Wednesday, February 6, 2013

First public patch for Broadcom UPnP vulnerability

First public patch for Broadcom UPnP vulnerability from TP-Link.

From: http://forum.tp-link.com/showthread.php?2252-Fixed-a-critical-vulnerability-issue-related-to-UPnP

Fixed a critical vulnerability issue related to UPnP
Model : TD-W8960N
Hardware Version : V4
Following the release this week of a research paper from security firm Rapid7 describing vulnerabilities in the widely used Intel/Portable UPnP SDK and MiniUPnP SDK stacks, security researchers from DefenseCode announced that they identified a critical vulnerability in a separate UPnP stack developed by Broadcom and used in devices with Broadcom chipsets, including one device from TP-LINK, the TD-W8960N.
http://www.defensecode.com/public/De...y_Advisory.pdf
Being aware of the urgency of this issue, our R&D solved it immediately and released a beta Firmware for the customers who are worried about this problem to download.
You can find this beta Firmware here:
http://www.tp-link.com/en/support/do...rsion=V4#tbl_j
At the end of February, we will release the official FW, solving the UPnP Vulnerability of TD-W8960N.


Regards,
DefenseCode

DefenseCode Security Advisory: Cisco Linksys Remote Preauth 0day Root Exploit Follow-Up



A few weeks ago, we announced a remote preauth root access exploit for
Cisco Linksys (http://www.youtube.com/watch?v=cv-MbL7KFKE).

Vulnerability details were disclosed here:
http://www.defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf

During further research, we have discovered that other router
manufacturers are also vulnerable to the same vulnerability, since
the vulnerable Broadcom UPnP stack is used across multiple router vendors.

According to data from Rapid7, of the 80 million routers discovered
during data gathering on the internet, ~15 million had Broadcom UPnP.
More info available here:
http://information.rapid7.com/upnp-webcast-video-page.html

Below is a partial list of other vulnerable router manufacturers and
models. Thanks to HD Moore of Rapid7 for the data.

Regards,
Leon Juranic
CEO
DefenseCode
http://www.defensecode.com/



3Com

    -  ADSL Wireless Router

    -  Broadcom ADSL Router

    -  Internet Gateway Device



Actiontec

    -  GT784WN

    -  xDSL Router

    -  Broadcom ADSL Router

    -  DSL Modem implementing Qwest TR-064 v1.0 specification

    -  DSL Modem implementing TR-064 v1.0 specification



Actiontec Electronics

    -  Actiontec xDSL Router

    -  Verizon ADSL Router



ADBB

    -  DSL Router



ADB Broadband

    -  ADB ADSL Router

    -  Broadcom ADSL Router



ADB Broadband S.p.A.

    -  ADB ADSL Router



ADB Broadband S.p.A

    -  HomeStation ADSL Router




ADSL2+ Router  

    -  ADSL2/2+ Modem Router

    - ADSLRouter



ALBIS

    -  Router VLR-4300-I



Allied Telesis K.K.

    -  CG-BARFX3



Alpha

    -  ADSL Router

    -  DLink ADSL Router

    -  Sky ADSL Router



Alvarion

    -  Residential Gateway



ASB

    -  ADSL Router

    -  Alcatel-EG692HW Internet Sharing Gateway

    -  ChinaTelecom E8C(EPON) Gateway

    -  Home Gateway



Askey

    -  ADSL2+ Router

    -  ADSL Router



Askey Computer Corp.

    -  Wireless ADSL2+ Router



ASUS

    -  Wireless Router



ASUSTek

    -  ASUS ADSL Router

    -  ASUS Wireless Harddisk Drive

    -  ASUS Wireless Router



ASUSTek Computer Inc.

    -  ASUS Wireless Router

    -  Residential Gateway Device

    -  WL-500gPV2

    -  WL-500gP V2

    -  WL-520GU

    -  WL700gE



BEC_8800N

    -  BEC 8800N



BEC Technologies Inc.

    -  BEC 7800TN R2

    -  Broadcom ADSL Router



Belkin

    -  ADSL Router

    -  F5D8232-4 v1000

    -  N1 ADSL Router

    -  Wireless ADSL Router

    -  BoB

    -  iiNet BoB

    -  Wireless ADSL Router



Bellmann

    -  Broadcom ADSL Router



Billion

    -  BiPAC 7700N

    -  BiPAC 7700N R2



Billion Electric Co., Ltd.

