TOTOLink Backdoor Persistence

2015.08.15
Credit: Pierre Kim
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Hello, This is an update to: - Backdoor and RCE found in 8 TOTOLINK router models (http://seclists.org/fulldisclosure/2015/Jul/80 ) - Backdoor credentials found in 4 TOTOLINK router models (http://seclists.org/fulldisclosure/2015/Jul/79 ) - 4 TOTOLINK router models vulnerable to CSRF and XSS attacks (http://seclists.org/fulldisclosure/2015/Jul/78 ) - 15 TOTOLINK router models vulnerable to multiple RCEs (http://seclists.org/fulldisclosure/2015/Jul/77 ) Totolink has released new firmwares on 2015-07-25 and also removed the old firmwares from their website. The backdoor is still present in the new firmware images but it is not launched at the startup anymore. You can check yourself by downloading the images and by using binwalk: Example with N300RH-V2: $ wget -O 'TOTOLINK%20N300RH-V2.0.1_20150725.zip' 'http://www.totolink.net/include/download.asp?path=down/010500&file=TOTOLINK%20N300RH-V2.0.1_20150725.zip' $ 7z x TOTOLINK%20N300RH-V2.0.1_20150725.zip [...] $ binwalk -e *web DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 16 0x10 bzip2 compressed data, block size = 900k 309403 0x4B89B LZMA compressed data, properties: 0x88, dictionary size: 1048576 bytes, uncompressed size: 65535 bytes 320182 0x4E2B6 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3414764 bytes 1274560 0x1372C0 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2251972 bytes, 321 inodes, blocksize: 131072 bytes, created: Thu May 4 11:47:12 2006 $ cd _*/ $ 7z x *squashfs Processing archive: 1372C0.squashfs Extracting bin Extracting dev [...] Everything is Ok $ strings bin/skt | grep iptables iptables -I INPUT -p tcp --dport 80 -i eth1 -j ACCEPT iptables -D INPUT -p tcp --dport 80 -i eth1 -j ACCEPT $ tail -n 5 etc/init.d/rcS # start web server boa #skt& They commented the `skt&` execution in the /etc/init.d/rcS. The bin/skt backdoor is still there but not activated. I encourage TOTOLINK users to audit next firmwares to make sure the backdoor is not reactivated by "error". There are no security indications in the "Firmware Update Release Information" ( http://www.totolink.net/sub/news/board_content.asp?b_type=BOARD1&idx=164 ) and I don't want to waste my time to check if they patched the other security holes (RCE, XSS, CSRF ...) described here: - https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html - https://pierrekim.github.io/blog/2015-07-16-4-TOTOLINK-products-vulnerable-to-CSRF-and-XSS-attacks.html - https://pierrekim.github.io/blog/2015-07-16-backdoor-credentials-found-in-4-TOTOLINK-products.html - https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html By the way, Totolink released a statement the 2015-07-30 saying that there are no backdoors in their routers and threatened to sue medias regarding "totally irresponsible behavior", stating my research contains "some unverified information" (From: http://www.totolink.net/sub/news/board_content.asp?b_type=BOARD1&idx=165 ): ZIONCOM (HK) Technology Ltd (ZIONCOM, the manufacturer of TOTOLINK Router), would like to make an official announcement regarding some inappropriately news report from network media that were totally irresponsible behavior for reporting some unverified information to damage our company reputation. 1. TOTOLINK do not compromise user privacy and security, TOTOLINK product has not been installed any monitor software on user behavior after we verified all of our current inventory in Hong Kong market so it is impossible to monitor user behavior. ZIONCOM will reserve the right to take legal action against the media report on the wrong information broadcasting that may damage our company and product reputations. 2. Regarding the problem of a default login password of a TOTOLINK router may trigger an invasion from hacker through remote control, we would like to recommend all users to change the default password at the first time login.We will make an announcement through our Global website ( http://www.totolink.net ) for launching new firmware update program for solving the bug soon. Note that some firmwares have apparently not been correctly updated. For example, the "this-is-a-feature-not-a-backdoor-executable" is still activated in the latest N300RH-V3 firmware router ( http://www.totolink.net/include/download.asp?path=down/010500&file=TOTOLINK%20N300RH-V3.0.0_20150331.zip , from the N300RH webpage ). You can check by yourself the "unverified information" by using the precedent commands: the file /etc/init.d/rcS still contains skt& to execute the "this-is-a-feature-not-a-backdoor-executable" /bin/skt at startup): $ wget -O TOTOLINK%20N300RH-V3.0.0_20150331.zip 'http://www.totolink.net/include/download.asp?path=down/010500&file=TOTOLINK%20N300RH-V3.0.0_20150331.zip' $ sha256sum TOTOLINK%20N300RH-V3.0.0_20150331.zip 3c12a38dfc8c72733f384ba206e9b21a37614ba77aba7f3433ed1ce9bd40cda4 TOTOLINK%20N300RH-V3.0.0_20150331.zip $ 7z x TOTOLINK%20N300RH-V3.0.0_20150331.zip [...] Everything is Ok $ binwalk -e *web DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 16 0x10 bzip2 compressed data, block size = 900k 307237 0x4B025 LZMA compressed data, properties: 0x88, dictionary size: 1048576 bytes, uncompressed size: 65535 bytes 317016 0x4D658 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3666608 bytes 1337954 0x146A62 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2169904 bytes, 580 inodes, blocksize: 131072 bytes, created: Wed Feb 10 00:30:40 2038 $ cd _*/ $ 7z x *squashfs Extracting bin Extracting dev [,,,] Everything is Ok $ strings bin/skt | grep iptables iptables -I INPUT -p tcp --dport 80 -i eth1 -j ACCEPT iptables -D INPUT -p tcp --dport 80 -i eth1 -j ACCEPT $ tail -n 5 etc/init.d/rcS # start web server boa skt& <-- backdoor is launched at startup I leave security researchers, totolink users and medias to use their own judgment and draw a conclusion about this case. This email has been blogposted to: https://pierrekim.github.io/blog/2015-08-13-TOTOLINK-how-to-NOT-handle-security-issues.html Regards, -- Pierre Kim pierre.kim.sec@gmail.com @PierreKimSec https://pierrekim.github.io/

References:

http://cxsecurity.com/issue/WLB-2015070079


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top