D-Link DWR-932 B LTE Wireless router affected by multiple backdoors

D-Link ‘s DWR-932B LTE router and access point has been found vulnerable to a number of backdoors as well as a default WPS (Wi-Fi Protected Setup) PIN.

Security researcher and blogger, Pierre Kim, has uncovered a number of security flaws in the device that even affect the latest version of its firmware.

Kim had previously released a number of flaws that existed in the LTE QDH routers made by Quanta and it appears that they also appear in D-Link models.

Among the various vulnerabilities the researcher discovered that two backdoor accounts which can be used to bypass HTTP authentication include the admin account with the username and password ‘admin’ as well as a root account using the password ‘1234’.

The D-Link DWR-932 B also contains a default WPS PIN of 28296607 which is hard coded in the /bin/appmgr directory. It’s also located in the HostAP and HTTP API’s configurations.

The /bin/appmgr program also allows malicious attackers to send a specific string via UDP which forces the device to start a telnet service which operates without authentication. This can occur even in the telnet service isn’t already running. If HELODBC is sent as a command to 0.0.0.0:39889 over UDP the router allows unauthenticated access using the root account.

Both /etc/inadyn-mt.conf and /bin/qmiweb contain various vulnerabilities, the conf file contains a username with hardcoded password and the http daemon in qmiweb has multiple possible routes for exploit.

Kim also discovered that the credentials for using the FOTA (Firmware Over The Air) service contained hard-coded user credentials in the /sbin/fotad binary, there is an added degree of security with the daemon attempting to download the firmware over HTTPS, however the SSL certificate for this service has been invalid for over 18 months.

It was also found that the security level of the UPNP program (miniupnp) in the router is lowered, thus allowing a LAN based attacker the ability to add Port forwarding from the Internet to other local clients

“There is no restriction about the UPnP permission rules in the configuration file, contrary to common usage in UPnP where it is advised to only allow redirection of port above 1024,” explained Kim.

This would allow attackers to forward traffic from the outside onto the local network, including services such as mail, file transfer, and database, posing a huge number of vehicles as Advanced Persistent Threats.

Kim informed D-Link of the issues in the D-Link DWR-932 devices back in June of this year but to date still hasn’t received any notification confirming that they have been resolved. Following 90 days of silence from D-Link, Kim has now chosen to publish an advisory revealing the bugs.

D-Link patched a number of flaws in August following the discovery of a weakness in a number of DIR model routers after a D-Link Wi-Fi camera was found to be affected by a vulnerability that later proved to be present in over 120 of their products.