I was playing with a cheap wireless-N router (S$25) that I bought at a nearby store and found out that there are some serious security issues with it.
It seems that in the default firmware that came with the router, there is actually another ‘admin’ account with the same login name, just a different password. I telnetted to the router with the default credentials of admin:password and took a look around.
The ‘show login’ command showed that there were 2 login accounts, the default admin account and another backdoor admin account with the password XXXXairocon, where XXXX is the last 4 characters of the router’s MAC address. The MAC address can be easily obtained from an NMap scan.
I then proceeded to hard-reset the router to confirm it was built into the firmware, and the account was still there after numerous resets. Dumping the config.img confirmed that it was a backdoor account set by the firmware vendor. There was even a blatant “BACKDOOR” attribute with the value of “0x1” for that account!
Using the backdoor credentials did not work on the interface on port 80 but it was possible to use those credentials through telnet:
Most of the other issues I found have already been discovered by Herman Groeneveld (http://www.exploit-db.com/exploits/35419/), although his tests were done on the PRN2001 model while I did my tests on the PRN2001a model. I went ahead and downloaded the latest firmware for the PRN2001a model from http://bit.ly/1bZ5YLK, upgraded the firmware and saw that the backdoor account was still there, since it was an incremental update. After doing a hard reset with the latest firmware, the backdoor account was no longer present. There is also an NSE script created by Cesar Neira at http://bit.ly/19XlFS5 which might also be used against this router, but some modifications will have to be made.
This could be a security issue if someone does not update the router’s default firmware, or does not do a hard reset after the latest firmware is installed. Someone on the same network segment could use this account to gain administrative privileges on the router and make configuration changes. If the router user has configured remote WAN administration access to the router, remote access through the backdoor account will be possible. I believe that much of this shoddy firmware is created by third-party vendors and that the router company itself is unaware of it.
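As an added illustration of how an owner could audit their own device for the kind of hidden account described above (this is not code from the post, and the dump format is a constructed stand-in, not the real config.img layout), the script below parses a text dump of a router's login table and flags the tell-tale signs: an account carrying a BACKDOOR attribute, two logins sharing one name, a password that begins with the last four characters of the device's MAC address, and remote WAN administration being enabled while such an account exists. The key names `mac_address`, `remote_wan_admin` and the `login name=... password=... backdoor=...` line shape are assumptions for the example.

```python
"""Audit a router login-table dump for vendor backdoor accounts.

Added example, not code from the original post. The dump format below is
constructed for illustration; a real config.img would need its own parser.
"""
import re
from collections import Counter

# Constructed sample modelled on the post's findings: two 'admin' entries,
# the second carrying a BACKDOOR flag and a MAC-derived password.
SAMPLE_DUMP = """\
mac_address=00:11:22:33:AA:BB
remote_wan_admin=1
login name=admin password=password backdoor=0x0
login name=admin password=AABBairocon backdoor=0x1
"""

KEYVAL_RE = re.compile(r"(\w+)=(\S+)")


def parse_dump(text):
    """Return (settings, accounts).

    settings: dict of top-level key=value lines.
    accounts: one dict per 'login ...' line, built from its key=value pairs.
    """
    settings, accounts = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("login "):
            accounts.append(dict(KEYVAL_RE.findall(line[len("login "):])))
        else:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings, accounts


def mac_suffix(mac):
    """Last four hex digits of a MAC address, upper-cased, separators removed."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()[-4:]


def audit(text):
    """Return a list of (finding_code, detail) tuples; empty means nothing suspicious."""
    settings, accounts = parse_dump(text)
    findings = []
    suffix = mac_suffix(settings.get("mac_address", ""))

    for acct in accounts:
        name = acct.get("name", "?")
        password = acct.get("password", "")
        # Vendor-set flag, as seen in the post's config dump ("BACKDOOR" = 0x1).
        if int(acct.get("backdoor", "0"), 16):
            findings.append(("backdoor_flag", name))
        # Password derived from the device MAC: guessable by anyone who can scan it.
        if suffix and password.upper().startswith(suffix):
            findings.append(("mac_derived_password", name))

    # Two accounts with the same login name but (potentially) different passwords.
    for name, count in Counter(a.get("name") for a in accounts).items():
        if count > 1:
            findings.append(("duplicate_login", name))

    # A hidden account is far worse when the admin interface is reachable from the WAN.
    suspicious = {"backdoor_flag", "mac_derived_password"}
    if settings.get("remote_wan_admin") == "1" and any(c in suspicious for c, _ in findings):
        findings.append(("remote_wan_admin", "hidden account reachable from the WAN"))

    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_DUMP):
        print(f"{code}: {detail}")
```

Running the script against the constructed sample reports all four findings; the remediation on this router, per the post, is to install the vendor's latest firmware and then perform a hard reset so the old login table is not carried forward.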