Tenda firmware (multiple versions) contains hidden authentication backdoor
kb.cert.org287 points by miniBill 15 hours ago
287 points by miniBill 15 hours ago
The article doesn't disclose the value of "sys.rzadmin.password", but this writeup from 2022 does:
https://boschko.ca/tenda_ac1200_router/
Spoiler: it's "rzadmin". And it looks like there are a bunch of other goodies in the firmware, too.
That backdoor is so up front about it. We might as well call it a frontdoor.
I mean, it's 99% sure this was supposed to be a debug feature...
I have done this accidentally at least once - we shipped a full-stack app, and telemetry started lighting up that on certain older phones and browsers (no points for guessing which brand and browser), the release version didn't load. The minifier did something in the release build that it didn't like.
So after a quick test, it was decided to deploy the debug version of just the frontend as a bandaid. Next day we saw we managed to deploy the debug version of the backend with admin stuff like this as well..
Enemy of the state:
- What did you think was going on?
Jack Black: Oh, I thought it was an STO.
- STO?
Jack Black: Standard Training Op.
and "accidentally" they forgot to disable it when releasing
Wouldn't be the first nor the last time someone is asked to ship something and it gets rushed through for reasons XYZ...
This being said makes the situation for an attacker awfully convenient...
Believe it or not, shit happens in the software business.
I know this from personal experience.
At that point it’s not even a back door it’s just stupid default root password kind of design which used to be standard in this kind of hardware. Backdoor would at least try to be subtle :)
Backdoors are often (almost always?) designed to look like incompetence so that there's plausible deniability.
That sounds like a fun thing to wonder about, but how could anyone possibly know that for sure?
Sounds like a convenience feature for a dev that they forgot to remove before distribution, since it's this poorly hidden.
In computer security, never attribute to ignorance that which is adequately explained by malice.
Dunno, if I were to backdoor a piece of my code, I would definitely put in an exploit instead of a deliberate bypass.
Plausible deniability is important.
A lot of the stuff I worked on already had glaring issues like that without me having to add it..
You’ve got the saying backwards:
“Never attribute to malice that which is adequately explained by stupidity.”
Hanlon's razor is backwards. (My guess is that it's supposed to be a joke, other possible explanations are malice and incompetence.)
It's also misdirecting the discursions. If shit happens the questions isn't if it was by malice or incompetence (since youre unlikely to prove it either way), but to ensure that it won't happen again.
It's one of the worst memes out there.
Pretty sure the point was to invert it. :)
Yes, I got their point. My point is that’s the opposite of reality.
His point is that in security, the opposite applies. The supposed "incompetence" is just plausible deniability for a malicious act.
Yes, and my point is that hasn’t been the case in my experience.
It's because you (like me) aren't quite as paranoid as security people are. Personally I couldn't sleep at night if I was security people.
It's really a matter of context. Security people tend to only be involved when things are already nefarious where as boring old normal people like us see get to see the mundane everyday mistakes so not just the nefarious bits.