    -  ADSL2+ Firewall Router

    -  BiPAC 7800VDOX

    -  BiPAC 7800VDPX

    -  home.gateway



Billion Electric Co.,Ltd.

    -  home.gateway



Billion Electric Co, PC Range Pty Ltd.

    -  home.gateway



BM

    -  ChinaTelecom E8C(EPON) Gateway



Broadcom

    -  3G Router

    -  Actiontec GT784WN

    -  Actiontec xDSL Router

    -  ADSL2+ 11n WiFi CPE

    -  ADSL2/2+ Modem Router

    -  ADSL Router

    -  ADSL Router

    -  ChinaTelecom E8 ADSL Router

    -  D-link ADSL Router

    -  D-Link ADSL Router

    -  DLink ADSL Router

    -  D-Link DSL-2640B

    -  D-Link DSL-2641B

    -  D-Link DSL-500B

    -  DSL2740B ADSL Router

    -  DSL Router

    -  HomeStation ADSL Router

    -  PHILEAS-WORLD

    -  PTCL ADSL Router

    -  Residential Gateway Device

    -  SemIndia Systems ADSL2Plus Router

    -  STOREX

    -  WL700g

    -  Zoom ADSL Router



BT

    -  Voyager 2091

    -  Voyager 220V

    -  Voyager 2091

    -  Voyager 2110

    -  Voyager 220V

    -  Voyager 2500V



Careca

    -  HRDSL108W 108M Wireless ADSL2+ router



CATCH-TEC

    -  ADSL2/2+ Modem Router



CDC POINT S.P.A

    -  ADSL2/2+ Modem Router



ChinaTelecom

    -  ASB Home Gateway



China Telecom

    -  ChinaNet EPON Router

    -  E8C(EPON) Gateway

    -  E8C Gateway

    -  Navigator 1-2 Gateway



Cisco Systems,Inc.

    -  Cisco ADSL Router



ClearAccess

    -  Broadcom ADSL Router

    -  D-Link DSL-2730B



Comtrend

    -  AR-5383n

    -  Broadcom ADSL Router

    -  single-chip ADSL router

    -  WAP-5850g

    -  Netcomm ADSL2+/3G Wi-Fi Router



Corega

    -  CG-BARMX2

    -  CG-WLBARAGM



Danalink

    -  Dynalink ADSL Router

    -  Dynalink Wireless ADSL2+ Router



DARE

    -  DareGlobal Home Gateway



Dare

    -  Router



Dare Inc.

    -  Dare ADSL2+ Modem/Wireless Router



DCOM

    -  ADSL Router



DGT

    -  VDSL Router



Digicom

    -  ADSL Router



Digital Data Communications, Inc

    -  FBR-1461A ADSL2+ Modem Router(X.X.X.X)

    -  FBR-1461 ADSL2+ Modem Router (X.X.X.X)



DIGITUS

    -  Internet Gateway Device



DIT

    -  Gateway



D-Link

    -  ADSL MODEM



D-link

    -  ADSL Router



D-LINK

    -  ADSL Router



DLink

    -  Alpha ADSL Router



D-Link Corporation.

