Tuesday, October 15, 2013

That DLink bug (masscan)

This last weekend, an interesting backdoor was found in D-Link routers, one that is triggered when a certain user-agent is set. How many Internet-accessible routers are vulnerable to this bug? Well, that sounds like a problem for 'masscan', my Internet-scale scanner.

Last Sunday I ran two scans of the Internet on port 80, one with the user-agent of "masscan/1.0", and the other with the offending user-agent of "xmlset_roodkcableoj28840ybtide", in order to see the difference. I still haven't processed the full results, because apparently most of these devices run at port 8080 rather than port 80. On port 80, we found 2139 vulnerable devices; there should be a lot more at port 8080. Therefore tonight you are going to see my scanners pop up in your logs again, assuming you are monitoring what goes on at port 8080.

One interesting difference is how the headers differ in the two cases. When you connect normally to one of these devices, you get a header that looks like:

HTTP/1.1 401 Unauthorized
Server: thttpd-alphanetworks/2.23
Content-Type: text/html
Date: Tue, 15 Oct 2013 21:00:10 GMT
Last-Modified: Tue, 15 Oct 2013 21:00:10 GMT
Accept-Ranges: bytes
Connection: close
WWW-Authenticate: Basic realm="BRL-04R"

If you follow the links from the original story, they show Shodan output that confirms this.

But, with the correct user-agent, you get a completely different set of headers, including a different Server field:

HTTP/1.0 200 OK
Server: Alpha_webserv
Date: Tue, 15 Oct 2013 20:59:44 GMT
Content-Type: text/html
Accept-Ranges: bytes
Connection: close
X-Pad: avoid browser bug
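
The header comparison described above can be automated when reviewing responses captured from devices you manage. This is an added example, not code from the original post or from masscan: the function names `parse_response` and `classify` are hypothetical, and the two sample blocks are the headers quoted above.

```python
# Added example: header blocks copied from the post; function names are hypothetical.
BASELINE = """\
HTTP/1.1 401 Unauthorized
Server: thttpd-alphanetworks/2.23
Content-Type: text/html
Date: Tue, 15 Oct 2013 21:00:10 GMT
Last-Modified: Tue, 15 Oct 2013 21:00:10 GMT
Accept-Ranges: bytes
Connection: close
WWW-Authenticate: Basic realm="BRL-04R"
"""
PROBE = """\
HTTP/1.0 200 OK
Server: Alpha_webserv
Date: Tue, 15 Oct 2013 20:59:44 GMT
Content-Type: text/html
Accept-Ranges: bytes
Connection: close
X-Pad: avoid browser bug
"""

def parse_response(raw):
    """Return (status_code, {lower-cased header name: value})."""
    lines = [l.strip() for l in (raw.strip().splitlines() or [""])]
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def classify(baseline_raw, probe_raw):
    """Compare the normal response with the one sent for the special user-agent."""
    b_status, b_hdrs = parse_response(baseline_raw)
    p_status, p_hdrs = parse_response(probe_raw)
    # Date always differs between two requests, so it is not a signal.
    changed = sorted(k for k in set(b_hdrs) | set(p_hdrs)
                     if k != "date" and b_hdrs.get(k) != p_hdrs.get(k))
    auth_required = b_status == 401 and "www-authenticate" in b_hdrs
    if auth_required and p_status == 200:
        return "bypass", changed          # login skipped for that user-agent
    if auth_required and p_status == 401:
        return "auth-enforced", changed   # both requests were challenged
    return "inconclusive", changed
```

A device that answers both requests with the same 401 challenge comes back as "auth-enforced" with an empty list of changed headers.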

Anyway, I thought I'd do a quick progress report because it's taking me longer than I thought to answer the question of how many devices are vulnerable to this bug.

Update: here is a listing by AS ("autonomous system" aka "organization"):

count AS      | Name
 1510 6855    | Slovak Telecom, a. s.
   42 4837    | CHINA169-BACKBONE CNCGROUP China169 Backbone
   38 16160   | SWAN SWAN a.s.
   37 27699   | TELEFÔNICA BRASIL S.A
   25 31246   | NETBOX-AS SMART Comp. a.s.
   21 5617    | TPNET Telekomunikacja Polska S.A.
   20 3462    | HINET Data Communication Business Group
   18 27953   | Coop. Eléct. y de Obras y Serv. Público Ltda de Justiniano Posse
   12 39737   | NETVISION-AS Net Vision Telecom SRL
   12 21062   | ANITEX-AS Anitex Ltd
   11 6830    | LGI-UPC Liberty Global Operations B.V

As you can see, out of 2139 total vulnerable systems, 1510 are located at Slovak Telecom. That's a typical pattern: smaller countries are dominated by only a few ISPs, which tend to roll out one standard-configuration DSL modem, vulnerability and all, to their customers.

This is just port 80. We also scanned port 8080, and are currently looking at the results.


Sebastian Ruhs said...

Hello Robert,

How can I use your excellent masscan tool to retrieve HTTP headers? Or did you just scan an IP range and use another tool to connect to those addresses with open ports?


Lars Schotte said...

actually it is not Slovak Telecom, it is German Telecom (t-com). but yes, i know them and these people are idiots everywhere.