SoDDing D-Link Backdoor | TechSNAP 132

It’s never been easier to break a D-Link Router, we’ll share the details about the built in backdoor.

Plus a huge batch of Java fixes land, a look at iMessage security, and much much more!

On this week’s TechSNAP

Reverse engineering a D-Link router

  • Researchers found an authentication bypass backdoor in some D-Link routers
  • Research was conducted on a D-Link DIR-100 revA
  • The firmware is made by a company called Alpha Networks which was spun off from D-Link in 2003
  • Other devices known to be vulnerable from D-Link:
    • DIR-100
    • DIR-120
    • DI-624S
    • DI-524UP
    • DI-604S
    • DI-604UP
    • DI-604+
    • TM-G5240
  • Some devices from Planex appear to use the same firmware:
    • BRL-04R
    • BRL-04UR
    • BRL-04CW
  • If the router's web interface is accessed using a User-Agent string of xmlset_roodkcableoj28840ybtide, the request bypasses the username/password check and has full administrative access to the router
  • Read backwards the string is "editby04882joelbackdoor_teslmx", i.e. "edit by 04882 joel backdoor"
  • This backdoor also allows an attacker to perform remote code execution and could be used to infect a router with spyware
  • D-Link promises to issue fixed firmware by the end of the month
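Two checks a practitioner would want for the bug above, as an added example that is not code from the show notes or from the original researcher: a detection rule that runs over web-server access logs (constructed sample lines included) and an active probe that fetches one admin page with an ordinary User-Agent and again with the backdoor value, then compares the answers. The admin-page paths, client addresses and the `probe()`/`looks_vulnerable()` helpers are assumptions made for the example; the User-Agent value is the one quoted in the notes.

```python
"""Detect and check for the D-Link / Alpha Networks User-Agent backdoor.

Added example for these show notes, not code from the page or from the
original research. Assumes the router's admin interface is plain HTTP on
its LAN address and that a login-protected page answers an ordinary
unauthenticated request differently from one sent with the magic UA.
"""
import re
import sys
import urllib.error
import urllib.request

# The User-Agent value described in the show notes (verbatim from the page).
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Combined Log Format: client identd user [time] "request" status size "referer" "ua"
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def decode_ua(ua: str) -> str:
    """Reverse the string to show the message hidden in it."""
    return ua[::-1]


def is_backdoor_ua(user_agent: str) -> bool:
    """Flag a User-Agent carrying the backdoor value (substring match, so
    scanners that pad or wrap the string are flagged too)."""
    return BACKDOOR_UA in user_agent


def find_backdoor_requests(log_text: str) -> list:
    """Return every Combined-Log-Format line whose User-Agent carries the
    backdoor value. Lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and is_backdoor_ua(m.group("ua")):
            hits.append({"src": m.group("src"), "time": m.group("time"),
                         "path": m.group("path"), "status": int(m.group("status"))})
    return hits


# Constructed sample log: addresses and admin paths are made up for the example.
SAMPLE_LOG = """\
192.168.0.10 - - [12/Oct/2013:20:15:01 +0000] "GET /index.htm HTTP/1.1" 200 2312 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"
203.0.113.45 - - [12/Oct/2013:20:15:09 +0000] "GET /lan_setup.htm HTTP/1.1" 200 4120 "-" "xmlset_roodkcableoj28840ybtide"
192.168.0.10 - - [12/Oct/2013:20:16:44 +0000] "POST /login.htm HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"
203.0.113.45 - - [12/Oct/2013:20:17:02 +0000] "GET /admin_tools.htm HTTP/1.1" 200 3871 "-" "Mozilla/5.0 xmlset_roodkcableoj28840ybtide"
"""


def probe(base_url: str, path: str = "/", timeout: float = 5.0):
    """Fetch one admin page twice, with a normal UA and with the backdoor UA.
    Returns ((status, body), (status, body)). Live network call: only run it
    against a router you are authorised to test."""
    def fetch(ua: str):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": ua})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    return fetch("Mozilla/5.0 (backdoor-check)"), fetch(BACKDOOR_UA)


def looks_vulnerable(normal, magic) -> bool:
    """Heuristic verdict from two probe() results: the magic UA gets a 200
    for a page the ordinary request could not reach, or gets a different
    page than the ordinary request (e.g. the config page instead of the
    login form). Inspect the bodies before drawing a conclusion."""
    (n_status, n_body), (m_status, m_body) = normal, magic
    return m_status == 200 and (n_status != 200 or n_body != m_body)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} http://192.168.0.1", file=sys.stderr)
        sys.exit(2)
    normal, magic = probe(sys.argv[1], "/")
    print("normal UA  :", normal[0], len(normal[1]), "bytes")
    print("backdoor UA:", magic[0], len(magic[1]), "bytes")
    print("vulnerable?", looks_vulnerable(normal, magic))
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print("log hit:", hit)
```

The log check is the useful one for anything that already sits in front of the router (a proxy or a syslog collector), since a successful backdoor request looks like a normal 200 to the admin pages and only the User-Agent gives it away. The active probe should be run from the WAN side as well as the LAN if remote management is enabled, because that is the exposure that matters.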

Akamai finds most DDoS attacks come from Asia

  • Threatpost reports on Akamai’s “State of the Internet report”
  • Akamai is a global CDN that services many large websites including Microsoft Update
  • “The Pacific rim region (especially China and Indonesia) accounted for just over 79 percent of all observed attacks” according to the firm’s studies
  • The report also discussed the Syrian Electronic Army (SEA) and its attacks on media outlets, the exhaustion of IPv4 address space, and a rise in mobile data traffic
  • The data does not quite match up with reports from other DDoS protection vendors
  • The Prolexic report for Q1 2013 shows China as the source of 40.68% of all DDoS attacks, and Indonesia did not even register. USA: 21.88%, Germany: 10.59%
  • The Prolexic report for Q2 2013 shows slightly different results, with China holding strong at 39.08%, Mexico coming in at a surprising second with 27.32%, and Russia at 7.58%
  • The wild differences are partly due to the fact that each company is measuring attacks against their clients, not the wider internet
  • There is also the methodology for localizing the source of the attack to consider, GeoIP databases and the like are often inaccurate
  • Each company may also have a different definition of a DDoS attack. Are bots crawling a website an attack? What about SQL injection attempts?

Oracle releases the October Critical Patch Update, with updates for Java

  • This is the first time that the Oracle quarterly CPU (Critical Patch Update) has included updates for Java; Java is usually updated on a separate cycle
  • “Of the 51 Java patches released, 50 allow for remote code execution and 20 were given the highest criticality rating by Oracle”
  • All users should immediately upgrade to Java 7u45
  • Java 6 is vulnerable to nearly a dozen critical vulnerabilities, but updates are only provided to Oracle customers with support contracts (such as Apple, which ships Java 6 for OS X)
  • Rapid7 (maintainers of Metasploit) recommend that if you must use Java: “run Java in the most restricted mode and only allow signed applets from white-listed sites”
  • “Noted Java bug hunter Adam Gowdiak told Threatpost that the patches also harden interactions of LiveConnect code, a browser feature that allows applets to communicate with the javascript engine in the browser, and Java Rich Internet Applications”
  • “Overall, there are 127 patches in the Oracle CPU that touch most of the Oracle product line. Aside from the Java vulnerabilities, the only other bug approaching the same level of criticality is in MySQL Enterprise Monitor, but it is not a remote execution bug.”