    -  D-Link D-LinkDSL-2640B

    -  D-Link DSL-2640B

    -  D-LinkDSL-2640B

    -  D-LinkDSL-2641B

    -  D-Link DSL-2740B

    -  D-LinkDSL-2740B

    -  D-Link DSL-2740U

    -  D-Link DSL-2741B

    -  D-LinkDSL-2741B

    -  D-Link DSL-2750B

    -  D-LinkDSL-2750B



D-Link Corporation

    -  D-Link DSL6740U

    -  DSL-2640B

    -  DSL2740B

    -  DSL-2740B

    -  DSL-2740B Adsl Router

    -  DSL-2740B Adsl Router

    -  DSL-2740U Adsl Router

    -  DSL-2741B

    -  DSL-2741B Adsl Router

    -  DSL2750B

    -  DVA-G3670B Adsl Router



Dlink

    -  ADSL router

    -  ADSL Router

    -  D-Link ADSL Router

    -  ADSL Router

    -  DLink ADSL Router

    -  ADSL Router

    -  DSL-2500U

    -  DSL-2542B

    -  DSL-2640B

    -  DSL-2640U

    -  DSL-2730B

    -  D-Link DSL-2730B

    -  DSL2730U

    -  DSL-2730U

    -  DSL-2740EL

    -  DSL2750U

    -  DSL-2750U

    -  D-Link DSL-526B

    -  DSL-526B

    -  Router

    -  D-Link VDSL Router

    -  Wireless Router

    -  DSL-2542B

    -  DSL-2640B

    -  DSL-2640BT

    -  DSL-2640U

    -  DSL-2740B

    -  DSL-526B

    -  DSL-526B

    -  DSL-526B

    -  DVA-G3672B-LTT Networks ADSL Router

    -  DVA-G3672B Networks ADSL Router



DQ

    -  ADSL Router



DQ Technology, Inc.

    -  ADSL2+ 11n WiFi CPE

    -  ADSL2+ CPE

    - DSL-2542BNetworksADSLRouter

    - DSL-2642BNetworksADSLRouter

    - DSL-2730BNetworksADSLRouter

    - DSL-2730UNetworksADSLRouter



DSL

    -  ARouter

    - DSLRouter

    -  TW ARouter



Dynalink

    -  ADSL2+ Router

    -  ADSL2+ Wireless Modem Router

    -  Wireless ADSL2+ Router



ENKOM

    -  AMIS Router



FAMNET

    -  ADSL Router



FiberHome

    -  ADSL Router

    -  Broadcom ADSL Router



Glitel

    -  Broadcom ADSL Router



gmesh

    -  ADSL Router



huaqin

    -  HGU421 Router

    -  HGU421 v3 Router



Huawei-3Com

    -  BR204+



Huawei

    -  Echolife ADSL Router

    -  EchoLife Home Gateway

    -  HG227

    -  ADSL Router

    -  Residential Gateway Device



Huawei Technologies Co., Ltd

    -  EchoLife HG520



iBall Baton

    -  150M Wireless-N ADSL2+ Router



iiNet

    -  BoB2

    -  BoBLite



Innoband

    -  DSL Router



Inteno

    -  Broadcom ADSL Router

    -  DSL Router

    -  Residential Gateway



Intercross

    -  Broadcom ADSL Router

    - InternetGatewayDevice



IskraTEL

    -  Broadcom ADSL Router



ITI Ltd.

    -  ITI ADSL2+ Modem/Wireless Router

    -  ITI Ltd.ADSL2Plus Modem/Router



KÖNIG

    -  ADSL2/2+ Modem Router

    -  ADSL2/2+ Modem Router



Kunhar Peripherals Pvt Ltd

    -  54M Wireless ADSL2+ router



LevelOne

    -  FBR-1461B



Linksys by Cisco

    -  Linksys WRT54G

    -  Linksys WRT54GL



Linksys Inc.

    -  DD-WRT Router (X.X.X.X)

    -  Linksys MA568243

    -  Linksys ma890673

    -  Linksys WRT150N

    -  Linksys WRT54GL

    -  Linksys WRT54GS-PC

    -  Linksys wrt54gs v4

    -  Linksys WRT54GS (X.X.X.X)

    -  Residential Gateway Device



Linksys

    -  Internet Gateway Device

    -  Wireless Router



MAXON

    -  Residential Gateway Device



MEDIACOM  Wireless-N ADSL2+ Router

    -  ADSL2+ Router



Micronet Communications Inc.

    -  Micronet WLAN ADSL2+ Modem Router



Micro-Star International

    -  Residential Gateway Device



Minitar Corporation

    -  Residential Gateway Device



Motorola

    -  Residential Gateway Device



NB

    -  DSL-2740B



NetComm

    -  Broadcom ADSL Router



NetComm Limited

    -  NetComm ADSL2+ Router

    -  NetComm ADSL2+ Wireless Router

    -  11n Wireless ADSL2+ Router

    -  11n Wireless ADSL Router

    -  Netcomm ADSL2+/3G Wi-Fi Router

    -  ADSL2+ Router

    -  ADSL2+ Wireless Router

    -  NB6 ADSL2+ Router

    -  NB6Plus4W ADSL2+ Wireless Modem Router

    -  NB6PLUS4W Wireless ADSL2+ Router

    -  NB6W Wireless ADSL2+ Router

    -  WiFi Data and VoIP Gateway



NetComm Wireless Limited

    -  NetComm ADSL2+ Router

    -  NetComm ADSL2+ Wireless Router



Netgear

    -  Broadcom ADSL Router

    -  ADSL2+ Router

    -  ADSL Router

    -  RP614v4



Neuf Telecom

    -  Trio4



NewMedia-NET GmbH

    -  DD-WRT Router (X.X.X.X)



