other issues I found have already been discovered by Herman Groeneveld (http://www.exploit-db.com/exploits/35419/), although his tests were done on the PRN2001 model while I did my tests on the PRN2001a model. I went ahead and downloaded the latest firmware for the PRN2001a model from http://bit.ly/1bZ5YLK, upgraded the firmware and saw that the backdoor account was still there, since it was an incremental update. After doing a hard reset with the latest firmware, the backdoor account was no longer present. There is also an NSE script created by Cesar Neira at http://bit.ly/19XlFS5 which might also be used against this router, but some modifications will have to be made.

This could be a security issue if someone does not update the router’s default firmware, or does not do a hard reset after the latest firmware is installed. Someone in the same network segment could utilize this account to gain administrative privileges on the router and make configuration changes. If the router user has configured remote WAN administration access to the router, remote access through the backdoor account will be possible. I believe that much of this shoddy firmware is created by third-party vendors and that the router companies themselves are unaware of it.
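To check that the firmware upgrade and hard reset really removed the account, an owner can audit a saved account listing from their own router. The following is an added example, not code from the original post: the one-line-per-account `ACCOUNT NAME=... PASSWORD=... BACKDOOR=...` layout, the sample MAC address and all function names are assumptions constructed for illustration, and only the `XXXXairocon` pattern and the `BACKDOOR` attribute come from the post.

```python
import re

SUFFIX = "airocon"  # fixed part of the backdoor password, as described in the post

# Constructed sample data (not a real device or a real dump format).
SAMPLE_MAC = "00:11:22:AA:BB:CC"
SAMPLE_DUMP = '''
ACCOUNT NAME="admin" PASSWORD="password" BACKDOOR="0x0"
ACCOUNT NAME="admin" PASSWORD="BBCCairocon" BACKDOOR="0x1"
'''

def mac_tail(mac: str) -> str:
    """Return the last 4 hex characters of a MAC address, lower-cased."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits[-4:].lower()

def flag_set(value: str) -> bool:
    """True when an attribute such as "0x1" parses to a non-zero integer."""
    try:
        return int(value, 0) != 0
    except ValueError:
        return False

def parse_accounts(dump: str) -> list[dict]:
    """Parse KEY="value" pairs from each line (assumed layout) into dicts."""
    accounts = []
    for line in dump.splitlines():
        fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if "NAME" in fields:
            accounts.append(fields)
    return accounts

def audit(dump: str, mac: str) -> list[tuple]:
    """Return (account number, name, reason) for every suspicious account."""
    # The post does not say whether the MAC characters are upper or lower
    # case in the password, so the comparison ignores case.
    expected = mac_tail(mac) + SUFFIX
    findings = []
    for number, acct in enumerate(parse_accounts(dump), start=1):
        if flag_set(acct.get("BACKDOOR", "")):
            findings.append((number, acct["NAME"], "BACKDOOR attribute set"))
        if acct.get("PASSWORD", "").lower() == expected:
            findings.append((number, acct["NAME"], "password matches MAC-derived pattern"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP, SAMPLE_MAC):
        print(finding)
```

An empty result after the upgrade and hard reset is the expected outcome; any finding means the account survived.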
