exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TOTOLink Backdoor Persistence

TOTOLink Backdoor Persistence
Posted Aug 13, 2015
Authored by Pierre Kim

Although they have provided an image with it disabled on start up, TOTOLink routers still have a backdoor built into them.

tags | advisory
SHA-256 | 5fd5e8b16e2f7e7dac5fbbe2efbd48e9af98651b4c03e89f5ba73804906d26a2

TOTOLink Backdoor Persistence

Change Mirror Download
Hello,

This is an update to:
- Backdoor and RCE found in 8 TOTOLINK router models
(http://seclists.org/fulldisclosure/2015/Jul/80 )
- Backdoor credentials found in 4 TOTOLINK router models
(http://seclists.org/fulldisclosure/2015/Jul/79 )
- 4 TOTOLINK router models vulnerable to CSRF and XSS attacks
(http://seclists.org/fulldisclosure/2015/Jul/78 )
- 15 TOTOLINK router models vulnerable to multiple RCEs
(http://seclists.org/fulldisclosure/2015/Jul/77 )

Totolink has released new firmwares on 2015-07-25 and also removed the
old firmwares from their website.

The backdoor is still present in the new firmware images but it is not
launched at the startup anymore.

You can check yourself by downloading the images and by using binwalk:

Example with N300RH-V2:
$ wget -O 'TOTOLINK%20N300RH-V2.0.1_20150725.zip'
'http://www.totolink.net/include/download.asp?path=down/010500&file=TOTOLINK%20N300RH-V2.0.1_20150725.zip'
$ 7z x TOTOLINK%20N300RH-V2.0.1_20150725.zip
[...]
$ binwalk -e *web
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
16 0x10 bzip2 compressed data, block size = 900k
309403 0x4B89B LZMA compressed data, properties:
0x88, dictionary size: 1048576 bytes, uncompressed size: 65535 bytes
320182 0x4E2B6 LZMA compressed data, properties:
0x5D, dictionary size: 8388608 bytes, uncompressed size: 3414764 bytes
1274560 0x1372C0 Squashfs filesystem, little endian,
version 4.0, compression:lzma, size: 2251972 bytes, 321 inodes,
blocksize: 131072 bytes, created: Thu May 4 11:47:12 2006
$ cd _*/
$ 7z x *squashfs
Processing archive: 1372C0.squashfs

Extracting bin
Extracting dev
[...]
Everything is Ok
$ strings bin/skt | grep iptables
iptables -I INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
iptables -D INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
$ tail -n 5 etc/init.d/rcS

# start web server
boa
#skt&

They commented the `skt&` execution in the /etc/init.d/rcS.
The bin/skt backdoor is still there but not activated.
I encourage TOTOLINK users to audit next firmwares to make sure the
backdoor is not reactivated by "error".

There are no security indications in the "Firmware Update Release
Information" ( http://www.totolink.net/sub/news/board_content.asp?b_type=BOARD1&idx=164
) and I don't want to waste my time to check if they patched the other
security holes (RCE, XSS, CSRF ...) described here:
- https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html
- https://pierrekim.github.io/blog/2015-07-16-4-TOTOLINK-products-vulnerable-to-CSRF-and-XSS-attacks.html
- https://pierrekim.github.io/blog/2015-07-16-backdoor-credentials-found-in-4-TOTOLINK-products.html
- https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html

By the way, Totolink released a statement the 2015-07-30 saying that
there are no backdoors in their routers and threatened to sue medias
regarding "totally irresponsible behavior", stating my research
contains "some unverified information" (From:
http://www.totolink.net/sub/news/board_content.asp?b_type=BOARD1&idx=165
):


ZIONCOM (HK) Technology Ltd (ZIONCOM, the manufacturer of
TOTOLINK Router), would like to make an official announcement
regarding some inappropriately news report from network media that
were totally irresponsible behavior for reporting some unverified
information to damage our company reputation.

1. TOTOLINK do not compromise user privacy and security, TOTOLINK
product has not been installed any monitor software on user
behavior after we verified all of our current inventory in Hong Kong
market so it is impossible to monitor user behavior. ZIONCOM will
reserve the right to take legal action against the media report on the
wrong information broadcasting that may damage our company and product
reputations.

2. Regarding the problem of a default login password of a TOTOLINK
router may trigger an invasion from hacker through remote
control, we would like to recommend all users to change the default
password at the first time login.We will make an announcement through
our Global website ( http://www.totolink.net ) for launching new
firmware update program for solving the bug soon.



Note that some firmwares have apparently not been correctly updated.
For example, the "this-is-a-feature-not-a-backdoor-executable" is
still activated in the latest N300RH-V3 firmware router (
http://www.totolink.net/include/download.asp?path=down/010500&file=TOTOLINK%20N300RH-V3.0.0_20150331.zip
, from the N300RH webpage ).
You can check by yourself the "unverified information" by using the
precedent commands: the file /etc/init.d/rcS still contains skt& to
execute the "this-is-a-feature-not-a-backdoor-executable" /bin/skt at
startup):

$ wget -O TOTOLINK%20N300RH-V3.0.0_20150331.zip
'http://www.totolink.net/include/download.asp?path=down/010500&file=TOTOLINK%20N300RH-V3.0.0_20150331.zip'
$ sha256sum TOTOLINK%20N300RH-V3.0.0_20150331.zip
3c12a38dfc8c72733f384ba206e9b21a37614ba77aba7f3433ed1ce9bd40cda4
TOTOLINK%20N300RH-V3.0.0_20150331.zip
$ 7z x TOTOLINK%20N300RH-V3.0.0_20150331.zip
[...]
Everything is Ok
$ binwalk -e *web
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
16 0x10 bzip2 compressed data, block size = 900k
307237 0x4B025 LZMA compressed data, properties:
0x88, dictionary size: 1048576 bytes, uncompressed size: 65535 bytes
317016 0x4D658 LZMA compressed data, properties:
0x5D, dictionary size: 8388608 bytes, uncompressed size: 3666608 bytes
1337954 0x146A62 Squashfs filesystem, little endian,
version 4.0, compression:lzma, size: 2169904 bytes, 580 inodes,
blocksize: 131072 bytes, created: Wed Feb 10 00:30:40 2038
$ cd _*/
$ 7z x *squashfs
Extracting bin
Extracting dev
[,,,]
Everything is Ok
$ strings bin/skt | grep iptables
iptables -I INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
iptables -D INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
$ tail -n 5 etc/init.d/rcS

# start web server
boa
skt& <-- backdoor is launched at startup


I leave security researchers, totolink users and medias to use their
own judgment and draw a conclusion about this case.

This email has been blogposted to:
https://pierrekim.github.io/blog/2015-08-13-TOTOLINK-how-to-NOT-handle-security-issues.html

Regards,


--
Pierre Kim
pierre.kim.sec@gmail.com
@PierreKimSec
https://pierrekim.github.io/
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close