OPTICOM

    -  DSLink 279



Orcon

    -  Genius

    -  GeniusLite

    -  Orcon

    - P-660HN-51



PENTAGRAM

    -  home.gateway



PhoebeMicro

    -  Internet Gateway Device



Pirelli

    -  ADSL Router



Pirelli Broadband Solutions

    -  HomeStation ADSL Router



PLANET

    -  ADN-4000



Planex

    -  BLW-54CW

    -  Internet Gateway Device



QTECH

    -

    -  Broadcom ADSL Router

    -  QTECH

    -  Residential Gateway

    - ResidentialGatewayDevice



ROTAL

    -  Wireless ADSL2+ Router



Router

    -  ADSL Router

    -  Router



Sagem

    -  AFAQ DSL SHAMEL ROUTER



Sagemcom

    -  ADSL Router

    -  ADSL Router



SemIndia Systems Private Ltd.

    -  SemIndia ADSL2Plus Modem/Router



SemIndia Systems Pvt. Ltd.

    -  SemIndia Systems ADSL2Plus Modem Router

    -  SemIndia Systems ADSL2Plus Modem/Wireless Router



SIEMENS

    -  alice.box



Siemens

    -  ADSL SL2-141

    -  ADSL SL2-141-I

    -  Gigaset SE515B

    -  SL2-141-I



SimpleTech

    -  OdenShare

    -  SimpleShare



Sinus

    -  1054 DSL



SmartLink

    -  ADSL Router



Sparklan

    -  Internet Gateway Device



Speedport

    -  500V

    -  W 500V



Starbridge Networks

    -  Broadcom ADSL Router



Star-Net

    -  Broadcom ADSL Router



STAR-NET

    -  Broadcom ADSL Router



Sveasoft Inc.

    -  Residential Gateway Device



TARGA WR 500 VoIP

    -  TARGA WR 500 VoIP



Tecom

    -  DSL Router



TeleWell Oy (http://www.telewell.fi)

    -  TeleWell.gateway



Telsey

    -  ADSL Router



TELUS

    -  VSG1432



Tenda

    -  ADSL2/2+ Modem Router



Tenda/Imex

    -  W150D



Tenda/lmex

    -  ADSL2+ Ethernet Modem Router

    -  ADSL Router

    -  Gateway



TOPTRONICS

    -  ADSL Router



TP-LINK

    -  ADSL Router

    -  54M Wireless ADSL2+ router

    -  ADSL2+ Modem Router

    -  ADSL2+ Router

    -  ADSL2+ Router Modem

    -  ADSL Router

    -  Wireless ADSL2+ Modem Router

    -  Wireless ADSL2+ router

    -  Wireless ADSL2+ Router

    -  Wireless N ADSL2+ Modem Router TD-W8960N



U.S. Robotics Corporation

    -  Internet Gateway Device



U.S. Robotics

    -  USRobotics ADSL2+ Router

    -  ADSL 4 Port Router

    -  ADSL 4-Port Router

    -  USR8561



UTStarcom Inc.

    -  UTStarcom ADSL2+ Modem Router



UTstarcom Inc.

    -  UTstarcom ADSL2+ Modem/Wireless Router

    -  UTStarcom ADSL2+ Modem/Wireless Router

    - VSG1432-B101

    - VSG1435-B101



WIN

    -  eNet660S



WorldNet

    -  ADSL Router



XAVi

    -  DSL Router



Zhone Technologies.

    -  UPnP v1.0



Zhone

    -  Gateway

    -  Wireless Gateway



ZISA

    -  ADSL Router



ZTE

    -  ADSL Router

    -  Broadcom ADSL Router



ZTE Corporation

    -  ZXDSL 931 Series Device

    -  Home Gateway

    -  ZXDSL 531B



ZyXEL Communication Crop.

    -  P-870H-51A V2 UPnP

    -  P-870H-51b UPnP

    -  P-870H-53A V2 UPnP

    -  P-870HN-51b UPnP

    -  P-870HN-51D UPnP

    -  P-870HN-53b UPnP

    -  P-870HNU-51b

    -  VSG1435-B101

    -  Wireless Broadband Router

    -  ZyXEL UPnP v1.0



ZyXEL

    -  P-660HN-51

    -  P-870HN-53b

    -  P-873HNU-51B

    -  P-873HNUP-51B

    -  Qwest TR-064 v1.0

    -  VMG1312-B30A

    -  VSG1432-B101

    -  VSG1435-B101

    -  ADSL Router

    -  TR64 Router

    -  UPnP Router

    -  VDSL Router



ZYXEL

    -  ZyXEL VDSL Router

    -  xDSL Router

Wednesday, January 30, 2013

Broadcom UPnP Remote Preauth Root Code Execution Vulnerability


During the security evaluation of Cisco Linksys routers for a client, we have discovered a critical
security vulnerability that allows a remote unauthenticated attacker to execute arbitrary code
with root privileges.
Upon the initial vulnerability announcement a few weeks ago, a Cisco spokesman stated that only one router
model is vulnerable - WRT54GL.
We have continued with our research and found that, in fact, the same vulnerable firmware component
is also used in at least two other Cisco Linksys models - WRT54G3G and probably WRT310N.
There could be others.

Moreover, the vulnerability turns out to be even more dangerous, since we have discovered that the same vulnerable
firmware component is also used across many other big-brand router manufacturers and many
smaller vendors.

The vulnerability itself is located in the Broadcom UPnP stack, which is used by many router manufacturers
that produce or produced routers based on the Broadcom chipset.
We have contacted them with vulnerability details and we expect patches soon.
However, we would like to point out that we have sent more than 200 e-mails to various router
manufacturers and various people, without much success.

Some of the manufacturers contacted regarding this vulnerability are:
- Broadcom
- Asus
- Cisco
- TP-Link
- Zyxel
- D-Link
- Netgear
- US Robotics
- and so on.

The full vulnerability description is available here:
http://www.defensecode.com/subcategory/advisories-28

Regards,
Leon Juranic
CEO

Thursday, January 17, 2013

DefenseCode Security Advisory (UPCOMING): Cisco Linksys Remote Preauth 0day Root Exploit Follow-Up

Starting a few hours ago, we began a quick analysis as to how many Linksys models might be vulnerable.
From what we can tell so far, at least one other (not just the WRT54GL) Linksys model is probably vulnerable.

Moreover, during the analysis we discovered clues that network devices from other manufacturers might
also contain the same vulnerability. We are still investigating.

Regarding the Cisco case, we are looking forward to the vulnerability fix. In the meantime, we have again approached them about a few other potential vulnerabilities in the Linksys equipment.


Regards,
Leon Juranic
CEO
DefenseCode
http://www.defensecode.com/

Friday, January 11, 2013

DefenseCode Security Advisory (UPCOMING): Cisco Linksys Remote Preauth 0day Root Exploit

Story behind the vulnerability...

Months ago, we contacted Cisco about a remote preauth (root access) vulnerability
in the default installation of their Linksys routers that we discovered. We gave them
a detailed vulnerability description along with the PoC exploit for the vulnerability.

They said that this vulnerability was already fixed in the latest firmware release...
Well, not this particular vulnerability, since the latest official Linksys firmware -
4.30.14, and all previous versions are still vulnerable.

The exploit shown in this video has been tested on Cisco Linksys WRT54GL, but other
Linksys versions/models are probably also affected.
Cisco Linksys is a very popular router with more than 70,000,000 routers sold.
That's why we think that this vulnerability deserves attention.

According to our vulnerability disclosure policy, the vulnerability details will be
disclosed in the following 2 weeks on http://www.defensecode.com/ , BugTraq and
Full Disclosure.
Due to the severity of this vulnerability, once again we would like to urge Cisco
to fix this vulnerability.

The vulnerability is demonstrated in the following video:

Kind Regards,
DefenseCode